Enterprise Architecture v2 To Mapping Guide
© 2021 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.
Contributors:
Jeff Maley
Michael Theriault
Rolando Marcelo Vallejos
Ashish Vashishtha
Henry Werchan
CSA Staff:
Sean Heide (Analyst)
Stephen Lumpe (Cover Design)
AnnMarie Ulskey (Layout Design)
The Enterprise Architecture Working Group (EA) is a Cloud Security Alliance (CSA) research
working group that helps cloud customers and providers develop industry-recommended, secure and
interoperable identity, access and compliance management configurations and practices. The
working group developed a cloud reference architecture, the CSA Enterprise Architecture (formerly the
TCI), which overlays cloud platforms and solutions on existing common enterprise architectures hardened
with security criteria and industry mappings from the CSA Cloud Controls Matrix.
[Figure: the four top-level EA domains: Business Operation Support Services (BOSS), Information
Technology Operations & Support (ITOS), Technology Solution Services (TSS), and Security & Risk
Management (SRM).]
Goal
Provide a mapping between the Enterprise Architecture 2.0 and Cloud Controls Matrix 3.0.1
demonstrating how both can be used together as a guide to securing an enterprise architecture.
Audience
The EA to mapping can be used by cloud security and compliance professionals to guide them in
securing enterprise architectures and performing security assessments.
[1] Interactive Enterprise Architecture Representation: https://research.cloudsecurityalliance.org/tci/index.php/explore/
[2] Cloud Controls Matrix: https://cloudsecurityalliance.org/research/cloud-controls-matrix/
Guide
This guide first defines the main components of the mapping, the CSA EA and the CSA CCM, and then
demonstrates through an example how the mapping was accomplished. After this, the mapping results
are provided and explained in a summary that also contains the roadmap of improvements to be
accomplished during 2020/21 to ensure that the Enterprise Architecture remains relevant.
Below you will find a detailed overview of the Enterprise Architecture and its components.
[Figure: Enterprise Architecture component diagram. The diagram labels are only partially recoverable
from the extracted text; they include service containers such as Data Loss Prevention, Cryptographic
Services (Key Management, PKI, Symmetric Keys, Asymmetric Keys, Signature Services), Storage Services
(Storage Virtualization, LDM, LVM, LUN), Network Services (Network Segmentation, Authoritative Time
Source), Patch Management, Compliance Monitoring, Secure Build, Image Management, Data Discovery,
Intellectual Property Protection and Digital Rights Management. See the interactive representation
linked above for the complete diagram.]
[3] https://cloudsecurityalliance.org/artifacts/tci-reference-architecture-v2-0/
The container/process levels from the EA translate into the four levels (domain/high/mid/low) in rows
3-6 of the mapping spreadsheet.
EA Key
Row 1 example EA key: BOSS.Compliance.Audit Planning.
The EA key is an amalgamation of the various Enterprise Architecture components, useful for
spreadsheet manipulation. The example key above would examine the BOSS domain, followed by the
Compliance and Audit Planning containers.
[4] https://docs.google.com/spreadsheets/d/1oPzOAhw3IQiY0BnnOYxbR5HBU7xuXidbW1ua_py4qwE/edit?usp=sharing
EA Domain
Top-level domain (BOSS/ITOS/TSS/SRM).
Key ID
The Key ID is a unique identifier for the EA mapping. The Key ID remains constant even if items
move within the chart, are duplicated or combined, or addenda occur.
[5] https://research.cloudsecurityalliance.org/tci/index.php/explore/boss/
[6] https://research.cloudsecurityalliance.org/tci/index.php/explore/itos/
[7] https://research.cloudsecurityalliance.org/tci/index.php/explore/infrastructure_services/
[8] https://research.cloudsecurityalliance.org/tci/index.php/explore/security_risk_management/
The BOSS domain is all the enterprise support functions such as Human Resources, Compliance, and
Legal that are critical to a security program. It is also the place where the operations of the company
and its systems are monitored for any signs of abuse or fraud.
Description
BOSS was designed based on best practices and reference frameworks with a proven record of
aligning the business and transforming the information security practice across organizations into
a business enabler. Most security architectures focus only on technical capabilities, missing
the opportunity to create a dynamic synergy with the business and to transform reactive practices
into proactive areas that can eventually enable business command centers providing relevant
information about the health of information assets and business processes. A common concern
when organizations decide to integrate services with cloud providers is the level of security the
provider will offer, as well as the amount of exposure when data is hosted on a multi-tenant model.
This domain outlines aspects that must be considered besides the technological solutions, such as
legal guidance, compliance and auditing activities, human resources, and monitoring capabilities
with a focus on fraud prevention.
ITOS is typically provided by the IT Department. It is the help desk that takes the call when a problem
is found. It is the teams that coordinate changes and roll them out in the middle of the night. It is the
planning and processes that keep the systems going even in the event of a disaster.
Description
ITOS outlines all the services an IT organization needs in order to support its business
needs. This domain aligns with industry standards and best practices (PMBOK, CMMI,
ISO/IEC 27002, COBIT, and ITIL v3), providing a reference from two main perspectives that enable the
organization to support its business needs. However, relationships between technology components
are not intended to be a one-to-one match to the process touch points described in PMBOK, ISO/IEC
27002, CMMI, COBIT and ITIL v3.
IT solutions can be thought of as a stack of technology: computers and networks are the bottom
layer, followed by the data they host and transport, the applications that manipulate the data, and the
actual interactions that users have with the stack. The four technology solution domains (Presentation
Services, Application Services, Information Services, and Infrastructure Services) are based on the
standard multi-tier architecture that is used to build these solutions. The CSA Reference Architecture
does not get into all the details of how that architecture works, but instead gets into the details of
the security concerns and required services for each tier in the solution.
Presentation Services
Description
An example of Presentation Services is the website you see when you go to the online bank or the
voice on the phone when you call the airline reservation system.
Application Services
Development and implementation of business logic. Think of application services as the processes
that developers use to write code, as well as the code itself.
Description
Application services are the rules and processes behind the user interface that manipulate the data
and perform transactions for the user. In an online bank, this might be a bill payment transaction that
deducts the payment amount from the user’s account and sends a check to the payee. In addition
to the application services of an IT solution, the Application Services domain also represents the
development processes that programmers go through when creating applications.
Information Services
Managing Data
Description
One of the most common pain points across organizations is the amount of data generated across
the company, sometimes including redundant data (different perspectives for the same threat or
• Operational data store: All day-to-day and transactional information will be allocated here,
using a 360 degree perspective around information assets (i.e. application and infrastructure
vulnerabilities, patching gaps, penetration test results, audit findings, and controls per asset).
• Data Warehouse: All historical transactions will be used to develop a data warehouse or data
mart that can measure the success obtained with the risk management program. Also, this
model can be used to identify behavior patterns, trends, tendencies, and systemic gaps
across the organization.
Infrastructure Services
Infrastructure Services can be visualized as the rows of computers, network cables, power supplies,
cooling vents, and fire suppression pipes you will see inside any standard data center.
Description
Infrastructure Services provide the basic core capabilities that support higher-level capabilities in
other areas of the architecture. This is the service layer that supports cloud applications visible to the
majority of cloud users. This level consists of virtual machines, applications, and databases. Often,
Infrastructure services will be deployed centrally and will run standard machine images, with all
necessary services preconfigured to support ease of integration and reliable connectivity and access.
As they provide a foundation, Infrastructure Services are largely invisible to end users of the cloud
service. For example, a customer will likely be required by due diligence to assure that cloud facilities
provide physical security to match the risk characteristics of the uses they make of cloud services,
but otherwise will ignore the operational details of how physical access controls are implemented.
Description
The Security and Risk Management domain provides the core components of an organization’s
Source: https://cloudsecurityalliance.org/wp-uploads/2011/10/TCI_Whitepaper.pdf/
CCM Description
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental
security principles and best practices to guide cloud vendors and to assist prospective cloud customers
in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that
gives detailed understanding of security concepts and principles that are aligned to the Cloud Security
Alliance guidance in 16 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on
customizations of other industry-accepted security standards, regulations, and controls frameworks
such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP. The CCM will
augment or provide internal control direction for service organization control reports attestations
provided by cloud providers.
Control Domain
The 16 domains were derived from CSA Security Guidance version 3 [10] and major standards such as
ISO/IEC 27001 and ISO/IEC 27002. The domain defines what category the controls fall under. Column
A represents the Control Domain and Control name.
[9] https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/
[10] https://cloudsecurityalliance.org/research/guidance/
Control ID
Each domain is assigned an acronym. For example, the Application and Interface Security domain is
assigned the acronym AIS. Column B contains the control ID which consists of a three-letter control
domain acronym plus a sequential control number.
Control Description
There may be one or more controls under a domain. Each control has a control ID, which is the
domain acronym followed by a number. For example, AIS-02 means 2nd control in the Application
and Interface Security domain. (Another example is IAM-03, representing the 3rd control in the
Identity and Access Management domain). Column C includes the control specification description
of the purpose of the control.
As previously mentioned, each of the mapping spreadsheets identifies EA containers and CCM
control elements where appropriate. An example of the mapping process would include the Clear
Desk Policy of the Business Operations Support Services. Located within the Data Governance
container is a policy component regarding the need for a clear desk defined as:
“A corporate policy which ensures that sensitive information is not left out in the open for viewing or
theft by unauthorized users.”
Four CCM controls are designated as the main focus of the EA’s Clear Desk Policy; they are listed
in column P by their CCM Control IDs.
AIS-04: Application & Interface Security - Data Security / Integrity (row 11)
• Policies and procedures shall be established and maintained in support of data security
to include (confidentiality, integrity, and availability) across multiple system interfaces,
jurisdictions, and business functions to prevent improper disclosure, alteration, or
destruction.
  • Justification: A complete set of policies for a corporation in compliance with ISO 27001
  and NIST 800-53 includes limiting improper disclosure. A clean desk policy reduces risks
  associated with the need-to-know of trusted insiders and authorized/unauthorized visitors to a
  corporate facility.
• A security awareness training program shall be established for all contractors, third-party
users, and employees of the organization and mandated when appropriate. All individuals
with access to organizational data shall receive appropriate awareness training and regular
updates in organizational procedures, processes, and policies relating to their professional
function relative to the organization.
  • Justification: Training for all policies and procedures falls under the jurisdiction of the
  Human Resources department. This includes the Clean Desk Policy.
• Policies and procedures shall be established to require that unattended workspaces do not
have openly visible (e.g., on a desktop) sensitive documents and that user computing sessions
are disabled after an established period of inactivity.
  • Justification: The Workspace control specifically calls out the desktop/laptop computing
  requirement of screen locking after walking away from a desk.
In all, of the 48 thousand cells examined between the EA and the CCM, roughly 3,600 items were
deemed to be within the spirit of the domain and were marked accordingly.
Given the generalized descriptions used in both the EA column and CCM row components, the
mappings capture the main spirit of any convergence recognized by the WG rather than technical
exactness. An exact mapping would require granular technical descriptions, which would normally be
the responsibility of anyone using this document. The EA mapping provides a guide to ensuring that
their actual enterprise architecture is secure. This would be followed by testing to verify control
design and effectiveness.
First we show the mapping universe, which comprises a 133 (rows) x 360 (columns) matrix with 48K cells.
SRM is the largest EA domain with over 14K cells. This means there are over 14K intersection points
between the CCM controls and all SRM components.
Then we show the count of the controls that have been identified as relating to each component's
security. In this mapping, 3,565 relevant intersections of the EA v2.0 and CCM v3.0.1 have been
identified as securing the EA.
Finally, below we show the percentage of the controls identified as relating to each EA component. In
this mapping, the count of 3,565 controls represents 7.4% of the cells.
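The EA key and CCM control ID formats described above, and the coverage figures for the mapping universe, as an added worked example (this is not the working group's spreadsheet logic; the sample rows are constructed, and only the Clear Desk Policy to AIS-04 pairing comes from the guide):

```python
import re
from collections import Counter

# EA keys: domain.container.capability[.component], e.g. "BOSS.Compliance.Audit Planning"
EA_DOMAINS = ("BOSS", "ITOS", "TSS", "SRM")
# CCM control IDs: three-letter domain acronym plus a sequential number, e.g. "AIS-04"
CCM_ID = re.compile(r"^([A-Z]{3})-(\d{2})$")


def parse_ea_key(key: str) -> tuple:
    """Split an EA key into its levels; the top level must be one of the four EA domains."""
    parts = tuple(p.strip() for p in key.strip().rstrip(".").split("."))
    if len(parts) < 2 or parts[0] not in EA_DOMAINS or not all(parts):
        raise ValueError(f"malformed EA key: {key!r}")
    return parts


def parse_ccm_id(control_id: str) -> tuple:
    """Return (domain acronym, control number) for an ID such as 'AIS-04' or 'IAM-03'."""
    m = CCM_ID.match(control_id.strip())
    if not m:
        raise ValueError(f"malformed CCM control ID: {control_id!r}")
    return m.group(1), int(m.group(2))


# Constructed sample of mapping rows: (EA key, CCM control IDs marked for that component).
# Only "Clear Desk Policy -> AIS-04" is taken from the guide; the other pairings and the
# container names are illustrative placeholders, not mapping results.
SAMPLE_ROWS = [
    ("BOSS.Data Governance.Clear Desk Policy", ["AIS-04"]),
    ("BOSS.Compliance.Audit Planning", ["AIS-02", "IAM-03"]),
    ("SRM.Policy Management.Security Policies", ["AIS-04", "IAM-03"]),
    ("ITOS.Service Support.Incident Management", []),  # nothing marked for this component
]


def marked_by_domain(rows) -> Counter:
    """Count marked EA/CCM intersections per EA domain, rejecting malformed keys or IDs."""
    counts = Counter()
    for key, ids in rows:
        domain = parse_ea_key(key)[0]
        for cid in ids:
            parse_ccm_id(cid)  # raises ValueError on a malformed control ID
            counts[domain] += 1
    return counts


def coverage_pct(n_rows: int, n_cols: int, marked: int) -> float:
    """Percentage of the rows x cols mapping universe that was marked as relevant."""
    return 100.0 * marked / (n_rows * n_cols)


if __name__ == "__main__":
    print(dict(marked_by_domain(SAMPLE_ROWS)))
    # The guide's universe: 133 rows x 360 columns (47,880 cells), 3,565 marked -> 7.4%
    print(f"{coverage_pct(133, 360, 3565):.1f}%")
```

Running it reproduces the guide's 7.4% figure from its own row, column and intersection counts, and rejects rows whose EA key or control ID does not follow the documented format.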
Summary
Many organizations use underlying Enterprise Architecture framework components in designing and
controlling their environments, including ITIL, COBIT, TOGAF and the Jericho Forum [11]. The EA can assist
in converting existing processes and assessments or in performing cloud control gap reviews.
Another use case for the EA surrounds its big-picture view of an organization’s security posture. The
Cloud Controls Matrix and its companion Consensus Assessment Initiative Questionnaire (CAIQ) provide
an internal assessment tool for determining where successes or deficiencies exist. The mapping
described here allows an organization to assess with the CCM/CAIQ and present findings with the EA.
We hope you find this tool useful and look forward to your feedback.
[11] https://publications.opengroup.org/white-papers/security/jericho-forum
Cloud Security Alliance, Cloud Controls Matrix v3.0.1, release date August 3, 2019, available at
https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v3-0-1/
NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, Recommendations
of the National Institute of Standards and Technology, by Fang Liu, Jin Tong, Jian Mao, Robert Bohn,
John Messina, Lee Badger and Dawn Leaf, September 2011, available at
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication500-292.pdf