SABSA Security Architecture Framework: An Overview
Security architecture is a crucial component of any enterprise that aims to protect its information assets and support its business objectives. However, developing and implementing a security architecture that is aligned with the business needs and risk appetite of the organization can be a challenging task. This is where the SABSA security architecture framework can help.
SABSA stands for Sherwood Applied Business Security Architecture, and it is a methodology for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions that support critical business initiatives. It is an open standard, comprising a number of frameworks, models, methods and processes, free for use by all, with no licensing required for end-user organisations who make use of the standard in developing and implementing architectures and solutions.
SABSA is unique in that it fulfils all of the following criteria:
It is vendor-neutral and not related to any IT solutions supplier.
It is scalable: it can be introduced one area or system at a time and implemented incrementally.
It can be used in any industry sector and in any organisation whether privately or publicly owned, including commercial, industrial, government, military or charitable organisations.
It can be used for the development of architectures and solutions at any level of granularity of scope, from a project of limited scope to an entire enterprise architectural framework.
It does not replace or compete with any other information risk or information security standard; rather, it provides an overarching framework under which all other existing standards can be integrated, enabling joined-up, end-to-end architectural solutions.
It fills the gap for security architecture and security service management by integrating seamlessly with other standards such as TOGAF and ITIL.
It is continually maintained and developed and up-to-date versions are published from time to time.
The SABSA methodology has six layers (five horizontal and one vertical). Each layer has a different purpose and view. The contextual layer is at the top and includes business requirements and goals. The second layer is the conceptual layer, which is the architecture view. The third layer is the logical layer, which is the design view. The fourth layer is the physical layer, which is the build view. The fifth layer is the component layer, which is the deploy view. The vertical layer is the operational layer, which is the manage view and spans all five horizontal layers. Figure 1 shows the six layers of this framework.
Figure 1: SABSA Layers
The SABSA framework also uses a matrix model to describe the relationship between the layers and six aspects of security: assets, risks, controls, services, measures and trust. Each aspect has a corresponding attribute that defines its characteristics. For example, assets have value attributes, risks have threat attributes, controls have policy attributes, services have service attributes, measures have performance attributes and trust has trust attributes. Figure 2 shows the matrix model of SABSA.
Figure 2: SABSA Matrix
The SABSA framework provides a comprehensive and systematic approach to developing security architectures that are aligned with business needs and risk appetite. It also enables security professionals to communicate effectively with business stakeholders and demonstrate the value of security investments. By using SABSA, enterprises can achieve optimal security outcomes that support their strategic objectives.