Opinion: Enterprise Security Architecture as a discipline – the three viewpoints.

Enterprise Security Architecture for an organisation as a discipline is required to outline an enterprise wide risk-driven approach to information security and deliver infrastructure solutions in response to the organisations threat profile. Enterprise Security Architecture is required to drive and support the standardisation and management of an organisations information security discipline.

Enterprise Security Architecture is a term used loosely by organisations today, and depending on the maturity of the discipline, it may be limited to a technology only function that looks to address the organisations security concerns through technical solutions, that provide point in time protection without an appreciation of a broader strategy encompassing the ever important people and process domains.

As an example, for a web based business the focus is availability and continuous uptime, the Enterprise Security Architecture for such an organisation will be focused at a minimum on the protection of its web servers, ensuring the associated web applications are secured and not susceptible to man in the middle or SQL injection attacks, further this organisation would ensure that technology controls are in place to prevent a Distributed Denial of Service (DDOS) Attack.

Alternatively, if an organisations core business is manufacturing and distribution, the core focus will be on the protection of core systems, the unavailability of which will have an impact on its corresponding manufacturing cycles and in turn adversely affect the distribution of its products. The protection of these systems may be a mixture of network, hosting and end point technologies with potentially minimal appreciation of supporting people and process controls. The protection mechanism and the corresponding security architecture for these two organisations will be different when compared to the security architecture at a financial services organisation that is required to address the security concerns and manage the treat vectors across people, process and technology domains.

In my view a comprehensive Enterprise Security Architecture should focus across people, process and technology domains, but additionally have three distinct views that explain information security from multiple aspects including but not limited to a ‘Business Viewpoint’, ‘Technology Management Viewpoint’ and ‘Security Practitioners Viewpoint’ addressing the requirements across people, process and technology domains.

The Business viewpoint of an Enterprise Security Architecture should provide for an understanding of the Governance, Risk and Compliance (GRC) posture of information security at an executive level, followed through by an appreciation of the required People and Identity factors that influence information security. In addition, the business viewpoint of enterprise security architecture should highlight the organisations Information Assets and the threat posture of its IT Infrastructure including but not limited to network components, server instances and end points.

The Technology Management and Security Practitioner viewpoint should build on the Business viewpoint and explain in detail the requirements and principles for information security management supported by the organisations security policy, standards that include identity and access management, threat and vulnerability management operating procedures, and a framework for security reporting.

The Security Practitioner view will specifically focus on and provide details of the security capability and associated infrastructure components that are required to support the management view and the business view by detailing in no particular order the;

  •  System security policy management and compliance reporting system,
  •  Security information and event management systems,
  •  Network security including network intrusion detection/prevention systems,
  •  Data leakage prevention systems,
  •  Host and end point security systems,
  •  Data storage security,
  •  Security operations reporting and metrics system,
  •  Application and business system security etc.

The Enterprise Security Architecture within an organisation should ensure that the above viewpoints are understood and not be limited to a technology only function. A successful Enterprise Security Architecture should provide guidance across the three domains of people, process and technology to ensure that the organisation continues to operate anytime and anywhere in a secure manner whilst maintaining a competitive compliance posture.

About CSO Opinion writer Puneet Kukreja

Puneet Kukreja is the Managing Director of Affirm Risk Pty Ltd. a boutique information security and risk advisory firm. He has demonstrated experience in successfully delivering enterprise security programs and establishing integrated security delivery functions within complex multi vendor and multi stakeholder environments. He is an experienced information security and systems auditor with in-depth controls advisory experience. He holds the following certifications CRISC,  CISM, MSP, CEA,  ITIL ICT (M), MCSE (Security), CCNA, CCSP, Security +.