3.4 Security Architecture

An organization's security architecture determines how the organization responds to security issues and gives its administrators and staff a common foundation for protecting organizational assets. Mark Bouchard of the Meta Group recommends that information technology organizations adopt an information security architecture [3] built from the following main components:

  • Statement of high-level objectives. This serves as the linkage between business goals and information security goals.

  • Process-centric organizational model. The goal is to clearly delineate roles and responsibilities pertaining to information security. The head of information security within the enterprise owns the architecture defined by this model.

  • Hierarchically structured policy framework. This links business requirements to domain-specific technology and configuration details in a highly flexible manner.

  • Catalog of security processes. The catalog should include both strategic and operational security processes.

  • Security services framework. This is a reference model, taxonomy, or linked list that bounds the scope of the security services to be provided, indicates their interrelationships, and provides a common language for both IT and business to use when discussing security controls.

  • Domain structure. This is the decomposition of the enterprise into manageable portions, with groupings ideally based on sets of resources that have similar security requirements.

  • Trust-level definitions. These typically take the form of a matrix that correlates relative degrees of trust with the corresponding security controls (i.e., technologies and processes) required to achieve and support each trust level.

  • Tools and templates. These are needed to support development of the security program and execution of the security processes (e.g., a trust modeling tool to establish the required trust level of a new application or project, or a trust measurement tool to assess the "as is" trust level of a given domain).

  • Technology option matrices. These map generic security services to corporate-approved mechanisms and products for delivering those services.

Bouchard also points out that an information security architecture is analogous to the architecture of a building. It starts as a concept, progresses to a model, and ends in detailed blueprints, or tools, that are used to turn the model into a finished product. Bouchard notes two important points about this comparison: (1) The architecture is more than a blueprint, because it includes both the concept and everything derived from it. He cautions that detailed information (such as corporate standards) should be kept separate from the blueprint so that the high-level architecture remains visible and manageable. (2) The high-level architecture should not be treated as static and immutable; it should be revisited periodically to ensure continued alignment with changing corporate objectives.

The security architecture should be evaluated together with the interdependencies of the organization as a whole. New business activities may require changes to the security architecture; a decision to offer a customer portal over the Internet, for example, would require such a change. When implementing a security architecture, its impact on the business must also be understood. It is quite possible to lock down a site so tightly that virtually no one can use it, but if that hinders business objectives, the result is of little value to the organization. The task is to find the proper balance between meeting the business objectives and achieving a level of security that satisfies the intent of the security architecture plan.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153
