Security Architecture

When developing enterprise cybersecurity architectures for an organization, the key is to remember that it is like building a house. Houses are designed before anyone starts constructing them, and building architects defer on specifics to engineers and specialized resources.

Enterprise Cybersecurity Architecture

Holistic

Enterprise Cybersecurity Architecture requires a holistic approach when dealing with complex systems across an organization. This means having a proper understanding of requirements, design philosophy, interoperability, component integration, and how the system will operate. A holistic approach is not a checklist-based approach; with a checklist, other necessary components, either technical or process-oriented, may get missed.

Business-Driven

Enterprise Cybersecurity Architecture must be business-driven, focusing on securely enabling the business's strategic directions in current and new markets, channels, and products. Therefore, a firm understanding of where the company is today and where the business wants to be in the future is necessary.

Risk-Driven

An Enterprise Cybersecurity Architecture focuses on a realistic perspective of the risks facing an organization and the remedies, in terms of security mechanisms, to reduce those risks. It is neither cost-efficient nor operationally efficient to put in place security mechanisms that are not relevant or required based on the risks present, or that address a risk the organization does not inherently have.

When developing enterprise cybersecurity architectures for an organization, the key is to remember that it is like building a house. Houses are designed before anyone starts constructing them, and building architects defer on specifics to engineers and specialized resources (HVAC, Plumbing, Electrical) when needed. They also include building codes and zoning laws in addition to client requirements. Likewise, enterprise security architectures answer the design's what, why, who, where, when, and how. In addition, Enterprise Cybersecurity Architects defer to specializations (SOC, Threat Intelligence, Incident Response, Forensics, Internal Audit) and Cybersecurity Engineering. They also include regulatory compliance, contractual compliance, industry standards, and stakeholder requirements in designs. Otherwise, the result is an untenable, unsustainable, and unmaintainable system that is costly, inefficient, and ineffective, inherently full of risks, and potentially exploitable.

Enterprise Cybersecurity Architecture encompasses many, many other areas.

Enterprise Cybersecurity Architecture-Reference

Every enterprise cybersecurity architecture must start somewhere. The reference architecture depicted here provides the initial basis for developing an enterprise cybersecurity architecture for any organization. It is industry-agnostic, standards-focused, and integrates TOGAF and SABSA. In addition, the reference architecture is influenced by the Trusted Cloud Initiative Reference Architecture developed by the Cloud Security Alliance and NIST. Finally, anyone can use this public domain document and modify it to suit their own needs.

SABSA is the copyright and trademark of the SABSA Institute, all rights reserved.

TOGAF is the copyright and trademark of The Open Group, all rights reserved.

Enterprise Cybersecurity Architecture Paradigm-Reference

Every enterprise cybersecurity architecture follows a paradigm. The paradigm simply means a lifecycle is attached to the enterprise cybersecurity architectures, as noted by the SABSA lifecycle. The lifecycle overlays with the familiar Plan, Do, Check, Act (PDCA) cycle, also known as the Deming cycle or Shewhart cycle. This ties into or can overlay with the Plan, Design, Build, Run model and aligns with the conceptual perspective of the SABSA lifecycle. The ECSA paradigm provides an industry-agnostic view of the expectations within each area, adaptable to rigid organizations or to looser, more agile-focused organizations; the expectations remain the same in either case. In addition, the ECSA paradigm leads expectations towards an organization's areas of interest and the likely places to be protected. Finally, anyone can use this public domain document and modify it to suit their own needs.

Be mindful that the lifecycle ties into the current state, target state, and transition state architectures. In general terms, this means integration with portfolio management, program management, and project management in terms of cybersecurity mechanisms and tooling, strategy, capability development, and architecture deployment, be it architecture capability, business capability, or both.

Cybersecurity and Technology Operations Paradigm-Reference

The Cybersecurity and Technical Operations Paradigm focuses attention on areas of operationalization, ensuring mutual inclusivity between IT and Cybersecurity. An enterprise cybersecurity architecture that does not account for operations is nothing more than wishful thinking and shelfware. All enterprise cybersecurity architectures must consider integration with SOC, NOC, and Fusion Center concepts within organizations or through Managed Security Service Providers (MSSP), Managed Security Providers (MSP), and Managed Detection and Response (MDR).

It does not make sense to build walls and towers around the castle and then have no sentries to man them, or not enough sentries to be effective. In this sense, all architectures need to be right-sized operationally and fit-for-purpose, or they will not be effective regardless of how many tools are thrown at the problem.

Anyone can use this public domain document and modify it to suit their own needs.

Secure Design Principles-Reference

According to the Merriam-Webster dictionary, a principle is:

  • a comprehensive and fundamental law, doctrine, or assumption
  • a rule or code of conduct
  • the laws or facts of nature underlying the working of an artificial device
  • an underlying faculty or endowment

Secure Design Principles provide a directive for developing a secure system's underlying and comprehensive doctrine, assumptions, and rules of conduct. Any system should adhere to secure design principles through design, development, testing, and deployment, and throughout the system's running lifecycle. In addition, the secure design principles are ever-present but extendable to account for MITRE ATT&CK and D3FEND. Finally, anyone can use this public domain document and modify it to suit their own needs.

Policy and Harmonized Control Framework-Reference

Many do not necessarily think of enterprise cybersecurity architects as involved in policy development and working with or on harmonized control frameworks. Yet, enterprise cybersecurity architecture demands the alignment of security mechanisms with financial, IT, and cybersecurity controls related to broader regulatory compliance. If architects do not account for these areas, the entire cybersecurity program is in jeopardy of missing the mark in securing the overall organization. Likewise, the cybersecurity program will miss the mark on meeting regulatory compliance. Therefore, a synergy exists between enterprise cybersecurity architecture and harmonized control frameworks. Furthermore, the synergy extends outward to policies, standards, guidelines, business processes, standard operating procedures, etc., ensuring consistency under a holistic approach.

The policy and harmonized control framework reference architecture presented is a single point of view, but it provides a reference, read from left to right, for a potential direction. The reference architecture utilizes a core set of influences with NIST 800-53 Rev. 4 as the base. The perspective presented is not rigid, just a starting point. NIST 800-53 could easily be swapped out for ISO 27001, the CIS CSC v8, or the CSA-Matrix as the base. Some organizations might favor a NIST CSF direction. Adopt and adapt as appropriate to the organization.

The main policy architecture viewpoint is based on the policy architecture presented by SABSA in the SABSA Big Blue book (the first book listed on the Library page) and within training from the SABSA Institute. Therefore, it is a good starting point for developing organizational policies as well as application-level policies. Finally, anyone can use this public domain document and modify it to suit their own needs.

Defeating Chaos

Change, like death and taxes, is inevitable. Change is a constant regardless of who you are, where you work, and what you do. Change, whether positive or negative, shapes direction and can bring chaos to otherwise orderly systems, plans, and directives. Through disciplined, organized, and thorough planning and design, enterprise cybersecurity architecture attempts to bring order to chaos.

Enterprise cybersecurity architecture is not a silver bullet or a one-size-fits-all solution. Instead, it recognizes that standardization, organization, structure, ordering, planning, and many other aspects of enterprise cybersecurity architecture are about controlling the things you can and minimizing the impact of the things you cannot. In addition, the enterprise cybersecurity architecture practice is concerned with continuous improvement while growing overall maturity, which also helps reduce chaos.

No environment or business is chaos-free. No environment or business will remain the same forever. However, change can be managed, accounted for, and integrated into daily tasks and efforts.