THE ROLE OF ARCHITECTURE
BRIDGING THE GAP BETWEEN THE ENTERPRISE AND TECHNOLOGY
THE GREAT DIVIDE
WHAT IS ENTERPRISE SECURITY ARCHITECTURE?
• ENTERPRISE MEANS CONSIDERING AN ORGANISATION AS A
SINGLE ENTITY RATHER THAN A SET OF CO-OPERATING OR
COMPETING SILOS
• SECURITY IS DIFFERENT FOR EVERY ORGANISATION
• ARCHITECTURE – IS BOTH A PROCESS AND A PRODUCT
• PROCESS = PLANNING, DESIGN AND CONSTRUCTION
• PRODUCT = PEOPLE, PROCESS AND TECHNOLOGY
THE EVOLUTION OF SECURITY
• LATE 1980S – ISO 7498-2
• LATE 1990S – 2000S – SECURITY TECHNOLOGIES USED AS A COUNTERMEASURE TO COMBAT
VIRUSES AND UNAUTHORISED ACCESS
• LEFT ALONE TO TECHNOLOGISTS, SECURITY WAS SEEN AS THE BUSINESS PREVENTION DEPARTMENT
THE RESULT
• DISCONNECT BETWEEN THE BUSINESS NEEDS AND TECHNOLOGY, INFORMATION ASSURANCE
• SECURITY SEEN AS AN ADD-ON – ROI HARD TO GAUGE
• SECURITY ROLLED IN TACTICALLY AS PART OF PROJECT DELIVERY
TACTICAL SOLUTIONS COST MORE!
USED TO SOLVE AN IMMEDIATE PROBLEM, BUT:
• UNDERTAKEN AS A SILOED APPROACH
• DEPLOYED SOLUTIONS LACK FLEXIBILITY
• UNFORESEEN INTEGRATION COMPLEXITIES
• ISSUES WITH INTEROPERABILITY
• HIGHER SUPPORT COSTS (DIVERSE SYSTEMS)
• DIFFERENT PERSPECTIVES AND APPROACHES
• ADDITIONAL RESOURCES OFTEN REQUIRED
THE REAL ROLE OF SECURITY
PROVIDE CONFIDENCE AND ASSURANCE:
• DEPENDABILITY (RELIABLE)
• SUITABILITY (FIT FOR PURPOSE)
• TRUST IN PEOPLE, PROCESS & TECHNOLOGY
• NOT EXPOSED TO UNACCEPTABLE LEVELS OF RISK
SECURITY MUST ENABLE THE BUSINESS TO MEET ITS OBJECTIVES, IDENTIFY AND TRANSFORM
OPPORTUNITIES.
THE IMPORTANCE OF A FRAMEWORK
• ALLOWS ORGANISATIONS TO MANAGE COMPLEXITY
• MAINTAIN INTEGRITY OF DESIGN AT ALL STAGES
• PROVIDES A ROADMAP FOR ALL
• LOWERS THE TOTAL COST OF OWNERSHIP
• INTEGRATION AND INTEROPERABILITY
• RESOLVE CONFLICTING OBJECTIVES AND PRIORITIES
• PREDICTABLE OUTCOMES
• FLEXIBLE AND AGILE SOLUTIONS
• BALANCE BETWEEN STRATEGIC, TACTICAL & OPERATIONAL
ARCHITECTURE GUIDING PRINCIPLES
AN ARCHITECTURE MUST NOT PRESUPPOSE ANY:
• CULTURES OR OPERATIONAL PRACTICES, MANAGEMENT STYLE, MANAGEMENT PROCESSES,
MANAGEMENT STANDARDS, TECHNICAL STANDARDS OR TECHNOLOGY PLATFORMS
A GOOD ARCHITECTURE:
• MEETS AN ORGANISATION’S UNIQUE SET OF BUSINESS REQUIREMENTS
• DOES NOT REPLACE OR COMPETE WITH ESTABLISHED POLICY, STANDARDS, PRACTICES OR
LEGISLATION BUT RATHER ENABLES THEIR DEPLOYMENT
• IS SUFFICIENTLY FLEXIBLE AND ADAPTABLE
ARCHITECTURE FRAMEWORK
A CONSISTENT SET OF PRINCIPLES, POLICIES AND STANDARDS THAT SETS THE DIRECTION AND
VISION FOR THE DEVELOPMENT AND OPERATION OF THE ORGANISATION’S BUSINESS
INFORMATION SYSTEMS SO AS TO ENSURE ALIGNMENT WITH AND SUPPORT FOR THE BUSINESS
NEEDS.
© SABSA INSTITUTE 2016
SABSA ARCHITECTURE VIEWS
• BUSINESS VIEW – CONTEXTUAL ARCHITECTURE
• ARCHITECT’S VIEW – CONCEPTUAL ARCHITECTURE
• DESIGNER’S VIEW – LOGICAL ARCHITECTURE
• BUILDER’S VIEW – PHYSICAL ARCHITECTURE
• TRADESMAN’S VIEW – COMPONENT ARCHITECTURE
• SERVICE MANAGER’S VIEW – OPERATIONAL ARCHITECTURE
VERTICAL ANALYSIS OF THE SABSA COLUMNS
WHAT
WHAT ARE WE TRYING TO DO AT THIS LAYER?
THE ASSETS, GOALS AND OBJECTIVES TO BE PROTECTED AND ENHANCED.
WHY
WHY ARE WE DOING IT?
THE RISK AND OPPORTUNITY MOTIVATION AT THIS LAYER.
HOW
HOW ARE WE TRYING TO DO IT?
THE PROCESSES REQUIRED TO ACHIEVE SECURITY AT THIS LAYER.
WHO
WHO IS INVOLVED?
THE PEOPLE AND ORGANISATIONAL ASPECTS OF SECURITY AT THIS LAYER.
WHERE
WHERE ARE WE DOING IT?
THE LOCATIONS WHERE WE ARE APPLYING SECURITY AT THIS LAYER.
WHEN
WHEN ARE WE DOING IT?
THE TIME RELATED ASPECTS OF SECURITY AT THIS LAYER.
TWO-WAY TRACEABILITY
SABSA PROVIDES TWO-WAY TRACEABILITY FOR:
• COMPLETENESS - EVERY BUSINESS REQUIREMENT FOR SECURITY IS MET AND THE RESIDUAL
RISK IS ACCEPTABLE TO THE BUSINESS
• JUSTIFICATION - EVERY OPERATIONAL OR TECHNOLOGICAL SECURITY ELEMENT CAN BE
JUSTIFIED BY REFERENCE TO A RISK-PRIORITISED BUSINESS REQUIREMENT
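
The two checks named above, run over a small model, as an added example that is not part of the original slides or of SABSA material. The element names, the dictionary layout and the 1-5 risk scale are constructed assumptions, and the operational layer is left out to keep the chain linear.

```python
# Layer names from the SABSA views slide, top-down (operational layer left out).
LAYERS = ["contextual", "conceptual", "logical", "physical", "component"]

def roots(name, model, seen=frozenset()):
    """Business requirements reached by following trace links upward."""
    if name not in model or name in seen:
        return set()
    layer, parents = model[name]
    if layer == "contextual":
        return {name}
    found = set()
    for p in parents:
        if p in model and LAYERS.index(model[p][0]) < LAYERS.index(layer):
            found |= roots(p, model, seen | {name})
    return found

def check_traceability(model, residual, appetite):
    covered = {n: set() for n, (layer, _) in model.items() if layer == "contextual"}
    unjustified = []
    for name, (layer, _) in model.items():
        if layer == "contextual":
            continue
        reached = roots(name, model)
        if not reached:
            unjustified.append(name)        # justification fails
        for req in reached:
            covered[req].add(layer)
    incomplete = {}
    for req, layers in covered.items():
        gaps = [l for l in LAYERS[1:] if l not in layers]
        if residual[req] > appetite[req]:
            gaps.append("residual risk above appetite")
        if gaps:
            incomplete[req] = gaps          # completeness fails
    return {"unjustified": sorted(unjustified), "incomplete": incomplete}

# Constructed sample: name -> (layer, names it traces up to)
MODEL = {
    "protect customer data": ("contextual", ()),
    "keep payments available": ("contextual", ()),
    "confidential": ("conceptual", ("protect customer data",)),
    "encryption service": ("logical", ("confidential",)),
    "key handling procedure": ("physical", ("encryption service",)),
    "hardware security module": ("component", ("key handling procedure",)),
    "available": ("conceptual", ("keep payments available",)),
    "failover service": ("logical", ("available",)),
    "legacy web proxy": ("component", ()),
}
RESIDUAL = {"protect customer data": 2, "keep payments available": 4}  # constructed 1-5 scale
APPETITE = {"protect customer data": 3, "keep payments available": 2}
```

Calling `check_traceability(MODEL, RESIDUAL, APPETITE)` reports the proxy as an element with no business justification and the availability requirement as incomplete at the physical and component layers.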
BUSINESS DRIVEN ARCHITECTURE
• BEING BUSINESS-DRIVEN MEANS NEVER LOSING SIGHT OF THE ORGANISATION’S
GOALS, OBJECTIVES, SUCCESS FACTORS AND TARGETS
• THE CONTEXTUAL ARCHITECTURE CAPTURES AND PRESENTS THE FULL SET OF
RELEVANT REQUIREMENTS FOR THE SCOPE OF THE ASSIGNMENT
SUMMARY
SABSA
• IS BUSINESS DRIVEN
• PROVIDES UNIQUE ATTRIBUTE PROFILING
• MANAGES RISKS TO ATTRIBUTES
• DOES NOT COMPETE WITH OTHER FRAMEWORKS
• IS AN OPEN STANDARD
• IS FREE TO USE
• CAN BE ADAPTED TO SUIT ANY ORGANISATION
QUESTIONS?

The Role of Architecture in the Enterprise
