TOGAF and SABSA guidance for integrating security and risk management into enterprise architecture

The Open Group has paired with the SABSA Institute to create a new business view on security for enterprise architects.

The twin worlds of enterprise architecture and software security architecture are usually siloed. That shortcoming is addressed in recent guidance from The Open Group. The organization has paired with the SABSA Institute (home of the Sherwood Applied Business Security Architecture) to connect the security architects' and the enterprise architects' approaches.

The guidance is intended to enable enterprise and security architects to integrate security and risk management approaches into enterprise architectures. The integration comes just as security-conscious IT shops discover they need to open up their APIs a bit more to support increasingly popular open Web application integrations.

SABSA and TOGAF (The Open Group Application Framework) make a good mix, according to John Sherwood, head of the SABSA Academy division of the SABSA Institute.

"TOGAF is very strong in its business requirements but a little light on how to do [security]. Integration of SABSA brings a tool useful not just in the security space but also as a generic requirements method," he said.

"SABSA supports a business attributes profiling method," he said.

Sherwood said the business attribute-based approach acknowledges that businesses and business decisions are not wholly about security. "Doing business is about taking risk. No risk - no business," he said.

That notion is increasingly borne out as steady-as-you-go enterprises embrace Web-based interfaces for mobile computing.

"From a security and trust perspective the mobile worker and others present problems for architects," said Sherwood. "They are going to have to be agile and creative in their thinking to solve these problems. Some of the old ways are not going to hit the spot."

Sherwood said we are seeing useful new security methods emerging. For example, he expects to see authorization profiles that are more dynamic. Specific data needs to be tagged with specific assurance policies. Are people in a train station, an office or an airport? These are important questions in the new version of the connected enterprise.

A person-centric approach to security architecture is coming into play, agreed Dave Hornford, senior partner, Enterprise Architecture, Conexiam, a consulting firm.

"There is a change in the generic risk appetite in the community," said Hornford. Imperatives have changed, with 'need to know' being replaced with 'need to share,' he continued.

TOGAF expert Hornford said working with SABSA brings to TOGAF "the core thinking that security isn't an island."

"Using the Business Attributes Profile, we can make sure all elements of the architecture address security," he said.

Related security architecture information
TOGAF and SABSA Integration Whitepaper [registration required]