InfoSec: Enterprise Architecture Building Codes

There are many types of criminals. These include thrill-seeking hackers, politically motivated hackers, organized criminals after financial gain, and state-sponsored groups after financial gain, intellectual property, or both. Any of these have the potential to break business capabilities through information loss or denial of service. Business processes and their associated transactions need to treat information security as a key component of any architectural design we might create as Enterprise Architects.

Security architecture is dependent on the idea of “security.” Security, by some definitions, is the trade-off of convenience for protection. When I am unloading the car and have an armful of groceries, it's challenging to unlock the front door at the same time. Alternatively, I could just leave the front door unlocked, but that might invite guests I had not planned for. So I trade convenience for protection.

  • Security is often seen as in conflict with business users; however, security is a process that protects the business and allows it to effectively operate.
  • Security is in response to perceived business risks.
  • Security can be seen as a benefit and a business enabler and can help organizations achieve their business objectives.

Forrester Vice President, Principal Analyst Randy Heffner wrote in his article of May 2011, “The Future Of Solution Architecture, Part 1: Business Processes Within A Capability,” on a set of architectural views to describe the enterprise and the processes and systems that make up the enterprise. Randy defines six design focal points for successful business technology implementation. As I read this article I thought it important to provide the information security perspective on Randy’s approach.

My father was a general contractor, so I really like the use of construction metaphors when I discuss systems development. (We in the technology business could learn a lot from the building trades.) All construction is done to a set of “building codes.” These codes are there to make sure the building is built in a safe and secure way and to ensure the building is “fit for purpose.” There are codes for structure, electrical, and plumbing, to name a few. These codes represent best practices and academic and empirical research on building safety.

Information security policies, procedures, standards and guidelines are some of the building codes we need to adhere to when we build IT systems:

  1. Business processes, inasmuch as they define the “who,” “what,” “when,” and “where” for the organization, are also the foundation for any business system. Like the frame of a house, key business processes are the foundation for value creation. Information security represents the building codes to which we build this infrastructure.
  2. Customers and employees all interact with this business process foundation to create or benefit from this value. Customers represent the “why” dimension of our architecture. They are the reason we do anything in any business endeavor. Value creation for the customer should be at the core of decisions and actions in a well-defined business process. Information security is a fundamental component in value creation. When we design a process, we need to consider the safety of this process and its ability to conduct business in a way that protects the interests of the customer and the organization.
  3. Once we understand the process, we have transactions and queries (applications) modeled as services to provide a flexible toolset for processing digital and non-digital business. Building these components to the specific standards, including information security, is critical to these services performing as planned.
  4. These applications use and create information (data) to create value, but also to create insights into the future wants and needs of potential customers, as well as to provide opportunities for employees to become more efficient.
  5. The business processes that provide the requirements for applications require controls and optimization points to ensure the business conducts its business with integrity (some might say security) and efficiency.
  6. As businesses grow and use outside parties to provide more to their customers and increase employee efficiency, the ability to work with third parties and make sure they build and operate to “code” becomes paramount.

Security is based on five design principles. Please note, for all you purists out there: yes, I have extended the original CAI security model.

  • Confidentiality – the design consideration that information should be seen only by users authorized to see it, and by no others.
  • Availability – the design consideration that systems, and the use of information by authorized users, should not be arbitrarily restricted or denied by unauthorized persons or parties.
  • Integrity – the design consideration that information is accurate and consistent, and that no user, authorized or unauthorized, has tampered with it.
  • Privacy – the design consideration that extends confidentiality and ensures that lawful user activities and information determined to be private to an individual or group remain private, and that information that may identify a person – personally identifiable information (name, address, Social Security Number (US), taxpayer identification number, medical records, etc.) – remains private as well.
  • Compliance – the design consideration that extends all of the other design considerations to ensure that the organization’s policies, procedures, and systems meet external government and regulatory requirements.

As we think about Enterprise Architecture we need to make sure we build our systems “to code.” When we operate these systems we also need to make sure we operate them in secure, safe ways. Information security best practices need to be designed into these new systems. Trained inspectors need to review these systems as they are built and check on them as they operate to maintain the security we design into them.
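The “inspector” role above can be partly automated: write each building code as a check tied to one of the five design principles, and run the checks against a system design before it is built and again while it operates. The following is an added example, not code from the original post or from Forrester; the design-manifest keys (`transport`, `replicas`, `data_fields`, and so on), the rule names, and the two sample designs are assumptions constructed for this illustration, and a real organization would derive its codes from its own security standards.

```python
"""Building-code inspector (added example, not from the original article).

Each registered check is a 'building code' under one of the five design
principles from the post: confidentiality, availability, integrity, privacy,
compliance. The manifest keys and rule names below are assumptions made for
this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# A check returns a violation detail string, or None when the design passes.
Check = Callable[[dict], Optional[str]]


@dataclass(frozen=True)
class Finding:
    principle: str
    rule: str
    detail: str


CODES: list = []  # (principle, rule name, check function)


def code(principle: str, rule: str):
    """Register a check as a building code under one of the five principles."""
    def register(fn: Check) -> Check:
        CODES.append((principle, rule, fn))
        return fn
    return register


@code("confidentiality", "encrypt-in-transit")
def tls_required(d: dict) -> Optional[str]:
    return None if d.get("transport") == "tls" else f"transport is {d.get('transport')!r}, not TLS"


@code("confidentiality", "access-control")
def authz_declared(d: dict) -> Optional[str]:
    return None if d.get("authz_model") in ("rbac", "abac") else "no authorization model declared"


@code("availability", "redundant-instances")
def redundant(d: dict) -> Optional[str]:
    return None if d.get("replicas", 1) >= 2 else "single instance, no failover"


@code("availability", "rate-limiting")
def rate_limited(d: dict) -> Optional[str]:
    return None if d.get("rate_limit_per_min") else "no rate limit on public endpoints"


@code("integrity", "signed-artifacts")
def artifacts_signed(d: dict) -> Optional[str]:
    return None if d.get("artifacts_signed") else "deployed artifacts are not signed"


@code("integrity", "append-only-audit-log")
def audit_log_immutable(d: dict) -> Optional[str]:
    return None if d.get("audit_log") == "append-only" else "audit log can be rewritten"


@code("privacy", "pii-encrypted-at-rest")
def pii_at_rest(d: dict) -> Optional[str]:
    exposed = [f["name"] for f in d.get("data_fields", []) if f.get("pii") and not f.get("encrypted_at_rest")]
    return None if not exposed else "PII stored unencrypted: " + ", ".join(exposed)


@code("privacy", "no-pii-in-logs")
def pii_not_logged(d: dict) -> Optional[str]:
    return "PII written to application logs" if d.get("logs_include_pii") else None


@code("compliance", "retention-period")
def retention_defined(d: dict) -> Optional[str]:
    return None if d.get("retention_days") else "no data retention period defined"


def inspect(design: dict) -> list:
    """Run every registered code against a design and return the violations."""
    return [Finding(p, r, detail) for p, r, chk in CODES if (detail := chk(design))]


def violations_by_principle(findings: list) -> dict:
    """Count violations per design principle, for a summary view."""
    counts: dict = {}
    for f in findings:
        counts[f.principle] = counts.get(f.principle, 0) + 1
    return counts


# Constructed sample designs (not real systems): a draft that fails inspection
# and a revised design that meets every code.
DRAFT_DESIGN = {
    "name": "order-service (draft)", "transport": "http", "replicas": 1,
    "artifacts_signed": False, "audit_log": "mutable", "logs_include_pii": True,
    "data_fields": [
        {"name": "order_id", "pii": False},
        {"name": "customer_email", "pii": True, "encrypted_at_rest": False},
        {"name": "ssn", "pii": True, "encrypted_at_rest": False},
    ],
}

REVISED_DESIGN = {
    "name": "order-service (revised)", "transport": "tls", "authz_model": "rbac",
    "replicas": 3, "rate_limit_per_min": 600, "artifacts_signed": True,
    "audit_log": "append-only", "logs_include_pii": False, "retention_days": 365,
    "data_fields": [
        {"name": "order_id", "pii": False},
        {"name": "customer_email", "pii": True, "encrypted_at_rest": True},
        {"name": "ssn", "pii": True, "encrypted_at_rest": True},
    ],
}

if __name__ == "__main__":
    for design in (DRAFT_DESIGN, REVISED_DESIGN):
        findings = inspect(design)
        print(f"{design['name']}: {len(findings)} violation(s)")
        for f in findings:
            print(f"  [{f.principle}] {f.rule}: {f.detail}")
```

Running the inspector on the draft design reports nine violations (two each under confidentiality, availability, integrity and privacy, one under compliance), and the revised design reports none. Because the same checks can be run against a live system's exported configuration, the inspection that happens “as they are built” and the one that happens “as they operate” use one rulebook.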

Comments

Architecture's shadow

I'm beginning to look at information security/risk as the 'shadow' that follows each stage of the architecture cycle. The idea formed for me as I worked on a security strategy and found that the concepts, approaches for defining strategy don't work so well when translated into security. Every part of the security strategy hinged on some part of our overall business or technology strategy. Once the problem is framed this way, it exposes some of the same ideas you refer to here.

Building codes act like security standards, defining minimum requirements for materials etc. Where we want a specific technology, we have a specific set of recommendations that need to be addressed etc. Working back up the chain you find that architects aren't required to analyse the material choice, but they are required to ensure that buildings have appropriate fire escape routes or the right number of bathrooms to meet regulations. Coming back a step further, governments (at least this side of the pond) have requirements regarding a building's environmental profile etc.

We can take this idea into EA by recognising that just as our technology solutions require build standards, so our solution architectures need to ensure that components fit together safely, and our target architectures do not expose the business to risk. Our governing principles don't just need to have a 'security' entry tacked on, security needs to have its own 'shadow' principles.

Architecture's Shadow

Richard:

Thank you for your comment. I think your point about security hinging on business and technology strategy is of paramount importance. My research shows that information security must be aligned with overlying strategies for the business and the technology organization if the program is to have relevance and be viewed as successful. I like your comment about component safety. The assumption with building codes is the electrical components, plumbing fixtures, etc. are fit for purpose.

Thanks again!

Ed Ferrara
