Enterprise Security Architecture Case Study
With the growth of ICT opportunities, enterprises have realized the significance of interoperability as a competitive advantage. Thus, many enterprises have adopted the strategy of rapidly changing their structures to support interoperability. On the other hand, interoperability is incompatible with information security.
The Enterprise Information Security Architecture (EISA) offers a framework upon which business security requirements, the risks and the threats are analyzed and a portfolio of the best integrated enterprise security solutions is put together. Frameworks and models introduced in the past six years have examined different aspects of EISA.
Recognizing the diversity of these approaches, in this paper we first develop two facets according to which the approaches are categorized. These facets are abstraction level (holistic vs. partial) and architectural viewpoint (managerial vs. technical). As interoperability is the primary focus of our study and is a broad concept, we restrict our discussion to holistic frameworks and models. In this regard, we survey the prominent holistic approaches, namely the Gartner, SABSA and RISE frameworks, the AGM-based model and the intelligent Service-Oriented EISA.
In the next step, we compare the mentioned frameworks from the technical, organizational and semantic interoperability aspects. We conclude that none of the frameworks, not even those which are holistic, practical and greatly elaborated, has explored interoperability clearly.
We assert that the competitive advantages offered by interoperability justify the costs needed for implementing the incompatible concepts of interoperability and security alongside each other. In addition, we suggest that the requirements which are common to both interoperability and security should be extracted, and that the significance of interoperability to EISA should be apprehended.
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are the primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects, and not only the technology aspects, of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires an understanding of risk appetite across the business, information systems and technology architecture in order to manage, in a business-outcome-focused way, the security risks of vulnerabilities and compliance issues, which may arise at any layer of the enterprise architecture. 4) Security services are aligned to business drivers, goals and objectives, and are managed in a risk-driven way.
Yet, there is no single security architecture development methodology that delivers these characteristics. We believe that existing information security standards and frameworks, in combination with TOGAF, are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. However, the challenge lies in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITIL v3 Security Service Management, and the ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between the IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of the long-term security needs of both business and IT, with a risk-driven enterprise as the final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations)
-> Business-opportunity-driven management of the security risk of threats, vulnerabilities and compliance issues across the business, information systems and technology architecture