
mwrinfosecurity.com | MWR InfoSecurity

Enterprise Architectures (EA) & Security

Marcel Schlebusch, 2013-07-18

A synopsis of current-state EAs and enterprise security as an add-on


Something to ponder


Overview

Introduction: Brief history and overview of EA

Common problems faced by EA programmes

Security as part of EA

A comparison of 4 EA frameworks

EA trends – Literature study

An optimist’s vision for EA and ESA


Introduction: Brief history and overview of EA

26 Years of EA

• 1960s and 1970s (Information Architectures)

• 1987 (John Zachman)

• 1990s (Term EA, different views start to form)


Introduction: Brief history and overview of EA . . .

What is Enterprise Architecture?

• Enables translating business vision into enterprise change

• Enables management of complexity

• Purpose/Goals: Effectiveness, Efficiency, Agility, and Durability

What is an EA framework?

• A reference structure that provides the models, tools and processes to plan, produce and operate an EA programme


Common problems faced by EA programmes

At the very least, these questions will be addressed:

• Should my organisation implement an Enterprise Architecture?

• Which EA framework is the best?

• We’ve spent a fortune on EA, why are we not getting ROI?

• Why do EA programmes commonly fail?

• What are the current business trends in EA?


Security as part of EA

There are many security standards:

• ISO 27001 (formerly BS 7799)

• NIST SP 800-12, 800-14, 800-26, 800-37, 800-53 rev3

• PCI DSS

• Etc.

There are risk frameworks:

• Risk IT (ISACA)

• ISO 27005

• Etc.

There are Enterprise Security Architecture (ESA) frameworks:

• SABSA (Sherwood Applied Business Security Architecture)

• IAEAF (Information Assurance Enterprise Architectural Framework)


Security as part of EA . . .

Goals of ESA:

• Establish common “language”

• Structured management of security complexity

• Enable business-to-security alignment

• Traceability to business reqs.

[Figure: Positioning Enterprise Security Architecture. Security is shown as a layer spanning the Business architecture, Information architecture and Technology architecture.]


Security as part of EA . . .

Positioning Enterprise Security Architecture

• ESA is a subset of EA

• Stretches across all other Architectures


Security as part of EA . . .

[Figure: Business assets and Information assets]


Security as part of EA . . .

SABSA as an example

• Risk-driven methodology

• Consists of frameworks, models, methods and processes

• Free for use by all

• Overarches all other security standards

• Everything is driven from an analysis of the business requirements for security

[Figure: The SABSA layered model]

[Figure: The SABSA lifecycle]


Security as part of EA . . .

SABSA as an example

The SABSA matrix (source: SABSA whitepaper, www.sabsa.org)

Rows (views, top to bottom): Business View, Architect’s View, Designer’s View, Builder’s View, Tradesman’s View, Service Manager’s View

Columns (questions): What, Why, How, Who, Where, When

The Business View row reads: Business view of What, Business view of Why, Business view of How, Business view of Who, Business view of Where, Business view of When



Security as part of EA . . .

SABSA as an example

[Figure: The SABSA Business Attributes]


A comparison of 4 EA frameworks

Zoom out, back to the enterprise


A comparison of 4 EA frameworks

Over the past decade many EA approaches have emerged; four are leading the pack:

1. Zachman Framework for EA

2. The Open Group Architecture Framework (TOGAF)

3. Federal Enterprise Architecture (FEA)

4. Gartner


A comparison of 4 EA frameworks . . .

In comparing these frameworks, the following will be shown:

1. A summary/overview of each framework

2. A score-sheet, directly comparing the frameworks

3. Some usage statistics (mostly from the USA and Europe)


A comparison of 4 EA frameworks . . .

Zachman Framework for EA

• Taxonomy

• Categorising deliverables

• Planning tool

• Views & view-points

Also:

• Limited usefulness as an EA on its own

• History in manufacturing


A comparison of 4 EA frameworks . . .

[Figure: "The ARCHITECT vs." John Zachman (Zachman Framework, an enterprise framework) beside John Sherwood (SABSA, an enterprise security framework). Both frameworks are built on a 6 x 6 matrix of views and view-points.]


A comparison of 4 EA frameworks . . .

TOGAF

• Process driven (via the ADM)

• Enterprise Continuum (general -> specific)

• Technical Reference Model (TRM)

• Standards Information Base (SIB)

Also:

• Holistic perspective

• History in defence


A comparison of 4 EA frameworks . . .

FEA

• Segmented enterprise

• 5 reference models

• Development process

• Planning and communication tool

Also:

• Holistic perspective

• US Government standard


A comparison of 4 EA frameworks. . .

Gartner

• Better described as a practice


A comparison of 4 EA frameworks . . .

Score-sheet (2007)

Criteria                    Zachman  TOGAF  FEA  Gartner
Taxonomy Completeness          4       2     2      1
Process Completeness           1       4     2      3
Reference Model Guidance       1       3     4      1
Practice Guidance              1       2     2      4
Maturity Model                 1       1     3      2
Business Focus                 1       2     1      4
Governance Guidance            1       2     3      3
Partitioning Guidance          1       2     4      3
Prescriptive Catalogue         1       2     4      2
Vendor Neutrality              2       4     3      1
Information Availability       2       4     2      1
Time to Value                  1       3     1      4

Scale: 1 (lowest) to 4 (Very Good)


A comparison of 4 EA frameworks . . .

Score-sheet (2012)

Criteria                    Zachman  TOGAF  FEA  Gartner
Taxonomy Completeness          4       3     2      1
Process Completeness           1       4     3      3
Reference Model Guidance       1       3     4      1
Practice Guidance              1       2     2      4
Maturity Model                 1       2     4      2
Business Focus                 1       2     3      4
Governance Guidance            1       2     3      3
Partitioning Guidance          1       3     4      3
Prescriptive Catalogue         1       3     4      2
Vendor Neutrality              2       4     3      1
Information Availability       2       4     3      1
Time to Value                  2       4     2      4

Scale: 1 (lowest) to 4 (Very Good)

A comparison of EA frameworks: usage survey 2003

[Figure: bar chart of EA framework usage in 2003, share of respondents on a 0-40% axis, for the categories TOGAF, Other, Zachman, None and Organisation's Own]


A comparison of EA frameworks: usage survey 2012

[Figure: bar chart of EA framework usage in 2012, share of respondents on a 0-25% axis, for the categories FEA, None, Zachman, MoDAF, Other, Pragmatic EA, TOGAF and Organisation's Own]


EA trends: Literature study

Gartner:

• Analysts predict that 95% of organisations will support multiple approaches to EA by 2015

• By 2020 the majority of Global 1000 organisations will support EA as a distinct discipline

To prepare for 2020, Gartner advises organisations to:

• Ensure that EA practices are driven by the business direction

• Lead EA from the top, and drive it from the top

• Use EA to predict the impact of investment decisions


EA trends: Literature study

The blended approach to EA

Gartner identifies different approaches to EA

• Traditional – Top down approach

• Federated – Useful for larger organisations

• Middle-Out – Most dynamic approach

• Managed Diversity – Option based approach

A true "blended" approach is one whereby the enterprise architecture (EA) team determines the appropriate mix of above EA approaches based on business-outcome-driven decision criteria.


EA trends: Literature study

Oracle survey: an EA maturity representation

What does a partially successful or unsuccessful implementation look like?

[Figure: EA maturity map plotting Enterprise Architecture against Solution Architecture, with regions labelled Isolation, Trap, Losing, Optimised and Fragmented. Source: Oracle EA survey]


An optimist’s view of EA and ESA . . .

The blended approach

(The 2012 score-sheet above is shown again on this slide.)

[Figure: blending matrix. Rows: Requirements Definition, Process, Goals and Artefacts. Columns: SABSA, TOGAF, Zachman, Gartner. Ticks mark which framework contributes to each row.]

[Figure: SABSA and TOGAF integration]


An optimist’s view of EA and ESA . . .

The blended approach

Are we not increasing the complexity?


An optimist’s view of EA and ESA . . .

The ideal state

Market leading, Strategic, SECURE, Compliant, Competitive, Cost effective, Dynamic, Efficient, Documented, Intelligent


Conclusion

For organisations practising EA and ESA:

• EA and ESA are tools for change

• It takes time (track maturity)

• EA is not an IT function – drive it from the top!

• Be open to a blended approach, and include security in it

For EA and ESA professionals:

• Understand that ESA delivers into EA

• Manage expectations (long-term value)

• The value of EA careers is increasing


The questions posed at the start, answered:

• Should my organisation implement an Enterprise Architecture? – Yes

• Which EA framework is the best? – Blend

• We’ve spent a fortune on EA, why are we not getting ROI? – It takes time, but measure the maturity of your programme, and re-focus efforts on delivering business value

• Why do EA programmes commonly fail? – Not driven from the top, or focus shifts to shorter-term solution architecture

• What are the current business trends in EA? – Blended EA approaches and EA tools

• How do we get started with EA? – Combine Zachman, TOGAF and SABSA, and let the TOGAF ADM guide your process


References:

[1] Roger Sessions, “A Comparison of the Top Four Enterprise-Architecture Methodologies” (article)

[2] “A Comparison of the Five Major Enterprise Architecture Methodologies” (white-paper), https://online.ist.psu.edu/sites/ist871/files/t10_comparisonof5.pdf

[3] Ovum Research, amongst others: http://ovum.com/2012/03/22/hybrid-enterprise-architecture-frameworks-are-in-the-majority/

[4] Gartner, “Hype Cycle for Enterprise Architecture, 2012”

[5] TOGAF: http://www.opengroup.org/togaf/

[6] Oracle, “The Oracle Enterprise Architecture Framework” (white-paper, October 2009)

[7] SABSA, “Enterprise Security Architecture” (white-paper), www.sabsa.org
