Enterprise Information Security Architecture

I have always been interested in Enterprise Architecture. Enterprise Architecture is one of those terms that security professionals hear about but do not always know how it can benefit what they do. Recently a client asked Forrester to review their information security enterprise architecture. I was both excited and pleased to do so. One of my accomplishments is that I hold a patent in software engineering for traceability in software systems, supporting business and IT alignment. Several colleagues and I developed an approach that uses different types of models, both business and technical, to model the enterprise. The Object Management Group at about the same time championed the notion of "Model Driven Architecture." The premise of these ideas is that the enterprise can be modeled and the relationships between business processes and underlying systems identified.

Information security, focused on people, process and technology, can leverage many of the techniques of the enterprise architect to evolve the security posture of the organization from its current state to a more optimized state over time. This presents interesting opportunities for security professionals to look at their security processes and tools and determine whether they are really meeting the needs of their organization.

Add to the discussion. I would like to know your thoughts on this topic. I will be posting more over the next several weeks.

Join me at: Forrester's IT Forum 2011

Accelerate At The Intersection Of Business And Technology
North America: May 25-27, Las Vegas
EMEA: June 8-10, Barcelona 


Good to see someone else that

Good to see someone else that shares my passion for enterprise security architecture and modelling. After building several models for consulting engagements we (some esteemed colleagues and myself) developed a generalized modelling approach. Using risk as the 'rosetta stone' between the business domain and the information security responses (technical, operational, procedural, governance and assurance domains) we generated a reproducible and holistic model that was applicable to government and commercial enterprises alike.

Unfortunately, convincing enterprises of the benefits of a truly architectural approach requires a coincidence of sales ability and maturity of vision not frequently observed. One hopes that sufficient diligence when considering 'clouds', 'silver bullets', 'advanced persistent sales threats', etc. might lead some enterprises to consider architectural approaches if enough of us keep talking about it.

enterprise security architecture


Thank you for your comment. I agree there needs to be a confluence of factors for organizations to embrace architecture and modeling; however, with the rise of BPM and SOA more organizations are embracing the notion of models. I also agree that risk is an excellent intersection point between the business and security domains. I think that the way in which risk is characterized to the business is important. Some of my earlier research was in the area of a "lingua franca" between business and IT. I still remember my first job out of graduate school: I worked as the MIS director for a small community college here in the US, reporting to the president. In our one-on-ones he would frequently say to me: "You know, you computer guys really speak a different language. Can you please use a few less acronyms and speak some plain English!" It became a running joke between us, but it is a lesson that stayed with me.

Pictures speak much louder than words. As security professionals we often look at business processes as provisioning identities or emergency response, yet we know that many of the security breaches we experience are due to inherent flaws in core business processes. Barings Bank trading practices violated "simple rules" of separation of duties, and it allowed Nick Leeson to bring about the destruction of the bank.

As security professionals we need to look up the stack as well as down the stack to really understand how secure we are as an organization. Technology can certainly help here, but we need to introduce technology in a consistent and systematic way, and that requires an architecture.

I would be very interested in seeing some of the work you have done on your generalized modeling approach. The OMG is developing such a model for security, and you may be interested in some of the work going on there.