Rick Guetschow | ePortfolio - Security Architecture

Description of Security Architecture

Security architecture is the method of designing and implementing secure systems and artifacts that further the organization's needs while being cognizant of the security requirements posed by internal and external forces. Security architecture should address the Who, What, Where, When, Why, and How (5W's + H) by using key security artifacts that adhere to the contextual, conceptual, logical, physical, component, and operational areas. Security architecture is not a "set it and forget it" process. Regular reviews and effective change control need to be in place to allow the architecture to continue to provide value and security to the organization. The planned architecture must accommodate the needs of the organization and allow a seamless integration into the daily operations and future plans of the enterprise.

The Sherwood Applied Business Security Architecture (SABSA) is a very useful model for organizations to apply to their security architecture plans. While it is an unsophisticated model in terms of business drivers, it still serves as an important framework to map planned outcomes. SABSA represents the primary stakeholder views that will drive the design. One advantage of SABSA is that each layer builds upon the output of the previous layer, if a layer is skipped or the information does flow from one layer to the next, critical information can be missed.

The diagram provides a view of how the layers are organized and who the key stakeholders are in each step of the process. Each layer is broken down lower on the page. All of these layers can be mapped to the 5W's + H as shown in the 36-cell SABSA Matrix below. SABSA consists of six layers, each building on the previous layer. There is a seventh layer known as the "Inspector's View", which is responsible for auditing the overall program, this layer will not be discussed here.

The SABSA 36-Cell Matrix

Contextual Security Architecture

The contextual security architecture is concerned with the business view. This layer focuses on the business strategy, objectives, relationships, risks, and enablers to determine the security needs of the organization. The 5W's here ask:

What are the business needs
Why - expressed as opportunities and threats
How - Processes that need security
Who - management structure and relationships
Where - business geography
When - Time-bound or scope-bound

This crucial step sets the tone and trajectory for the following layers.

Conceptual Security Architecture

Also known as the Architect's view, the conceptual security architecture is the 10,000-foot view into protecting the system. The concepts needed to provide a strong security posture are considered at this layer. This layer starts to put together the concepts and controls that will be in place for the final product of the security architecture. Any steps missed at this layer will have devastating impacts later in the program. Taking the time to get this step right will give a solid foundation for the remaining portions.

Logical Security Architecture

The Logical layer, or Designer's view is where the concepts passed from the conceptual layer are put into logical structures to be implemented. Policies begin to take form at this layer. The handling of static and dynamic information is addressed within this layer. The design and procurement of security services take place here also. The logical layer is where the entire plan begins to be actualized and identifies key services and systems to be put into place.

Physical Security Architecture

This layer is the Builder's view. Information from the Logical layer is mapped to the systems and services identified in the previous layer. This layer dives into the nuts and bolts of security architecture. The rules, procedures and practices are developed here. Cryptography and security mechanisms are defined and developed in this layer. Access control, encryption, database security, backup, and recovery are designed and discussed in this layer. These systems must work together to provide a comprehensive Security Architecture. Any systems that do not integrate well, or that need additional support beyond the capabilities of the organization must be addressed and mitigated in this phase.

Component Security Architecture

Component Security architecture is the Tradesman's view. All technologies are implemented at this layer. Management and maintenance is handed off to the respective teams responsible for these processes. Networks, firewalls and servers are installed and configured by these teams. Applications are developed and integrated. Business continuity and operational risk management functions need to be built into this layer as well.

Security Services Management Architecture

The Operational layer, or Facilities Manager view. This is the layer that ties all of the pieces together and provides the day-to-day operational oversight of the system. This layer must create a feedback loop for the layers above it to ensure the dynamism of the entire system. Future projects and changes to the system will be determined by the monitoring and maintenance of the system. This layer ensures that the system runs as it was designed and provides guidance for system changes or new assets. Event scheduling and change timelines are critical functions of this layer.

Reflection

Failure to plan is planning to fail. As a cyber security professional, it is my ethical duty to ensure the safety and security of all systems under my watch. Not having an architectural framework and model would be missing a large piece of the puzzle. Systems that are not integrated or do not serve their intended purpose present a vulnerability within an environment. Confusion or unclear guidelines within a security system leave organizations vulnerable to attack. By implementing a system that builds the architecture in line with what the business needs I am behaving in an ethical and professional manner. A good security architecture should be invisible to the operations of the business, but robust enough to ensure that the organization's objectives are not impacted if a portion of the system fails. This class has taught me how to view the organization's security architecture from the business, technology, and operational aspects of the company.

** References are provided within the Reference Link Library Page

Page updated

Google Sites

Report abuse