Security Architecture
Security architecture forms the foundation of a good cyber security strategy. It is a type of security design composed of multiple components, including the tools, processes, and technologies used to protect your business from external threats. A good architecture framework will quickly identify and address potential threats and gaps in security, helping you protect sensitive data, such as intellectual property and employees’ social security numbers, with minimal effort on your own part after the architecture is implemented. This makes it an excellent tool for companies that have large amounts of data but not the resources to continually monitor it.
A robust architecture offers several benefits. In addition to its ability to identify and mitigate threats, architecture gives businesses the information they need to strengthen their security protocols and make changes where necessary. A secure architecture also includes detailed security controls that help protect enterprise infrastructure and applications. With more cyber security threats than ever before, having a strong architecture is essential to maintaining control over your digital data, thus preventing expensive recovery efforts and lawsuits that often stem from a data breach.
Purpose
Security architectures typically share the same purpose - protect the organization from cyber harm. In order to achieve this, architects will often try to install themselves in your business for a period of time while they learn what makes you, and your people, different. They will talk to your leaders and employees, seeking to understand your individual business goals, the requirements of your systems, the needs of your customers and other critical factors.
From here, they can produce a plan and offer guidance that is aligned to your business objectives, and suits your stated cyber security risk appetite.
Frameworks
Much like property architects have guidelines to work within, so too do security architects. These are commonly referred to as 'frameworks'.
What is a security architecture framework? It can be a few different things, but is generally considered a consistent set of principles and guidelines for implementing security architecture at different levels of the business. There are many international framework standards, each solving a different problem.
Some companies will also devise their own frameworks. For example, at dig8ital we use best-practices based on three of the world's most common security architecture frameworks: SABSA, TOGAF and OSA (see below). By combining standards, we are able to provide a more versatile service that uses the best guidance from each. This enables us to design, implement and measure highly tailored security requirements and solutions.
Examples of common security architecture frameworks
TOGAF: The Open Group Architecture Framework, or TOGAF, helps determine what problems a business wants to solve with security architecture. It focuses on the preliminary phases of security architecture, an organization's scope and goal, setting out the problems a business intends to solve with this process. However, it does not give specific guidance on how to address security issues.
SABSA: Sherwood Applied Business Security Architecture, or SABSA, is a quite policy driven framework that helps define key questions that must be answered by security architecture: who, what, when and why. Its aim is to ensure that security services are designed, delivered and supported as an integral part of the enterprise's IT management. However, while often described as a 'security architecture method', it does not go into specifics regarding technical implementation.
OSA: Open Security Architecture, or OSA, is a framework related to functionality and technical security controls. It offers a comprehensive overview of key security issues, principles, components and concepts underlying architectural decisions that are involved when designing effective security architectures. That said, it can typically only be used once the security architecture is already designed.