Topic 5

Blog 1 of 3 – Security Architecture

Since this is all uncharted territory, I’m starting this blog with the basics. The ISSS article was a good remedial overview, which allowed me to connect this part of the model to the overarching enterprise architecture. The definition it provides for Security Architecture: “[it is] … a cohesive security design, which addresses the requirements, and in particular the risks of a particular environment/scenario, and specifies what security controls are to be applied where. The design process should be reproducible.”

As with all components of the meta model, security designs must adhere to principles that ensure the integrity of the enterprise architecture. The actual designs, however, are driven by corporate strategy. For each strategy, there is a set of baseline controls for the enterprise against which the strategy must be assessed. They are the minimum standards required to ensure the integrity of the architecture; additional controls can be applied on top of them. Each solution must be recorded in the Security Architecture.

Any waiver to the standards can result in additional cost and implementation time, whereas adherence to the security architecture has the benefit of cheaper and quicker solution approval. Simple, got it.

Blog 2 of 3 – Security Architecture

For this next post, I will focus on the Gartner article titled “Security Architecture: Developing the Requirements Vision” from this week’s readings. The enterprise information security architecture framework (Figure 2) resonated, as an enterprise architecture can be broken down into conceptual, logical and implementation levels as well. It had never occurred to me that security architecture should have the same sub-layering, but it makes sense.

To get a good understanding of the Security Architecture perspective, I walked through the levels in Figure 2. The conceptual level (vision, principles, model and framework) should reflect the internal and external strategic environments. The vision itself, however, “is to help link security solutions to defined business needs. It supports traceability between the business strategy and security decisions.” This seems to be the perfect level at which to relate the Security Architecture framework to the enterprise architecture, since components such as the process model and the roles and responsibilities have counterparts in the processes and roles of the rest of the enterprise. Naturally, the security versions would carry more stringent and detailed criteria for aspects such as physical and technology access rights. Further, the figure highlights that the Security Architecture cannot be evaluated from the technical standpoint alone; the business and information viewpoints are also considered and populated in order to capture the full systemic impacts.

The matrices discussed in the remainder of the article were a good example of how to map security requirements back to the business context. This answers the question of the business value delivered by each implemented security requirement. Moreover, it gives business leaders insight into security decisions prior to investment.

Blog 3 of 3 – Security Architecture

As a follow-on, I wanted to focus on Gartner’s toolkit, which takes a deep dive into the Strategic Security Principles (SSPs), the second element of Figure 2 from my last post, provided again here for easy reference:

(Figure 2 is not reproduced here.)

The goal of SSPs, as Gartner outlines, is to bring alignment to all target-state security implementations through:

  • Alignment with business goals and risks;
  • Reuse of controls;
  • A single source of truth for security artifacts;
  • Automation over manual security activities; and
  • Clarification of roles, responsibilities and accountability.

As I noted earlier, there is a layering to the architecture. The toolkit outlines how each SSP maps to principles in the other layers. In addition, it provides example SSPs in a worksheet (see below) that shows how each SSP chosen for the organization aligns back to the business, information and technology principles. The SSPs run down the first column, with the mapped principles across the top. An “x” identifies which business requirement each principle addresses, which makes it easy for business leaders to understand “why” the principles are necessary to achieve their strategic visions.

(The SSP worksheet is not reproduced here.)
