According to TOGAF, security concerns are pervasive throughout the architecture domains and in all phases of architecture development. Security is called out separately because it is infrastructure that is rarely visible to the business function. Its fundamental purpose is to protect the value of the enterprise's systems and information assets. Security in the enterprise is often deemed successful if nothing happens that is visible to the user or any other observer and/or no damage or losses occur to the enterprise.
The generally accepted areas of concern for the security architect are:
- Authentication
- Authorization
- Audit
- Assurance
- Availability
- Asset Protection
- Administration
- Risk Management
When we develop an enterprise architecture, security architecture surrounds every phase of the development, and security requirements need to be taken into consideration during each phase. Here we are talking about creating a security architecture, not security policies for specific projects. I have experienced such a situation during the development of a cloud solution architecture for an organization. When I was working with security specialists on the subject, I would usually get a set of policies or even a specific product to use. To me it is different. Some of the general security policies, developed on the basis of past and existing information and technology systems, may not fit this architecture. The right approach should be as described by TOGAF:
- gather current and emerging security requirements from the business for each phase of the architecture development;
- create a security requirements catalog;
- perform a baseline analysis to determine the "current state" of the security effort;
- identify gaps in the current state;
- articulate an architecture in functional terms to address the gaps and incorporate emerging business requirements;
- identify and communicate the "desired state" environment;
- develop a blueprint for the future architecture.
It is important to develop and select standards and policies to implement the security program within the context of the chosen architecture. Business requirements should be updated and reassessed during each iteration of the architecture development process.
Reference
TOGAF
https://www.giac.org/paper/gsec/610/building-enterprise-security-architecture/101447