Embed Size (px)
Citation preview
THE ROLE OF ARCHITECTURE
BRIDGING THE GAP BETWEEN THE ENTERPRISE AND TECHNOLOGY
THE GREAT DIVIDE
WHAT IS ENTERPRISE SECURITY ARCHITECTURE?• ENTERPRISE MEANS CONSIDERING AN
ORGANISATION AS A SINGLE ENTITY RATHER THAN A SET OF CO-OPERATING OR COMPETING SILOS
• SECURITY IS DIFFERENT FOR EVERY ORGANISATION
• ARCHITECTURE – IS BOTH A PROCESS AND A PRODUCT• PROCESS = PLANNING, DESIGN AND
CONSTRUCTION• PRODUCT = PEOPLE, PROCESS AND
TECHNOLOGY
THE EVOLUTION OF SECURITY
• LATE 1980’S – ISO7498:2
• LATE 1990’S – 2000’S - SECURITY TECHNOLOGIES USED AS A COUNTERMEASURE TO COMBAT VIRUSES AND UNAUTHORISED ACCESS
• LEFT ALONE TO TECHNOLOGISTS, SECURITY WAS SEEN AS THE BUSINESS PREVENTION DEPARTMENT
THE RESULT
• DISCONNECT BETWEEN THE BUSINESS NEEDS AND TECHNOLOGY, INFORMATION ASSURANCE
• SECURITY SEEN AS AN ADD-ON – ROI HARD TO GAUGE
• SECURITY ROLLED IN TACTICALLY AS PART OF PROJECT DELIVERY
TACTICAL SOLUTIONS COST MORE!USED TO SOLVE AN IMMEDIATE PROBLEM, BUT:• UNDERTAKEN AS A SILOED APPROACH• DEPLOYED SOLUTIONS LACK FLEXIBILITY• UNFORESEEN INTEGRATION COMPLEXITIES• ISSUES WITH INTEROPERABILITY• HIGHER SUPPORT COSTS (DIVERSE SYSTEMS)• DIFFERENT PERSPECTIVES AND APPROACHES• ADDITIONAL RESOURCES OFTEN REQUIRED
THE REAL ROLE OF SECURITY
PROVIDE CONFIDENCE AND ASSURANCE:• DEPENDABILITY (RELIABLE)• SUITABILITY (FIT FOR PURPOSE)• TRUST IN PEOPLE, PROCESS & TECHNOLOGY• NOT EXPOSED TO UNACCEPTABLE LEVELS OF RISK
SECURITY MUST ENABLE THE BUSINESS TO MEET ITS OBJECTIVES, IDENTIFY AND TRANSFORM OPPORTUNITIES.
THE IMPORTANCE OF A FRAMEWORK• ALLOWS ORGANISATIONS TO MANAGE COMPLEXITY• MAINTAIN INTEGRITY OF DESIGN AT ALL STAGES• PROVIDES A ROADMAP FOR ALL• LOWERS THE TOTAL COST OF OWNERSHIP• INTEGRATION AND INTEROPERABILITY• RESOLVE CONFLICTING OBJECTIVES AND PRIORITIES• PREDICTABLE OUTCOMES• FLEXIBLE AND AGILE SOLUTIONS• BALANCE BETWEEN STRATEGIC, TACTICAL & OPERATIONAL
ARCHITECTURE GUIDING PRINCIPLESAN ARCHITECTURE MUST NOT PRESUPPOSE ANY:• CULTURES OR OPERATIONAL PRACTICES, MANAGEMENT STYLE,
MANAGEMENT PROCESSES, MANAGEMENT STANDARDS, TECHNICAL STANDARDS OR TECHNOLOGY PLATFORMS
A GOOD ARCHITECTURE:• MEETS AN ORGANISATIONS UNIQUE SET OF BUSINESS REQUIREMENTS• DOES NOT REPLACE OR COMPETE WITH ESTABLISHED POLICY,
STANDARDS, PRACTICES OR LEGISLATION BUT RATHER ENABLES THEIR DEPLOYMENT
• IS SUFFICIENTLY FLEXIBLE AND ADAPTABLE
ARCHITECTURE FRAMEWORK
A CONSISTENT SET OF PRINCIPLES, POLICIES AND STANDARDS THAT SETS THE DIRECTION AND VISION FOR THE DEVELOPMENT AND OPERATION OF THE ORGANISATION’S BUSINESS INFORMATION SYSTEMS SO AS TO ENSURE ALIGNMENT WITH AND SUPPORT FOR THE BUSINESS NEEDS.
© SABSA INSTITUTE 2016
SABSA ARCHITECTURE VIEWSBUSINESS VIEW CONTEXTUAL ARCHITECTURE
ARCHITECT’S VIEW CONCEPTUAL ARCHITECTURE
DESIGNER’S VIEW LOGICAL ARCHITECTURE
BUILDER’S VIEW PHYSICAL ARCHITECTURE
TRADESMAN’S VIEW COMPONENT ARCHITECTURE
SERVICE MANAGER’S VIEW OPERATIONAL ARCHITECTURE
VERTICAL ANALYSIS OF THE SABSA COLUMNSWHAT
WHAT ARE WE TRYING TO DO AT THIS LAYER?THE ASSETS, GOALS AND OBJECTIVES TO BE PROTECTED AND ENHANCED.
WHY WHY ARE WE DOING IT?THIS RISK AND OPPORTUNITY MOTIVATION AT THIS LAYER.
HOW HOW ARE WE TRYING TO DO IT?THE PROCESSES REQUIRED TO ACHIEVE SECURITY AT THIS LAYER.
WHOWHO IS INVOLVED?THE PEOPLE AND ORGANISATIONAL ASPECTS OF SECURITY AT THIS LAYER.
WHERE WHERE ARE WE DOING IT?THE LOCATIONS WHERE WE ARE APPLYING SECURITY AT THIS LAYER.
WHEN WHEN ARE WE DOING IT?THE TIME RELATED ASPECTS OF SECURITY AT THIS LAYER.
TWO-WAY TRACEABILITY
SABSA PROVIDES TWO-WAY TRACEABILITY FOR:• COMPLETENESS - EVERY BUSINESS REQUIREMENT FOR SECURITY IS
MET AND THE RESIDUAL RISK IS ACCEPTABLE TO THE BUSINESS• JUSTIFICATION - EVERY OPERATIONAL OR TECHNOLOGICAL SECURITY
ELEMENT CAN BE JUSTIFIED BY REFERENCE TO A RISK-PRIORITISED BUSINESS REQUIREMENT
BUSINESS DRIVEN ARCHITECTURE
• BEING BUSINESS-DRIVEN MEANS NEVER LOSING SITE OF THE ORGANISATION’S GOALS, OBJECTIVES, SUCCESS FACTORS AND TARGETS
• THE CONTEXTUAL ARCHITECTURE CAPTURES AND PRESENTS THE FULL SET OF RELEVANT REQUIREMENTS FOR THE SCOPE OF THE ASSIGNMENT
SUMMARYSABSA• IS BUSINESS DRIVEN• PROVIDES UNIQUE ATTRIBUTE PROFILING• MANAGES RISKS TO ATTRIBUTES• DOES NOT COMPETE WITH OTHER FRAMEWORKS• AN OPEN STANDARD• FREE TO USE• CAN BE ADAPTED TO SUIT ANY ORGANISATION
QUESTIONS?
