Sunday, March 20, 2016

Topic 5 / Post 2 – Security Architecture Layer / Application Security Architecture and Applied Design

March 20, 2016 / Dennis Holinka

Topic 5 – Security Architecture Layer

This week's posts go over the Security Architecture Layer, the various perspectives, and related reflections in the blog.

Post 2 – Application Security Architecture and Applied Design

Enterprise Architecture and, quite similarly, Security Architecture are riddled with confusion and ambiguity about how to make their implementations tangible. If you ask an enterprise architect what consumables he or she will produce, you will be fortunate to receive a list of artifacts as described by Gartner in the EA Charter document. Security Architecture has a similar problem: in the experience of IT professionals, it has emerged as a checkbox / compliance / controls-based set of exercises, with few if any visual modeling artifacts to depict the abstractions required to create an architecture design. A number of frameworks are needed here to give an Enterprise Architect, and even more so a Solution Architect, a modeling discipline and a set of techniques from which to produce artifacts.

Fortunately, the approach I have researched and recommend here is to use the IBM Security Framework and Security Blueprint Methodology, coupled with a practical approach of enhancing existing Solution Architecture artifacts with security architecture designs. The IBM approach formed its framework by decomposing the Security Framework into sub-components, each of which a solution architect will have to provide a visual modeling artifact for. The practical approach is to model each of these specific areas of control objectives, which we can consolidate using a global controls list like CCM from the Cloud Security Alliance. However, we should align each of the controls into the larger framework provided by the IBM Security Framework:

Figure: Enterprise Security Framework - IBM

The overall framework breaks up into policy management planes and then into subcomponents of the policy domains for the security architecture coverage. The policy governance and management portions are Command and Control Management, Security Policy Management, and Risk and Compliance Assessment. The policy sub-domains are Identity, Access and Entitlement Management; Data and Information Protection Management; Software, System and Service Assurance; Threat and Vulnerability Management; IT Service Management; and Physical Asset Management. Each policy domain is broken into further sub-components, along with Security Services Infrastructure components that must be addressed as part of blueprinting the solutions. The solution approach can be enhanced by modeling with Archimate and its Extended Motivation Model, which maps the controls to the multi-layer EA model diagram to document the various components of the framework and blueprint the solution.

Figure: Archimate Extended Motivation Model - Mastering Archimate (The Open Group)

By documenting each part of the framework with the Risk approach in the Archimate language, the solution artifacts, in addition to those documented as part of the TOGAF Security Architecture ADM deliverables, will provide a detailed design for implementing and understanding the security architecture designs. As a matter of convenience, I am providing the list of subcomponents of the frameworks that will have to be modeled. The best approach to modeling is to walk down the security framework, align the various global standardized controls from CCM, and place them within the governance, policy oversight management, or policy domain sub-component frameworks. Then model the various controls as they apply to the SRV (Security Requirements Vision) as detailed in the SSR (Security Solutions Requirement) map to the various matrices and traceabilities to STR, SBR, SBP, STT, and SIRs in the SRV. They are as follows and should use the above Archimate modeling technique to design the security architecture, including more detailed models such as UML that further decompose the Application Architecture layer in Archimate.

Figure: Enterprise Security and BluePrint Framework - IBM
