Enterprise Security Architecture
Enterprise Security Architecture
SABSA, which stands for Sherwood Applied Business Security Architecture, is a framework and methodology that helps organizations manage their enterprise security architecture and service management. It is utilized in the following ways: 1. Governance, Compliance & Audit: SABSA ensures that an organization is following the necessary regulations and standards. It aids in auditing the security measures of the organization. 2. Business Requirements Engineering: SABSA helps businesses identify and define their security requirements based on their objectives and risks. 3. Risk & Opportunity Management: SABSA assists in identifying, assessing, and managing risks and opportunities related to security. 4. Information Assurance: SABSA ensures the integrity, availability, and confidentiality of information. 5. Business Continuity: SABSA helps businesses plan and implement measures to ensure the continuity of business operations in case of disruptions. 6. Policy Architecture: SABSA aids in designing and implementing security policies that align with the business objectives. 7. Security Service Management: SABSA helps in managing the security services of an organization, ensuring they are effective and efficient. 8. Security Performance Management, Measures & Metrics: SABSA provides a framework for measuring and managing the performance of security measures. 9. Secure Systems Design & Development: SABSA aids in designing and developing secure systems.
The paper below examines the organization of SABSA layers and identifies the stakeholders involved in each. Each layer builds upon the previous one:
sabsa_framework.pdf |
Contextual Security Architecture:
The contextual security architecture plays a crucial role in shaping a business's security strategy. This layer focuses on various aspects such as the organization's objectives, risks, connections, and facilitators to determine its security requirements. The 5W's in this layer delve into the following key questions:
- What are the business needs?
- Why do these needs exist (opportunities and threats)?
- How can we secure the processes?
- Who is responsible for overseeing the security measures (management structure and relationships)?
- Where does the business operate geographically?
- When should the security measures be implemented or updated?
Conceptual Security Architecture:
The conceptual security architecture, also referred to as the Architect's view, presents a holistic view of the measures necessary to safeguard a system. This layer takes into account the fundamental concepts required to establish a robust security posture. It consolidates the crucial concepts and controls that ultimately constitute the security architecture's final product. Disregarding any steps at this level may have far-reaching and catastrophic consequences later in the program's life cycle. Therefore, dedicating adequate time and resources to this stage is critical in laying a firm foundation for the remaining segments of the architecture.
Logical Security Architecture:
The Logical layer, also known as the Designer's view, serves as a crucial component in the implementation of the ideas generated from the conceptual layer. At this layer, the concepts are transformed into logical structures that can be implemented. This layer also plays a crucial role in shaping policies and procuring security services, while also addressing the handling of both static and dynamic information. It is at this stage that the design and procurement of security services take place. Furthermore, the logical layer identifies the key services and systems to be deployed, making it an essential stage in the implementation of the plan. Therefore, the logical layer is instrumental in actualizing the entire plan and ensuring that the policies and security services are designed to meet the needs of the organization.
Physical Security Architecture:
This layer, known as the Builder's view, is where the actual implementation of the security architecture takes place. The information from the Logical layer is mapped to the systems and services that were identified in the previous layer. This layer dives into the technical details of security architecture, focusing on defining and developing the rules, procedures, and practices that are necessary for a secure system.
Cryptography and security mechanisms are defined and developed in this layer, which includes selecting the appropriate algorithms, protocols, and key management techniques. Access control, encryption, database security, backup, and recovery systems are also designed and discussed in this layer.
To ensure that all these systems work together seamlessly, this layer involves choosing the appropriate technologies and protocols that will facilitate integration. Any systems that do not integrate well, or that need additional support beyond the capabilities of the organization must be addressed and mitigated in this phase.
Overall, the Builder's view plays a critical role in the development of a comprehensive Security Architecture, which is crucial for protecting sensitive data and ensuring the continuity of business operations.
Component Security Architecture:
The Component Security Architecture layer represents the domain in which all relevant technologies are implemented. Specifically, the management and maintenance of this layer is delegated to the respective teams responsible for these processes. These teams undertake the installation and configuration of networks, firewalls, and servers, as well as the development and integration of applications. Furthermore, the layer's design must incorporate critical components such as business continuity and operational risk management functions.
Reflection
Enhancing my skills in the field of information security and risk management is crucial for me. Understanding SABSA (Sherwood Applied Business Security Architecture) can help me achieve this goal. The framework provides a comprehensive approach to enterprise security architecture from strategic planning to operational details. It enables me to work collaboratively with internal teams responsible for designing solutions and understand how security decisions can affect the overall business. I aim to expand my professional network by connecting with peers in more strategic positions within the organization. It is expected from the security professionals to act in an ethical and professional manner when approaching the subject of architecting and implementing a business system.
References:
SABSA Organization (n.d.) A Brief History of SABSA: Part 1-21 years old this year. Retrieved on December 13, 2020 from https://sabsa.org/the-chief-architects-blog-a-brief-history-of-sabsa-21-years-old-this-year/
Sherwood, J., Clark, A. and Lynas, D. (2005). Enterprise Security Architecture: A Business-Driven Approach. Boca Raton, London, New York: CRC Press Taylor & Francis Group
Wood A. (2014) Security Architecture, Design & Engineering. Retrieved on December 13, 2020, 2020 from https://andywood.info/category/sabsa