According to Dr. Davis (2013), an average person has between 35 and 48 thoughts per minute. That adds up to more than 50,000 thoughts a day, so there is a fair chance that at least one of them is a viable business-destroying idea. According to a 2015 NetIQ article (Shephard, 2015), the average cost of a corporate data breach had risen 15% to $3.5 million. The Sherwood Applied Business Security Architecture, better known as SABSA, provides a framework for getting a secure business architecture off the ground. By walking through the seven stakeholder views and their six attributes (assets, motivation, process, people, location and time), this post explains what SABSA is.
The first and foremost stakeholder view in the enterprise security architecture framework is the Business View. Also known as the Contextual layer, it gives the business context and is where the business requirements are set. Topics such as the business motivation, the users involved and the affected processes are all explored here. Figure 1 shows some of the common questions asked and answered at this stage. In short, the Business View answers the question of the context in which security is required.
Once the context is decided, the Conceptual layer, also known as the Architect's View, comes next. As the name suggests, this layer deals with choosing the appropriate components that will be used to build the solution. Topics such as IT architecture strategies and the business risk strategy are explored. Figure 2 shows some of the common questions asked and answered at this stage. In short, the Architect's View identifies the security concepts that are appropriate to the solution.
After both the context and the concepts are decided, the next layer, the Designer's View, builds a bridge between the conceptual layers (Business/Architect) and the physical ones (Builder's/Tradesman's/Facility Manager's). Also known as the Logical layer, it plays an important role in the success of the framework: it works out the logical steps required to bring the idea into reality, using building blocks such as entity authentication, system assurance and so on. The risk management policies, the entities and trust models, and the interaction flows between locations are all determined in this layer in order to secure business information.

After crossing the bridge of logic, the Physical layer comes next. Also known as the Builder's View, this is where physical security mechanisms and machinery such as user interfaces, business data objects and access control mechanisms are explored. Figure 3 shows some of the common questions asked and answered at this stage. In short, the Designer's View is the logical bridge, while the Builder's View forms the basis of the physical security.
The physical design leads on to the implementation of security in the Component Security layer. This is also known as the Tradesman's View, as it deals with the technical nitty-gritty of installing, configuring and operating the system(s). Topics such as IT products, risk analysis and protocols are all explored in this layer. Typical questions at this stage are which IT applications are needed, how they will be used and who will use them. This is the last stage before the solution is released. After it comes the Facility Manager's View, which is analogous to the periodic oil changes and smog checks a car requires. Also known as the Operational Security layer, it plays a role in each of the other five layers; in the Contextual layer, for example, it covers business policy-making, cultural development and so on. Figure 5 gives more detail on how the Operational Security layer contributes to each of the other layers. Although SABSA does not recognise the Inspector's View as an official layer, it is the view that confirms and approves that the solution as described and implemented is accurate and meaningful.
In conclusion, the seven views, namely Business, Architect, Designer, Builder, Tradesman, Facility Manager and Inspector, together with their six attributes of assets, motivation, process, people, location and time, make up the SABSA framework. Figures 1 to 3 highlight some of the questions asked at each stage, while Figure 4 gives an overview of the matrix.
Figure 1. Common questions answered in the Contextual layer [2]
Figure 2. Common questions answered in the Conceptual layer [2]
Figure 3. Common questions answered in the Physical layer [2]
Figure 4. Overview of the layers and the 6 W's [3]
Figure 5. Description of the Operational Security layer in each of the other layers [5]
1) Davis, B. (2013, July 23). There Are 50,000 Thoughts Standing Between You and Your Partner Every Day! Huffington Post. Retrieved May 22, 2016, from http://www.huffingtonpost.com/bruce-davis-phd/healthy-relationships_b_3307916.html
2) Korban, S. (2012, April 24). Addressing Information Security In Business Analysis With SABSA. BA Times. Retrieved May 19, 2016, from http://www.batimes.com/articles/addressing-information-security-in-business-analysis-with-sabsa.html
3) SABSA – in 3 minutes [Web log post]. (2013, August 22). Retrieved May 21, 2016, from http://www.vanharen.net/blog/enterprise-architecture/sabsa-in-3-minutes/
4) Shephard, D. (2015, March 16). 84 Fascinating & Scary IT Security Statistics [Web log post]. Retrieved May 20, 2016, from https://www.netiq.com/communities/cool-solutions/netiq-views/84-fascinating-it-security-statistics/