mwrinfosecurity.com | MWR InfoSecurity 1
Enterprise Architectures (EA) & Security
Marcel Schlebusch 2013-07-18
A synopsis of current-state EAs, and of enterprise security as an add-on
Something to ponder
Overview
• Introduction: Brief history and overview of EA
• Common problems faced by EA programmes
• Security as part of EA
• A comparison of 4 EA frameworks
• EA trends – Literature study
• An optimist’s vision for EA and ESA
Introduction: Brief history and overview of EA
26 Years of EA
• 1960s and 1970s (Information Architectures)
• 1987 (John Zachman)
• 1990s (Term EA, different views start to form)
Introduction: Brief history and overview of EA . . .
What is Enterprise Architecture?
• Enables translating business vision into enterprise change
• Enables management of complexity
• Purpose/Goals: Effectiveness, Efficiency, Agility, and Durability
What is an EA framework?
• Reference structure that provides models, tools and processes to plan, produce and operate an EA programme
Common problems faced by EA programmes
At the very least, these questions will be addressed:
• Should my organisation implement an Enterprise Architecture?
• Which EA framework is the best?
• We’ve spent a fortune on EA, why are we not getting ROI?
• Why do EA programmes commonly fail?
• What are the current business trends in EA?
Security as part of EA
Security as part of EA
There are many security standards
• ISO 27001 (BS 7799)
• NIST SP 800-12, 800-14, 800-26, 800-37, 800-53 rev3
• PCI-DSS
• Etc…
There are Risk Frameworks
• RiskIT (Risk framework by ISACA)
• ISO 27005
• Etc…
There are Enterprise Security Architecture (ESA) Frameworks
• SABSA (Sherwood Applied Business Security Architecture)
• IAEAF (Information Assurance Enterprise Architectural Framework)
Security as part of EA . . .
Goals of ESA:
• Establish common “language”
• Structured management of security complexity
• Enable business-to-security alignment
• Traceability to business requirements
[Figure: Positioning Enterprise Security Architecture. Security is shown as a layer that cuts across the Business architecture, the Information architecture and the Technology architecture.]
Security as part of EA . . .
Positioning Enterprise Security Architecture
• ESA is a subset of EA
• Stretches across all other Architectures
Security as part of EA . . .
• Business assets
• Information assets
Security as part of EA. . .
SABSA as an example
• Risk driven methodology
• Consists of frameworks, models, methods and processes
• Free for use by all
• Overarches all other security standards
• Everything is driven from an analysis of the business requirements for security
[Figure: The SABSA layered model]
[Figure: The SABSA lifecycle]
Security as part of EA. . .
SABSA as an example
Source: SABSA whitepaper – www.sabsa.org
[Figure: The SABSA matrix. Rows are the six views: Business View, Architect’s View, Designer’s View, Builder’s View, Tradesman’s View and Service Manager’s View. Columns are the six questions: Who, Why, How, What, Where and When. Each cell is that view’s answer to that question, e.g. the Business View row holds the business view of Who, Why, How, What, Where and When.]
Security as part of EA. . .
The SABSA Matrix (continued)
Source: SABSA whitepaper – www.sabsa.org
[Figure: The SABSA matrix, rows Business View, Architect’s View, Designer’s View, Builder’s View, Tradesman’s View and Service Manager’s View]
Security as part of EA. . .
SABSA as an example
[Figure: The SABSA Business Attributes]
A comparison of 4 EA frameworks
Zoom out back to the Enterprise
A comparison of 4 EA frameworks
Over the past decade many EA approaches have emerged; four are leading the pack:
1. Zachman framework for EA
2. The Open Group Architecture Framework (TOGAF)
3. Federal Enterprise Architecture (FEA)
4. Gartner
A comparison of 4 EA frameworks . . .
In comparing these frameworks, the following will be shown:
1. A summary/overview of each framework
2. A score-sheet, directly comparing the frameworks
3. Some usage statistics (mostly from the USA and Europe)
A comparison of 4 EA frameworks. . .
Zachman framework for EA
• Taxonomy
• Categorising deliverables
• Planning tool
• Views & view-points
Also:
• Limited usefulness as EA
• History in manufacturing
A comparison of 4 EA frameworks. . .
The architect: John Zachman (Enterprise Framework) vs. John Sherwood (SABSA, Enterprise Security Framework)
Both frameworks are built on a 6 x 6 matrix of:
• Views
• View-points
A comparison of 4 EA frameworks. . .
TOGAF
• Process driven (via the ADM)
• Enterprise Continuum (general -> specific)
• Technical Reference Model (TRM)
• Standards Information Base (SIB)
Also:
• Holistic perspective
• History in defence
A comparison of 4 EA frameworks. . .
FEA
• Segmented enterprise
• 5 reference models
• Development process
• Planning and communication tool
Also:
• Holistic perspective
• US Government standard
A comparison of 4 EA frameworks. . .
Gartner
• Better described as a practice
A comparison of 4 EA frameworks. . .
Score-sheet (2007)
Criteria                   Zachman   TOGAF   FEA   Gartner
Taxonomy Completeness         4         2      2      1
Process Completeness          1         4      2      3
Reference Model Guidance      1         3      4      1
Practice Guidance             1         2      2      4
Maturity Model                1         1      3      2
Business Focus                1         2      1      4
Governance Guidance           1         2      3      3
Partitioning Guidance         1         2      4      3
Prescriptive Catalogue        1         2      4      2
Vendor Neutrality             2         4      3      1
Information Availability      2         4      2      1
Time to Value                 1         3      1      4
Scale: 1 to 4, where 4 = Very Good
A comparison of 4 EA frameworks. . .
Score-sheet (2012)
Criteria                   Zachman   TOGAF   FEA   Gartner
Taxonomy Completeness         4         3      2      1
Process Completeness          1         4      3      3
Reference Model Guidance      1         3      4      1
Practice Guidance             1         2      2      4
Maturity Model                1         2      4      2
Business Focus                1         2      3      4
Governance Guidance           1         2      3      3
Partitioning Guidance         1         3      4      3
Prescriptive Catalogue        1         3      4      2
Vendor Neutrality             2         4      3      1
Information Availability      2         4      3      1
Time to Value                 2         4      2      4
Scale: 1 to 4, where 4 = Very Good
A comparison of EA frameworks:
Usage survey 2003
[Chart: share of respondents per EA framework, 0% to 40%. Categories: TOGAF, Other, Zachman, None, Organisation's Own]
A comparison of EA frameworks:
Usage survey 2012
[Chart: share of respondents per EA framework, 0% to 25%. Categories: FEA, None, Zachman, MoDAF, Other, Pragmatic EA, TOGAF, Organisation's Own]
EA trends: Literature study
Gartner:
• Analysts predict that 95% of organisations will support multiple approaches to EA by 2015
• By 2020 the majority of Global 1000 organisations will support EA as a distinct discipline
To prepare for 2020, Gartner advises to:
• Ensure that EA practices are driven by the business direction
• EA should lead from the top, and be driven from the top
• Use EA to predict the impact of investment decisions
EA trends: Literature study
The blended approach to EA
Gartner identifies different approaches to EA
• Traditional – Top down approach
• Federated – Useful for larger organisations
• Middle-Out – Most dynamic approach
• Managed Diversity – Option based approach
A true "blended" approach is one whereby the enterprise architecture (EA) team determines the appropriate mix of above EA approaches based on business-outcome-driven decision criteria.
EA trends: Literature study
Oracle Survey: an EA maturity representation
What does a partially successful or unsuccessful implementation look like?
[Figure: EA maturity quadrants plotted on two axes, Enterprise Architecture and Solution Architecture: Isolation Trap, Losing, Fragmented, Optimised. Source: Oracle EA survey]
An optimist’s view of EA and ESA. . .
The blended approach
Score-sheet (2012), recap:
Criteria                   Zachman   TOGAF   FEA   Gartner
Taxonomy Completeness         4         3      2      1
Process Completeness          1         4      3      3
Reference Model Guidance      1         3      4      1
Practice Guidance             1         2      2      4
Maturity Model                1         2      4      2
Business Focus                1         2      3      4
Governance Guidance           1         2      3      3
Partitioning Guidance         1         3      4      3
Prescriptive Catalogue        1         3      4      2
Vendor Neutrality             2         4      3      1
Information Availability      2         4      3      1
Time to Value                 2         4      2      4
Scale: 1 to 4, where 4 = Very Good
[Figure: The blended approach. Matrix mapping SABSA, TOGAF, Zachman and Gartner against the contribution each makes: Requirements Definition, Process, and Goals and Artefacts]
[Figure: SABSA and TOGAF integration]
An optimist’s view of EA and ESA. . .
The blended approach
Are we not increasing the complexity?
An optimist’s view of EA and ESA. . .
The ideal state
• Market leading
• Strategic
• SECURE
• Compliant
• Competitive
• Cost effective
• Dynamic
• Efficient
• Documented
• Intelligent
Conclusion
For organisations practicing EA and ESA:
• EA and ESA are tools for change
• It takes time (track maturity)
• EA is not an IT function – Drive from the top!
• Be open to a blended approach, and include security in that blend
For EA and ESA professionals:
• Understand that ESA delivers into EA
• Manage expectations (long term value)
• The value of EA careers is increasing
At the very least, these questions will be addressed:
• Should my organisation implement an Enterprise Architecture? – YES
• Which EA framework is the best? – BLEND
• We’ve spent a fortune on EA, why are we not getting ROI? – It takes time, but measure the maturity of your programme, and re-focus efforts on delivering business value
• Why do EA programmes commonly fail? – Not driven from the top, or focus shifts to shorter-term solution architecture
• What are the current business trends in EA? – Blended EA approaches and EA tools
• How do we get started with EA? – Combine Zachman, TOGAF and SABSA and let the TOGAF ADM guide your process
References:
[1] Article: “A Comparison of the Top Four Enterprise-Architecture Methodologies” by Roger Sessions
[2] White-paper: “A Comparison of the Five Major Enterprise Architecture Methodologies”, https://online.ist.psu.edu/sites/ist871/files/t10_comparisonof5.pdf
[3] Ovum Research, amongst others: http://ovum.com/2012/03/22/hybrid-enterprise-architecture-frameworks-are-in-the-majority/
[4] Gartner: Hype Cycle for Enterprise Architecture, 2012
[5] TOGAF: http://www.opengroup.org/togaf/
[6] White-paper: “The Oracle Enterprise Architecture Framework” (Oracle, October 2009)
[7] White-paper: “Enterprise Security Architecture”, www.sabsa.org