Architecting for security

- [Instructor] Security doesn't exist in isolation. It's a characteristic of a business service, a business system and business information. All of these are either secure or not secure. Although in reality, security isn't black and white, it most definitely comes in shades of gray. Nevertheless, organizations will often adopt a set of controls to secure their IT systems and not consider whether or not these reflect any of the requirements of the business. Rather than just adopt a generic control set, we can use what's known as enterprise security architecture to architect a security solution which meets the needs of our business and then apply the controls that are necessary to achieve that architecture. One of the most popular enterprise security architecture frameworks is SABSA, the Sherwood Applied Business Security Architecture. SABSA is used to capture business requirements and then determine what security is needed to meet those requirements. The basic construct in SABSA is its architecture matrix. The two top layers, the contextual and conceptual, contain the elements of the architecture necessary in the strategy and planning stage. While the three lower layers, the logical physical and component, contain those necessary to design secure IT systems and processes to support the higher level business goals and objectives. This matrix is used to capture all relevant security concepts and activities for the enterprise and these are shown in summary in the cells. Security is often defined in terms of the information assurance we achieve by considering a system's confidentiality, integrity and availability. This approach came from early work on models of security and while it's a very common approach, it's also a very constricting and artificial paradigm. Confidentiality, integrity and availability are indeed three attributes but they're not the only ones. We can add more such as non-repudiation, authenticity, utility. But to create an effective information security architecture that's business centric rather than security centric, this is still inadequate. The SABSA framework provides a comprehensive set of business security attributes, which have been collected from hundreds of consultancy projects, and most, if not all, attributes that an organization needs to define their own concept of security can be found here. SABSA's many attributes are grouped into seven categories in what's called an attribute taxonomy: user, management, operational, risk, technical, legal, and business. These categories represent the focus of the business outcome which is being protected by the attributes. This is in effect a picture of what business success looks like. This set of attributes are often used as a pick list from which to choose a relevant subset of attributes for an architecture project and they're quite useful as a cross check on the attributes derived from the business. We can show the attributes in a business relevant form. Here, we show the attributes representing activities which are important to the military, preparation of the force, intelligence regarding the battlefield, the characteristics of operations, commanding and sustaining the force and providing protection of the force. When we architect security, we start with business goals and objectives. Here's a strategic business construct showing goals and objectives. The smaller ellipses together represent the objectives which are required to meet the goals in the larger ellipses. We can analyze the objectives to determine what we need in terms of security attributes to ensure the objectives are met. In this table, we can see some general business objectives, we call these business drivers, which map to a number of the individual enterprise technology and business division objectives. For each of these, we can describe the business driver as a set of security focused attributes. We can then use these attributes to measure security across the organization and we can map them down to the information systems which support the various business processes. By measuring the effect of a security incident on an attribute, we can map this easily back to the business goals and objectives, which depend upon it. There's much more to SABSA and enterprise security architecture in general but the main takeaway is that we need to always look at security through business eyes because security is what we need to achieve business success.