Perspectives on Information Security Architecture

There are a few things that every architect should do but most forget. As you know, there is no shortage of technology architecture frameworks and standards. You may have come across TOGAF for enterprise architecture and SABSA (Sherwood Applied Business Security Architecture) for security architecture. Without going into detail on any of these, I just want to touch on a few things that every architect should keep in mind to ensure the success of themselves as well as the people around them (engineers, developers, operations, etc.).

These are: Business, Operations, Technology and Service, or “BOTS”. When creating architecture for security projects, everyone should focus on “BOTS”, which are the perspectives and “views” listed below:

  1. Business View – First and foremost, ensure that the architecture meets business needs. You may have a perfect architecture, but it may hinder the business instead of enabling it.
  2. Operational View – Don’t forget the operations. Someone has to run it on a day-to-day basis. Operations teams are one of the main stakeholders but are often forgotten. Consider how your architecture will make their life easy and not difficult.
  3. Technology View – I know this is already the main focus area of all architects. However, technology has many aspects that are sometimes ignored. These include cost, maintainability, complexity, maturity, etc. You should remember that complexity is the enemy of security. Complex systems are not only difficult and expensive to maintain; many times they are also not as secure as simple systems.
  4. Service View – Whatever you are building, at some point “people” are going to use it, directly or indirectly. Consider the service that you are providing and the usability of the overall system. Multi-factor authentication could be very cumbersome or very transparent for the end users. You know which one would be more successful!

Business, Operations, Technology and Service (BOTS) views are essential for the success of any information security project. In my last 20 years of experience, I have seen many projects either completely fail or not realize their potential just because the architects forgot about one or more of the BOTS views. Don’t do that!