Architecture Frameworks
SABSA Framework
SABSA (Sherwood Applied Business Security Architecture) provides a layered approach that flows from business context through risk analysis to control objectives, services, and components. Each layer maintains traceability to the layers above and below.
The contextual layer captures business drivers, risk appetite, and compliance requirements. The conceptual layer defines security services and control objectives aligned with business needs. The logical layer specifies security mechanisms and standards, while the physical layer defines specific products and configurations. The component layer provides detailed implementation specifications.
Traceability across layers enables impact analysis when business requirements change: a change at the contextual layer flows down through all layers systematically.
TOGAF Security Extensions
TOGAF (The Open Group Architecture Framework) provides an enterprise architecture methodology with security extensions. TOGAF integration ensures that security architecture aligns with the broader enterprise architecture.
The architecture repository stores reusable architecture artifacts including reference architectures, patterns, and standards. Repository integration enables security architecture to leverage existing enterprise architecture investments.
Architecture roadmaps coordinate security initiatives with business and technology roadmaps. Roadmap integration prevents security from becoming a bottleneck or an afterthought.
Security Capability Model
Core Capabilities
The security capability model defines discrete security functions including Identity and Access Management, Secrets Management, Network Security, Data Protection, Application Security, Security Operations, Incident Response, Governance Risk and Compliance, and Supply Chain Security.
Each capability should have clear ownership, service level agreements, and maturity targets. Ownership ensures accountability for developing and operating the capability.
Capability maturity assessment identifies gaps and prioritizes investments. Maturity models such as CMMI or custom frameworks provide a structured assessment.
Paved Roads and Shared Services
Paved roads provide opinionated, secure-by-default implementations of common patterns. They make the secure choice the easy choice, which increases adoption.
Shared services provide centralized capabilities including authentication, secrets management, and logging. Shared services enable economies of scale and consistent implementation.
Control inheritance allows applications to inherit security controls from the platforms they run on, reducing the per-application security burden. Inheritance should be explicit and verifiable.
Evidence as Code
Evidence as code captures security control implementation and effectiveness in machine-readable formats, enabling automated compliance reporting and continuous assurance.
Policy as code defines security requirements programmatically, enabling automated enforcement. Code-based policies are version-controlled and testable.
Operating Model
Federated Security
A federated operating model balances centralized governance with distributed execution. Platform teams provide guardrails and shared services, while product teams own the security context and implementation.
Governance teams set policies, define standards, and measure outcomes. Governance should enable rather than block, providing clear requirements and self-service capabilities.
Product teams implement security controls within the guardrails, with autonomy to make context-appropriate decisions. Autonomy increases velocity while guardrails ensure consistency.
Portfolio Planning
Portfolio planning coordinates security investments across capabilities and business units. Planning should balance risk reduction with business enablement.
Maturity targets per capability provide clear goals and a way to measure progress. Targets should be realistic and aligned with business risk tolerance.
Outcome-based metrics measure security effectiveness rather than activity. Metrics should include risk reduction, incident impact, and business enablement.
Quarterly reviews assess progress, adjust priorities, and allocate resources. Reviews should include business stakeholders to ensure alignment.
Team Topologies
Security team structure should align with the operating model. Common patterns include centralized security teams, embedded security engineers, and platform security teams.
Centralized teams provide expertise and governance, while embedded engineers provide context and velocity. Platform teams build shared security services.
Team interfaces should be clearly defined, with explicit responsibilities and communication patterns. Unclear interfaces create gaps and conflicts.
Architecture Artifacts
Reference Architectures
Reference architectures provide proven patterns for common scenarios including cloud migration, zero trust implementation, and multi-cloud security. They accelerate implementation and ensure consistency.
Architecture patterns document reusable solutions to recurring problems. Patterns should include context, problem statement, solution, and tradeoffs.
Architecture decision records (ADRs) capture significant decisions together with their rationale and the alternatives considered. ADRs provide historical context and prevent settled decisions from being revisited.
Control Catalog
The control catalog maps security controls to compliance frameworks including NIST CSF, ISO 27001, SOC 2, and PCI DSS. Mapping enables efficient compliance: a control is implemented once and satisfies multiple frameworks.
Control descriptions should include implementation guidance, testing procedures, and evidence requirements. Clear descriptions enable consistent implementation.
Control ownership assigns responsibility for implementation and maintenance. Ownership should be explicit, with named individuals or teams.
Exception Management
Exception workflows enable risk-based deviations from standards when business requirements demand it. Exceptions should be time-bounded and paired with compensating controls.
Risk registers track accepted risks with business justification and mitigation plans. Risk registers provide visibility into security posture.
Exception approval should require authority appropriate to the risk level. High-risk exceptions require executive approval.
Architecture Governance
Architecture Review Board
The Architecture Review Board (ARB) reviews significant architecture decisions and ensures alignment with standards. The ARB should include security, enterprise architecture, and business representation.
Review criteria should be clear and published, enabling teams to self-assess before formal review. Published criteria reduce review cycle time.
ARB decisions should be documented and communicated broadly. Transparency builds trust and enables learning.
Standards and Guidelines
Security standards define mandatory requirements, while guidelines provide recommended practices. Standards should be minimal and enforceable.
Standards should be technology-agnostic where possible, focusing on outcomes rather than specific implementations. Technology-agnostic standards age better.
Guidelines provide flexibility for context-appropriate implementation. Guidelines should include examples and rationale.
Metrics and Reporting
Architecture metrics measure adoption of reference architectures, compliance with standards, and capability maturity. Metrics should drive improvement rather than punishment.
Executive reporting should focus on outcomes and risk, not technical details. Reporting should be concise and actionable.
Trend analysis identifies improving or degrading areas, enabling proactive intervention.
Conclusion
Enterprise Security Architecture aligns business strategy with security capabilities through frameworks, capability models, and federated operating models. Security engineers design architecture programs that provide strategic direction while enabling tactical execution.
Success requires treating architecture as a continuous practice rather than a one-time effort, with regular updates to reflect changing business and threat landscapes. Organizations that invest in enterprise security architecture fundamentals build coherent security programs that scale across portfolios.
References
- SABSA Institute Framework and Methodology
- TOGAF Security Architecture
- NIST Cybersecurity Framework 2.0
- ISO/IEC 27001 Information Security Management
- Cloud Security Alliance Enterprise Architecture
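Worked example for the Evidence as Code, Control Catalog and Exception Management sections above. Those sections describe policy checks that run programmatically, produce machine-readable evidence, map one control to several compliance frameworks, and tolerate only exceptions that are time-bounded, carry compensating controls and were approved at the right level of authority. The Python program below is an added example of how those pieces fit together; it is not from the original page or from SABSA, TOGAF or any other framework the page cites. The control ids (CTL-…), the framework mapping, the service configuration, the exception records and the EXECUTIVE_ROLES set are all constructed placeholders.

```python
"""Policy-as-code evaluation that emits machine-readable evidence records and
honours only time-bounded, compensated, appropriately approved exceptions.
Constructed example: control ids, config, exceptions and rules are placeholders."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from typing import Callable

EXECUTIVE_ROLES = {"CISO", "CTO"}  # roles that may approve high-risk exceptions (assumed)

@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    frameworks: tuple[str, ...]    # frameworks this single control satisfies
    check: Callable[[dict], bool]  # policy-as-code rule evaluated over the service config

@dataclass(frozen=True)
class RiskException:
    control_id: str
    expires: date                  # every exception is time-bounded
    risk_level: str                # "low", "medium" or "high"
    approved_by_role: str
    compensating_controls: tuple[str, ...]
    justification: str

def exception_problem(exc: RiskException, today: date) -> str | None:
    """Return why an exception cannot be honoured, or None if it is acceptable."""
    if exc.expires < today:
        return f"exception expired on {exc.expires.isoformat()}"
    if not exc.compensating_controls:
        return "exception has no compensating controls"
    if exc.risk_level == "high" and exc.approved_by_role not in EXECUTIVE_ROLES:
        return "high-risk exception requires executive approval"
    return None

def evaluate(config: dict, catalog: list[Control], exceptions: list[RiskException], today: date) -> list[dict]:
    """Run every control check and emit one evidence record per control."""
    by_control = {e.control_id: e for e in exceptions}
    evidence = []
    for ctl in catalog:
        record = {"control": ctl.control_id, "frameworks": list(ctl.frameworks),
                  "as_of": today.isoformat()}
        if ctl.check(config):
            record["status"] = "pass"
        elif ctl.control_id in by_control:
            exc = by_control[ctl.control_id]
            problem = exception_problem(exc, today)
            if problem is None:
                record["status"] = "excepted"
                record["exception"] = {"expires": exc.expires.isoformat(),
                                       "approved_by_role": exc.approved_by_role,
                                       "compensating_controls": list(exc.compensating_controls)}
            else:  # an invalid exception never excuses a failing control
                record["status"], record["note"] = "fail", problem
        else:
            record["status"] = "fail"
        evidence.append(record)
    return evidence

def framework_gaps(evidence: list[dict]) -> dict[str, list[str]]:
    """Map each framework to the failing controls that block compliance with it."""
    gaps: dict[str, list[str]] = {}
    for rec in evidence:
        if rec["status"] == "fail":
            for fw in rec["frameworks"]:
                gaps.setdefault(fw, []).append(rec["control"])
    return gaps

# Constructed sample catalog, service configuration and exception register.
CATALOG = [
    Control("CTL-IAM-01", "MFA required for human access", ("NIST CSF", "ISO 27001", "SOC 2"),
            lambda c: c.get("mfa_required") is True),
    Control("CTL-SEC-02", "Secrets come from a secrets manager", ("NIST CSF", "SOC 2", "PCI DSS"),
            lambda c: c.get("secrets_backend") != "plaintext"),
    Control("CTL-LOG-03", "Audit logs shipped to central logging",
            ("NIST CSF", "ISO 27001", "SOC 2", "PCI DSS"), lambda c: c.get("central_logging") is True),
    Control("CTL-NET-04", "Admin ports not internet-exposed", ("NIST CSF", "PCI DSS"),
            lambda c: c.get("admin_port_public") is False),
]
SAMPLE_CONFIG = {"mfa_required": True, "secrets_backend": "plaintext",
                 "central_logging": False, "admin_port_public": True}
SAMPLE_EXCEPTIONS = [
    RiskException("CTL-SEC-02", date(2025, 12, 31), "medium", "platform-lead",
                  ("weekly rotation", "build host only"), "legacy build pipeline"),
    RiskException("CTL-LOG-03", date(2024, 12, 31), "high", "CISO",
                  ("local log retention",), "log shipper rollout pending"),
]
AS_OF = date(2025, 6, 1)

def run() -> tuple[list[dict], dict[str, list[str]]]:
    """Evaluate the sample and return (evidence records, per-framework gaps)."""
    evidence = evaluate(SAMPLE_CONFIG, CATALOG, SAMPLE_EXCEPTIONS, AS_OF)
    return evidence, framework_gaps(evidence)

if __name__ == "__main__":
    print(json.dumps(dict(zip(("evidence", "framework_gaps"), run())), indent=2))
```

Running the script prints the evidence records and the per-framework gaps as JSON. The expired exception on CTL-LOG-03 is reported as a failure with a note rather than being silently extended, the valid exception on CTL-SEC-02 is recorded together with its expiry, approver and compensating controls so that the evidence is auditable, and the gap summary shows which frameworks each failing control blocks, which is the "implement once, map to many" property of the control catalog. In practice the evidence records would be committed alongside the policy code so each pipeline run leaves a version-controlled trail.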