Security Architecture
The purpose of architecture is to ensure consistency of the design approach across a large complex system or across a complex array of smaller systems. An architectural approach can abstract complexity into layers of functionality to break down the complex whole into a series of less complex conceptual layers. Enterprise security architecture must be driven from a business perspective and must take into account a wide range of requirements that may often be in conflict with one another. The successful architecture balances the tensions between these conflicting objectives. [1] The SABSA model is an approach to developing an enterprise security architecture. It is a methodology that uses a six-layer approach that applies the six critical questions to each of these six layers: What? Why? How? Who? Where? When? Answering these questions and following the steps defined for each layer produces a set of deliverables. One of the major benefits of this multi-layered architecture model is that it provides traceability. Why certain controls and components were selected to manage risk can be traced back to business objectives. [3]
The following six sections summarizes each of these six layers:
Contextual Security Architecture
This layer identifies and captures the business context (objectives, risks, constraints, enablers, etc.) of the enterprise. This layer provides a description of the business context in which the secure system must be designed, built and operated.
Conceptual Security Architecture
This layer takes contextual layer and identifies the key concepts important from an information and risk management perspective. At this stage solutions that will satisfy the business needs are conceptualized.
Logical Security Architecture
This layer provides an abstraction of the conceptual architecture into business information and security services and accountability for risk ownership and management across the entire organization.
Physical Security Architecture
This layer defines specifies the security-related data structures and technical mechanisms in order to implement the logical security services defined in the logical security architecture layer.
Component Security Architecture
This layer deals with specific vendors, tools, roles and individuals involved in the management of the risk to the enterprise. In this layer multiple products related to the specifications in the physical security architecture layer are integrated.
Operational Security Architecture
This layer deals with all of the activities designed to provide assurance, operation and management of the security architecture. This layer has a relationship with the other five layers. The operational security architecture needs to be interpreted in detail at each and every one of the other five layers. The operational security architecture relates to the operation of secure business systems. It considers all aspects by which the business systems are operated in a secure manner. It also considers measurement of the efficiency, effectiveness and security of business operations.
The following six sections summarizes each of these six layers:
Contextual Security Architecture
This layer identifies and captures the business context (objectives, risks, constraints, enablers, etc.) of the enterprise. This layer provides a description of the business context in which the secure system must be designed, built and operated.
Conceptual Security Architecture
This layer takes contextual layer and identifies the key concepts important from an information and risk management perspective. At this stage solutions that will satisfy the business needs are conceptualized.
Logical Security Architecture
This layer provides an abstraction of the conceptual architecture into business information and security services and accountability for risk ownership and management across the entire organization.
Physical Security Architecture
This layer defines specifies the security-related data structures and technical mechanisms in order to implement the logical security services defined in the logical security architecture layer.
Component Security Architecture
This layer deals with specific vendors, tools, roles and individuals involved in the management of the risk to the enterprise. In this layer multiple products related to the specifications in the physical security architecture layer are integrated.
Operational Security Architecture
This layer deals with all of the activities designed to provide assurance, operation and management of the security architecture. This layer has a relationship with the other five layers. The operational security architecture needs to be interpreted in detail at each and every one of the other five layers. The operational security architecture relates to the operation of secure business systems. It considers all aspects by which the business systems are operated in a secure manner. It also considers measurement of the efficiency, effectiveness and security of business operations.
The sixth layer is laid across the other layers to identify tasks that need to be performed at each layer related to Operations and Service Management.
SABSA is a flexible framework that can be integrated with other architecture frameworks like TOGAF
Open Group SABSA TOGAF Integration [2]
[1] Sherwood, J., Clark, A. & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton FL. CRC Press.
[2]Open Group. (2016, January). Integrating Risk and Security within a TOGAF® Enterprise Architecture. Retrieved from https://sabsa.org/download/tog-g152-integrating-risk-and-security-within-togaf/?uid=2768925dfa
[3]Archistry. (2015, March 31). SABSA overview [Video file]. Retrieved from https://www.youtube.com/watch?v=yGqC7JqDN18
[2]Open Group. (2016, January). Integrating Risk and Security within a TOGAF® Enterprise Architecture. Retrieved from https://sabsa.org/download/tog-g152-integrating-risk-and-security-within-togaf/?uid=2768925dfa
[3]Archistry. (2015, March 31). SABSA overview [Video file]. Retrieved from https://www.youtube.com/watch?v=yGqC7JqDN18