A Security Reference Architecture model should enable businesses to create their own business-centric, product-neutral architecture, one that is savvy about both security process and security technology, to suit their circumstances. At a minimum, such models should provide diagrams you can modify to fit your situation. Once that’s done, the architecture becomes your own bespoke template for creating security strategies, solutions, requirements, and vendor selection criteria. The figure below is a visual overview of the Reference Architecture I wrote in 2020. You can download a detailed, complimentary excerpt and summary of it from Techvision Research, including 4 of the key figures (registration required).
My interest in Reference Architecture (RA) started 21 years ago at Burton Group, an IT research and advisory company later acquired by Gartner in 2010. Back in 1999 and 2000 we were still pretty small. One of the keys to our growth was acquiring a small consulting firm called NetReference and its Network Reference Architecture. By 2005 we had generalized the concept into other parts of the IT stack. We had a Security Technology RA, an Identity and Directory Services RA, and others. I was a lead author and research director for both the identity and the security RAs. They became popular with our customers. At least one customer referenced our Identity RA models in an RFP!
Fast forward to 2020. Some “Burton Group alumni” partners of mine at Techvision Research created a new Identity and Access Management (IAM) RA. Techvision CEO Gary Rowe asked me to create a Security Reference Architecture. Always up for a challenge, I said “Yes!”
Back to the Future
Since 2000, and even since 2005, the landscape has changed so much. Cloud, AI, IoT, blockchains, and other novel concepts are now commonplace. We have new models like Open FAIR and the NIST Cybersecurity Framework (CSF). I’ve learned these and other new disciplines, including many Sherwood Applied Business Security Architecture (SABSA) concepts. I have this blog on security-architect.com. I also moderate the LinkedIn Security Architecture group, which has almost 15,000 members.
But in 2020 creating a new security architecture seemed like starting over. I searched cyberspace extensively to see if someone had already created anything like what I was thinking about. It would have to be comprehensive, map to hybrid multi-cloud (aka hybrid IT) environments, incorporate process as well as technology views, and show the business linkages. The closest thing was the Cybersecurity Reference Architecture from Microsoft by Mark Simos. Mark did some great work on that, but it is specific to Microsoft products. It was also (just) technology-centric. However, it helped me visualize what to create, and for that I’m grateful.
A Security Reference Architecture for the 2020s
Using SABSA terminology, security architecture views can include:
- Contextual layers for strategic alignment with business
- Conceptual layers showing technology and process intersections
- Conceptual and logical layers identifying key technology and process capabilities throughout the hybrid multi-cloud IT stack
The Security Reference Architecture I wrote for Techvision Research (download a detailed, complimentary excerpt here) provides diagrams at the contextual, conceptual, and logical level. It has guidance on identifying the business and risk context for a digital enterprise. It helps with selecting and prioritizing security-related processes and functional or technical capabilities in the IT environment. Also, it maps the capabilities to NIST Cybersecurity Framework (CSF) controls for convenient linkage to IT Governance, Risk, and Compliance (IT GRC) and solution architecture management tools.
The Security Reference Architecture models both security-related processes and security technologies across digital enterprises’ multi-cloud and edge system IT environments. It identifies capabilities required to support distributed security systems; enterprise security operations and services; customers, partners, and suppliers; and the enterprise IT/OT environment. The Business View of the Security Reference Architecture depicts the business context for the security program, security controls, and enterprise security infrastructure required for a Digital Enterprise.
The Functional Views include a Technology View and a Process View. These views map security-related technologies and processes into those required for security management and control systems, security monitoring, incident response, vulnerability and configuration management, network security, identity and access management, and information protection. When you download the excerpt you’ll notice the Process View has no acronyms, but the Technology View has lots of them. The downside is that these market-defined categories (e.g., CASB or PAM) require updating every few years. The upside is that they’re familiar and reasonably self-descriptive to a technology-savvy audience.
Using the Security Reference Architecture
Clients can use the Reference Architecture to get a logical understanding of security capabilities, enable cross-functional alignment of security projects or activities, measure their effectiveness, and facilitate compliance as well as digital transformation of the business. The Reference Architecture also incorporates by reference certain models, such as the security-related roles taxonomy and sample RACIs from my book Rational Cybersecurity for Business (also freely available).
Call to Action
After you download the excerpt, please join the LinkedIn Security Architecture group where I’m opening a discussion today. You can also contact us here, or at Techvision Research, with any questions about the architecture and how to use it.