“Security architecture is a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls” – Techopedia
Applying the right security controls (mitigations against potential risks), at the right time in the right place (whilst providing business value) is the ask. Some would say its an art, others would say it’s a science, either way it’s a skill, that requires an eye for detail.
A good security architecture not only addresses the potential risk, but also helps to meet the security goals of the organisation, which are ultimately connected to the security strategy.
The NCSC have a good article on the above, and also explain what the role of a security architect is
To implement a fit for purpose, business enabling security, using an architecture methodology is highly recommended. Mature methodologies like TOGAF and Zachman are based on good architecture practice, and are regularly updated. These can be adapted to suit the business culture and context, which includes blending the best of the two.
Security cuts across the architecture, it impacts most aspects of it, from the way the data is stored, to the way it is processed and eventually accessed. There are also business touchpoints , this is where it aligns to the overall business goals/strategy. TOGAF (The Open Group) describe this
To support the model for security architecture it is imperative that
- Security objectives are aligned to the business objectives
- Security principles are aligned to the business requirements
- The business risk appetite is understood
- Key risk areas are identified
- A security resource plan is in place
Further information on how to integrate security into the TOGAF Architecture methodology can be found in the “Integrating Risk and Security within a TOGAF® Enterprise Architecture “guide, which is available here
There are other architecture methodologies that can be used e.g. Zachman, SANS have a whitepaper on this, which can be found here
Given that the security layer in the architecture is designed to mitigate potential security risks, a clear and comprehensive way to articulate this is important. It should include a view of what the business impact could be. The NIST Risk Assessment whitepaper which describes how Security controls mitigate threats provides a view on how to represent this
Understanding the business risk becomes important in control selection and decision making. The cost of the security mitigation shouldn’t be inhibitive (i.e. the security control costs more than then the asset value). ISACA have a good article on this
In summary, good security architecture should be able to protect business assets and reduce security risk by
- Using the most appropriate security controls
- Integrating the security architecture across all domains
- Aligning to business objectives and principles
- Aligning to business products, services and processes
Using an architecture and risk methodology is both repeatable and scalable across the organisation, demonstrating business value and providing a true risk lens and method to effectively reduce/mitigate against those risks.