Enterprise Architectures (EA) & Security
A synopsis of current-state EAs and enterprise security as an add-on
Marcel Schlebusch, 2013-07-18
mwrinfosecurity.com MWR InfoSecurity 1
Something to ponder
(image slide; cartoon sourced from 9gag.com)
Overview
- Introduction: brief history and overview of EA
- Common problems faced by EA programmes
- Security as part of EA
- A comparison of 4 EA frameworks
- EA trends: literature study
- An optimist's vision for EA and ESA
- Conclusion
Introduction: Brief history and overview of EA
26 years of EA:
- 1960s and 1970s: Information Architectures
- 1987: John Zachman
- 1990s: the term "EA" appears; different views start to form
- 2000s: many different approaches to EA emerge
Introduction: Brief history and overview of EA (continued)
Overview of EA
What is Enterprise Architecture?
- Enables translating business vision into enterprise change
- Enables management of complexity
- Purpose/goals: effectiveness, efficiency, agility and durability
What is an EA framework?
- A reference structure that provides models, tools and processes to plan, produce and operate an EA programme
Common problems faced by EA programmes
At the very least, these questions will be addressed:
- Should my organisation implement an Enterprise Architecture?
- Which EA framework is the best?
- We've spent a fortune on EA, why are we not getting ROI?
- Why do EA programmes commonly fail?
- What are the current business trends in EA?
- How do we get started with EA?
Security as part of EA
Zoom in on security
Security as part of EA
There are many security standards:
- ISO 27001 (BS 7799)
- NIST 800-12, 800-14, 800-26, 800-37, 800-53 rev3
- PCI-DSS
- etc.
There are risk frameworks:
- RiskIT (risk framework by ISACA)
- ISO 27005
- etc.
There are Enterprise Security Architecture (ESA) frameworks:
- SABSA (Sherwood Applied Business Security Architecture)
- IAEAF (Information Assurance Enterprise Architectural Framework)
- OSA (Open Security Architecture)
Security as part of EA (continued)
Positioning Enterprise Security Architecture
(diagram: Security Architecture drawn across Business architecture, Information Architecture and Technology architecture)
Goals of ESA:
- Establish a common language
- Structured management of security complexity
- Enable business-to-security alignment
- Traceability to business requirements
Security as part of EA (continued)
Positioning Enterprise Security Architecture
- ESA is a subset of EA
- It stretches across all other architectures
Security as part of EA (continued)
(diagram: Business assets, Information assets, Technology assets)
Security as part of EA (continued)
SABSA as an example
- Risk-driven methodology
- Consists of frameworks, models, methods and processes
- Free for use by all
- Overarches all other security standards
- Everything is driven from an analysis of the business requirements for security
(diagrams: the SABSA layered model; the SABSA lifecycle)
Source: SABSA whitepaper, www.sabsa.org
Security as part of EA (continued)
SABSA as an example: the SABSA matrix
Columns (the Business view of): What, Why, How, Who, Where, When
Rows: Business View, Architect's View, Designer's View, Builder's View, Tradesman's View, Service Manager's View
Source: SABSA whitepaper, www.sabsa.org
Security as part of EA (continued)
The SABSA Matrix
(full matrix slide; only the row labels survived extraction: Business View, Architect's View, Designer's View, Builder's View, Tradesman's View, Service Manager's View)
Source: SABSA whitepaper, www.sabsa.org
Security as part of EA (continued)
SABSA as an example: the SABSA Business Attributes
(diagram slide)
Source: SABSA whitepaper, www.sabsa.org
A comparison of 4 EA frameworks
Zoom out, back to the enterprise
A comparison of 4 EA frameworks
Over the past decade many EA approaches have emerged; 4 are leading the pack:
1. Zachman Framework for EA
2. The Open Group Architecture Framework (TOGAF)
3. Federal Enterprise Architecture (FEA)
4. Gartner Enterprise Architecture Framework
A comparison of 4 EA frameworks (continued)
In comparing these frameworks, the following will be shown:
1. A summary/overview of each framework
2. A score-sheet directly comparing the frameworks
3. Some usage statistics (mostly from the USA and Europe)
A comparison of 4 EA frameworks (continued)
Zachman Framework for EA
- Taxonomy
- Categorising deliverables
- Planning tool
- Views & viewpoints
Also:
- Limited usefulness as EA
- History in manufacturing
- Broad acceptance
A comparison of 4 EA frameworks (continued)
The architect: SABSA vs. Zachman
SABSA (John Sherwood): 6 x 6 matrix, views, viewpoints, Enterprise Security Framework
Zachman (John Zachman): 6 x 6 matrix, views, viewpoints, Enterprise Framework
A comparison of 4 EA frameworks (continued)
TOGAF
- Process-driven (via the ADM)
- Enterprise Continuum (general -> specific)
- Technical Reference Models (TRM)
- Standards Information Bases (SIB)
Also:
- Holistic perspective
- History in defence
- Broad acceptance
A comparison of 4 EA frameworks (continued)
FEA
- Segmented enterprise
- 5 reference models
- Development process
- Planning and communication tool
Also:
- Holistic perspective
- US Government standard
- Broad US Government acceptance
A comparison of 4 EA frameworks (continued)
Gartner
- Better described as a practice
- EA as a service to large enterprises
A comparison of 4 EA frameworks (continued)
Score-sheet (2007)
Rating scale: 1 = Very poor, 2 = Inadequate, 3 = Acceptable, 4 = Very good

Criteria                   Zachman  TOGAF  FEA  Gartner
Taxonomy Completeness         4       2     2      1
Process Completeness          1       4     2      3
Reference Model Guidance      1       3     4      1
Practice Guidance             1       2     2      4
Maturity Model                1       1     3      2
Business Focus                1       2     1      4
Governance Guidance           1       2     3      3
Partitioning Guidance         1       2     4      3
Prescriptive Catalogue        1       2     4      2
Vendor Neutrality             2       4     3      1
Information Availability      2       4     2      1
Time to Value                 1       3     1      4
A comparison of 4 EA frameworks (continued)
Score-sheet (2012)
Rating scale: 1 = Very poor, 2 = Inadequate, 3 = Acceptable, 4 = Very good

Criteria                   Zachman  TOGAF  FEA  Gartner
Taxonomy Completeness         4       3     2      1
Process Completeness          1       4     3      3
Reference Model Guidance      1       3     4      1
Practice Guidance             1       2     2      4
Maturity Model                1       2     4      2
Business Focus                1       2     3      4
Governance Guidance           1       2     3      3
Partitioning Guidance         1       3     4      3
Prescriptive Catalogue        1       3     4      2
Vendor Neutrality             2       4     3      1
Information Availability      2       4     3      1
Time to Value                 2       4     2      4
A comparison of EA frameworks: Usage survey 2003
(bar chart, axis 0% to 40%; bars in the order shown: Organisation's own, None, Zachman, Other, TOGAF; bar values did not survive extraction)
Source: Capgemini EA survey 2003
A comparison of EA frameworks: Usage survey 2012
(bar chart, axis 0% to 25%; bars in the order shown: Organisation's own, TOGAF, Pragmatic EA, Other, MoDAF, Zachman, None, FEA; bar values did not survive extraction)
Source: Ovum EA survey 2012
EA trends: Literature study
Gartner:
- Analysts predict that 95% of organisations will support multiple approaches to EA by 2015
- By 2020 the majority of Global 1000 organisations will support EA as a distinct discipline
To prepare for 2020, Gartner advises to:
- Ensure that EA practices are driven by the business direction
- EA should lead from the top, and be driven from the top
- Use EA to predict the impact of investment decisions
Source: Gartner EA Hype Cycle 2012
EA trends: Literature study
(diagram slide: Gartner EA Hype Cycle 2012)
EA trends: Literature study
The blended approach to EA
Gartner identifies different approaches to EA:
- Traditional: top-down approach
- Federated: useful for larger organisations
- Middle-out: most dynamic approach
- Managed diversity: option-based approach
A true "blended" approach is one whereby the enterprise architecture (EA) team determines the appropriate mix of the above EA approaches based on business-outcome-driven decision criteria.
Source: Gartner EA Hype Cycle 2012
EA trends: Literature study
Oracle survey: what does a partially successful or unsuccessful implementation look like?
(diagram: an EA maturity representation with axes Enterprise Architecture and Solution Architecture, and quadrants labelled Isolation Trap, Optimised, Losing and Fragmented)
Source: Oracle EA survey
An optimist's view of EA and ESA (continued)
The blended approach
(the 2012 score-sheet repeated unchanged, with one annotation added:)
+ SECURITY, of course
An optimist's view of EA and ESA (continued)
The blended approach
(table with columns Gartner, SABSA, TOGAF, Zachman and rows Requirements Definition, Process, Goals and Artefacts; the tick marks did not survive extraction: Requirements Definition carries one tick, Process two, Goals and Artefacts two)
An optimist's view of EA and ESA (continued)
The blended approach: SABSA and TOGAF integration
(diagram slide)
An optimist's view of EA and ESA (continued)
The blended approach: are we not increasing the complexity?
An optimist's view of EA and ESA (continued)
The ideal state: market leading, strategic, SECURE, compliant, competitive, cost effective, dynamic, efficient, documented, intelligent
Conclusion
For organisations practising EA and ESA:
- EA and ESA are tools for change
- It takes time (track maturity)
- EA is not an IT function
- Drive from the top!
- Be open to a blended approach
- Include security here
For EA and ESA professionals:
- Understand that ESA delivers into EA
- Manage expectations (long-term value)
- The value of EA careers is increasing
- Be skilled in multiple frameworks
Conclusion
At the very least, these questions will be addressed:
- Should my organisation implement an Enterprise Architecture? YES
- Which EA framework is the best? BLEND
- We've spent a fortune on EA, why are we not getting ROI? It takes time, but measure the maturity of your programme and re-focus efforts on delivering business value
- Why do EA programmes commonly fail? Not driven from the top, or focus shifts to shorter-term solutions architecture
- What are the current business trends in EA? Blended EA approaches and EA tools
- How do we get started with EA? Combine Zachman, TOGAF and SABSA and let the TOGAF ADM guide your process
References:
[1] Article: A Comparison of the Top Four Enterprise-Architecture Methodologies, by Roger Sessions
[2] White paper: A Comparison of the Five Major Enterprise Architecture Methodologies, https://online.ist.psu.edu/sites/ist871/files/t10_comparisonof5.pdf
[3] Ovum Research, amongst others: http://ovum.com/2012/03/22/hybrid-enterprise-architectureframeworks-are-in-the-majority/
[4] Gartner: Hype Cycle for Enterprise Architecture, 2012
[5] TOGAF: http://www.opengroup.org/togaf/
[6] White paper: The Oracle Enterprise Architecture Framework (Oracle, October 2009)
[7] White paper: Enterprise Security Architecture, www.sabsa.org
[8] White paper: TOGAF and SABSA Integration, The Open Group (October 2011)