Professional Documents
Culture Documents
Business Security Architecture Weaving Information Security Into Your Organization's Enterprise Architecture Through SABSA
Business Security Architecture Weaving Information Security Into Your Organization's Enterprise Architecture Through SABSA
Address correspondence to
INTRODUCTION
Jason S. Burkett, Senior Associate, SABSA® focuses on the use of “best practices” for any organization that
Veris Group, LLC, 3429A
W. Franklin Street, Richmond, VA needs to develop information security solutions and traceable business enter-
23221. E-mail: Jason.Burkett@gmail.com prise initiatives. SABSA provides integrated frameworks, models, methods, and
47
processes that are risk-focused and address both threats focuses on security at the operational layer of an orga-
and opportunities. The SABSA methodology uses a nization and does not take into account a strategic
“business-driven approach” consisting of a “six-layer point of view. SABSA is used to address these issues
model covering all four parts of the IT lifecycle: by taking the strategic view into consideration.
Strategy, Design, Implementation, and Management SABSA brings information security professionals
& Operations.” Information security solutions are the arsenal they need to become business security
derived from all views and layers of enterprise archi- solution providers instead of the business operations
tecture in order to produce requirements driven by inhibitors they have been portrayed to be. Reporting
the business, not because of the latest buzz words on information security only gives organizations an
(Sherwood, Clark, & Lynas, 2005). idea of what risks exist; it does not show organizations
Information security professionals have been viewed how to become more secure by mitigating risk. The
as inhibiting operations because they identify prob- same holds true for applying security only through
lems in the protection of information assets after an operations; tactical information security only meets the
information technology solution has been designed, immediate need rather than establishing strategic, long-
implemented, and put into operation. These problems term solutions to an organization’s information protec-
exist because security considerations were not incorpo- tion ailments. SABSA gives organizations a roadmap
rated into a technology solution during the initiation to protecting company assets through the SABSA
phase and aligned with all layers of the organiza- Development Process, developing security solutions as
tion throughout implementation. Typical information viewed by all six layers of an organization. The SABSA
security assessments include recommended mitigation Development Process diagram is shown in Figure 1
actions, but they are seldom remediated as recom- (Sherwood, Clark, & Lynas, 2005).
mended. Reasons usually include the lack of funding, SABSA is easily integrated with existing enterprise
lack of resources, or statements such as “the priority architectures because it is holistic, accounting for all or-
of mission operations will suffer” if the recommended ganizational business units. The major enterprise archi-
security actions are implemented. In most cases, it tectures in use today are listed below (Sessions, 2007):
is not until after organizations have become “intru-
sion victims” of an “Advanced Persistent Threat” (APT) • The Zachman Framework (Zachman, 2008)
that remediation efforts are taken seriously (Stamos, • The Open Group Architectural Framework
Grattafiori, Daniels, Youn, & Orvis, 2011). These are all (TOGAF® ) (The Open Group, 2008)
symptoms of the root problem, incorporating security • The Federal Enterprise Architecture (FEA) Security
into the enterprise at all levels. Each level or layer of an and Privacy Profile (Federal CIO Council, 2010)
organization has its own business priorities and objec- • The Gartner Enterprise Architecture Framework
tives to support the mission. The need to implement an (GEAF) (Gartner, 2006)
enterprise security solution is commonly overlooked or
not even recognized. Another reason for not imple- In Robert Sessions’ white paper “Comparison of the
menting security is that information security can be Top Four Enterprise Architecture Methodologies,” he
addressed later in the development of the technology describes Zachman to be a “taxonomy,” TOGAF to be
or system, during the operations phase where opera- a “process,” FEA to be a “methodology,” and Gartner’s
tional security is applied. However, operational security to be a “practice” (Sessions, 2007).
J. S. Burkett 48
Similar to how a building architect designs security the software goes through each layer of development
into a building, SABSA assimilates information secu- (Harris, 2011). The six layers of SABSA are mapped to
rity elements throughout the layers of an organization six stakeholder views, and the six interrogatives defined
and aligns it with the current enterprise architecture, be for each layer of an enterprise security architecture.
it any of the four listed above. This mapping is shown in Figure 2 in the SABSA
SABSA enables business growth by strengthening Matrix (Sherwood, Clark, & Lynas, 2005).
the ability of an organization to produce more infor- SABSA takes a holistic approach in identifying secu-
mation products and services in a secure fashion. All rity solutions for business problems that executives
layers of the organization have signed off on infor- face, not the “technically led approach” that solves
mation security attributes and requirements, enabling only the tactical operational issues. Within the past
strategic organizational objectives to be achieved while few years, business and technology have become one
protecting operations. As more organizations realize and the same as organizations have not been able to
the best way to protect the business is by establish- stay competitive without incorporating technologies
ing an information security strategy at each layer of the that give them an edge. For many years, the security
organization, SABSA becomes the solution of choice. of business and technology has focused on the con-
fidentiality, integrity, and availability of information.
However, by focusing on only three attributes, security
INTEGRATING SABSA gaps have existed throughout organizations and their
Many white papers, articles, and books have systems. There are other attributes that an organization
been written on information security and enterprise needs to include in order to mitigate risks unique to its
architecture, but these topics are typically separated, enterprise.
and there are few that combine the two. It is hard SABSA uses a business attribute taxonomy to cap-
to believe that one of the most important aspects of ture these attributes and to show measurable organi-
enterprise architecture (information security) could be zational value (MOV) based on these unique needs.
left out of defined methodologies and frameworks. Using the profiling technique, security solutions can
Enterprise architectures that fail to include security be measured against predetermined targets. A large
leave gaps in the protection of information assets. multinational banking group (unnamed to prevent
These gaps can be closed at the enterprise level by unnecessary threats) has used SABSA successfully to
implementing a strong Enterprise Security Architecture ensure strategic development of a single application for
derived from the business and its stakeholders. high-value Internet transactions. Challenges that were
overcome using targeted metrics consisted of availabil-
ity, inter-operability with legacy systems, and real-time
The SABSA Methodology transactions (www.SABSA.org).
SABSA was originally developed in 1995 as an
“idea” by John Sherwood. In 1996, he published
“SABSA: A Method for Developing the Enterprise SABSA and the Zachman Framework
Security Architecture and Strategy” This white paper The SABSA model closely follows the Zachman
details the SABSA methodology and framework. Framework in that both attempt to answer the “prim-
The SABSA methodology includes six layers, each itive interrogatives” of who, what, when, where, why,
representing the view of a different stakeholder in and how for each layer of an organization. Both
the enterprise. Shon Harris, author of the Certified SABSA and the Zachman Framework were developed
Information System Security Professional (CISSP) All-in- independent of each other. SABSA does not replace
One Exam Guide, mentions in a recent article that the Zachman Framework but instead enhances it by
SABSA also establishes a “time-tested” framework for including security. SABSA helps align security to busi-
building secure information systems that account for ness strategy by filling the security gaps in enterprise
the security needs of each layer. She also indicates that architecture and service management. The Zachman
SABSA is similar to “software development” as when Framework is shown in Figure 3 (Zachman, 2011).
someone “uncovers a business need to develop a spe- As indicated in the Zachman Framework, there
cific software product” and applies more granularity as is no mention of security in any of the quadrants.
SABSA can be easily integrated with the Zachman service management into all layers of the organiza-
Framework because both are flexible and meet an tion. A SABSA and TOGAF integration model would
organization’s unique set of business requirements. resemble Figure 5.
When integrated, SABSA fills in the missing security
gaps providing an organization with more complete
enterprise architecture.
SABSA and The Federal Enterprise
Architecture Security & Privacy
SABSA and The Open Group Profile (FEA SPP)
Architecture Framework (TOGAF) The FEA SPP, version 3, is “a scalable, repeat-
TOGAF1 is owned by the Open Group and is a able, and risk-based methodology and framework
tool or process used to develop different information for addressing information security and information
technology (IT) architectures. TOGAF’s architecture privacy requirements in the context of an agency’s
development model is shown in Figure 4 (The Open architecture at the enterprise, segment, and solu-
Group, 2008). tion levels.” It provides guidance on the mandates
SABSA complements TOGAF because it incor- for federal government departments and agencies to
porates security into the process for creating IT protect information and information systems by imple-
architecture solutions. TOGAF categorizes architecture menting “security and privacy protections.”
into four areas (business, application, data, and tech- The FEA SPP Framework shown in Figure 6 pro-
nical) but does not include security in any of these vides a roadmap on how departments or agencies can
categories. SABSA supports all categories and takes integrate the NIST Risk Management Framework into
this architecture a step further by incorporating the the FEA to develop an “Enterprise Level Common
business need of security architecture and security Control” solution (The Federal CIO Council, 2010).
J. S. Burkett 50
FIGURE 3 The Zachman Enterprise Framework. (color figure available online.)
Figure 6 depicts SABSA attributes included in the when using FEA SPP. The diagram in Figure 6 also
framework to illustrate how SABSA incorporates includes the SABSA methodology as part of enter-
additional controls that might have been overlooked prise architecture guidance and information security
guidance because it would be considered supporting SABSA and the Gartner Model
documentation.
The Gartner model is often called a practice
By itself, the FEA SPP methodology consists of
as it rests on the interpretation, experience, and
a compliance element that is not necessarily flexi-
shared knowledge of enterprise service providers.
ble enough for all departments or agencies to meet.
Unfortunately, Gartner did not grant permission to
Incorporating SABSA into the FEA SPP takes into
publish their model in this paper because they indi-
account unique agency missions that require additional
cated an updated model is forthcoming. The origi-
security attributes. Unique agency missions have trou-
nal model was published in the 2006 Gartner white
ble meeting compliance requirements because of the
paper “Incorporating Security into the Enterprise
lack of flexibility in federal directives and requirements
Architecture Process.” Since its publication, security
(The Federal CIO Council, 2010).
J. S. Burkett 52
architecture has become a focus of enterprise Management Professional (PMP) certification exam was
operations, applying the concept of a service-oriented held. The first certified group numbered 43 PMPs. There
architecture. The model illustrates how “current-state are now 180,000 PMPs in 175 countries (Owens, 2011).
architecture,” or “as-is” architecture, can be trans- SABSA does not replace existing organizational pro-
formed into “future-state architecture,” or the “to- cesses or frameworks. The biggest benefit to using
be” architecture (Gartner, 2006). The Gartner practice it is to align and enhance that which works in an
focuses on services that an enterprise can provide and organization, building on existing strengths without
“closing the gap” between the “current-state” and the introducing weaknesses or risks. Figure 7 illustrates
“future-state.” It answers the questions of how, why, some of the benefits and challenges that are introduced
and for what as identified in SABSA and Zachman but when integrating SABSA in an organization.
does not necessarily include the who, where, and when.
The architecture effort itself is influenced by business
strategy and environmental trends. The integration of CONCLUSION
the SABSA would complement the Gartner practice by
closing any gaps in security that do not address the SABSA is an enabler of business, providing fea-
enterprise stakeholders (the who), the enterprise loca- tures and advantages that lead to many benefits
tions (the where), and the timing (the when). SABSA for every layer of an organization, regardless of the
also supports the alignment of security with strategic existing enterprise architecture. Organizations can real-
objectives identified in the to-be architecture. ize tremendous gains by implementing a security archi-
tecture based on the SABSA methodology. SABSA
meets the unique needs of any business mission, and it
is flexible enough to integrate with any existing archi-
SABSA Benefits and Challenges tecture. It helps organizations manage complexity by
All methodologies and frameworks are met with chal- providing architectural governance, ensuring two-way
lenges despite the benefits that are offered to an industry. traceability on key decisions, measuring the true orga-
An example is the Project Management Methodology nizational value added, and by being risk driven as well
and Project Management Institute (PMI). Founded in as business driven. Organizations that realize business
1969, the PMI consisted of a small group of project and security are now inseparable, just as business and
managers practicing what was thought of at the time technology, will also understand the need to incorpo-
to be questionable unproven methods, but now is rate information security at every layer of the enterprise
considered a valuable repository called the Project for every technology solution and not wait until the
Management Body of Knowledge (PMBOK). It was solution is already operational. This is the time to be
not until 1984, 15 years later, that the first Project proactive instead of reactive.
J. S. Burkett 54
Copyright of Information Security Journal: A Global Perspective is the property of Taylor & Francis Ltd and its
content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's
express written permission. However, users may print, download, or email articles for individual use.