One of the key findings of the Gartner research paper “Aligning Security Architecture and Enterprise Architecture: Best practice” is: “The more-closely aligned the security architecture function is to the enterprise architecture (EA), the more effective it is. Complete integration of security into the EA must be the goal.”
In this research paper, Gartner indicates that “The goal is for the security architecture to be completely integrated into an organization's EA.” In reality, as stated in this paper, “many realities mitigate against achieving this in most organizations, including historical organizational and internal political realities. Security architecture has traditionally been practiced separately from the EA. Thus, security architects are often not conversant with EA terminology, principles and practices. Furthermore, the EA tools used by most organizations do not allow for security artifacts to be fully integrated with the EA, simultaneously being able to provide a separate, security perspective where security-only artifacts can be modeled.”
This is what I see in our organization today; to a certain degree, we don’t even have a security architecture in place at all.
It is difficult for EA to interact with the security architecture group; there is no formal communication mechanism in place. While EA creates the solution space for the business, security architecture was not considered in the design. Most of the security specialists (I will not call them security architects, as most of them concentrate only on designing a detailed security solution for a project rather than creating an architecture) don’t quite understand what enterprise architecture is. This often creates conflicts and misunderstandings between EA and security. The security solution and policies for a specific project are isolated from other security policies and solutions, even for a similar project.
Gartner provides strategies to improve the level of alignment, which I fully agree with and think our organization should adopt:
· Sending security architects to attend a training course on the EA methodology used in the organization
· Aligning the structure and methodology of the enterprise information security architecture (EISA) framework with the structure and methodology of the organization's EA approach
· Adopting EA terminology in the EISA practice
· Leveraging any focus on IT governance in the organization to support the effective integration of security into the IT services and application life cycles, and thus into the EA process
· Conducting joint workshops between the EISA and EA teams to develop common processes, process interfaces and terminology
· Combining EISA and EA in major new projects
· Placing security architects in the EA team — that is, starting to work toward integrating the EISA team into the EA team
Reference
https://www.gartner.com/doc/790521/aligning-security-architecture-enterprise-architecture