Taking a holistic view of enterprise architectures allows for the creation of consistent policies and standards by which the system is designed and built. In order to manage the complexity of large systems it helps to break that system down into layers that clearly define the roles for each of the stakeholders charged with designing, implementing, and supporting the system. The Sherwood Applied Business Security Architecture (SABSA) is a six layer model that identifies each of these stakeholders, their role in the architecture, and the transition between them. Each layer, or view, forms the foundation for the layer above, building from high level architecture, to the design and implementation, all the way through to the testing and maintenance of the complete system.
From a professional standpoint understanding each layer in the secure architecture can help you design a more comprehensive strategy. By knowing the needs at each level you can anticipate challenges at the various layers. It doesn't make sense to create security policies that cannot be enforced, for example. It also allows for traceability of the implementation when the requirements of one layer flow directly into the next.
From a professional standpoint understanding each layer in the secure architecture can help you design a more comprehensive strategy. By knowing the needs at each level you can anticipate challenges at the various layers. It doesn't make sense to create security policies that cannot be enforced, for example. It also allows for traceability of the implementation when the requirements of one layer flow directly into the next.
The Business View
At the top most level is the business view, also called the contextual security architecture, which sets the requirements that the architecture must support. It is imperative to have a clear understanding of those requirements as each supporting levels uses them to create the architecture. One must also avoid the inclination to start with the technical solutions as doing so may result in an architecture with many complicated, expensive, and disjointed systems that are unable to deliver the business’ needs. |
The Architect's View
The business view feeds into the architect’s view, or conceptual security architecture, which is the overall concept by which the business needs will be met. The architect defines the principles and strategies that guide how the design will be organized and implemented in the layers beneath. Some examples include network security, cryptographic infrastructure, and role-based access control strategies that will eventually be implemented. |
The Designer's View
The designer takes the architect’s view and interprets it into the logical structure that will form the actual architecture. This design process is often referred to as systems engineering and involves identification and specification of the overall system, thus creating a logical security architecture. This logical architecture represents all the major security strategies identified in the previous layer transformed into a series of logical abstractions. |
The Builder's View
The logical security architecture is then transformed into a physical one by the builder, who takes the logical components identified by the designer and creates the actual technology model and functional requirements for the architecture. The architecture is now expressed in terms of the security mechanisms that will support and enforce the policies previously defined. |
The Tradesman's View
With the architecture defined a team of tradesman must now set about actually building it as part of the component security architecture. Each tradesman brings a specific skill that is needed in the construction of the component pieces that make up the architecture. Each hardware, software, or service oriented component must be integrated into the system to form a cohesive architecture. |
The Facility Manager's View
The architecture is complete and the task turns to those charged with operating and maintaining it. The facilities manager’s view, or operational security architecture, is responsible for ensuring the continuity of business systems and information processing throughout the architecture’s lifecycle. The operational security architecture cuts across all of the preceding layers as there are elements of it that must be considered in the planning cycles for each. The business view must account for the people that will maintain the system when setting policies while the architect must plan for business continuity and the architecture’s administration. The designers and builders must account for how the system will be managed, monitored, and executed on a day-to-day basis. And the tradesman must consider how the tools they select will be administered. |