Detailed Security Data Structure: Component Layer Deliverables

1) The document outlines deliverables for defining security data structures, standards, products, tools, identities and access controls for integrating a component layer. 2) It describes analyzing existing security mechanisms, policies, and data to determine common standards and specific tools and products that integrate effectively. 3) The results will be lists and frameworks that name users, roles, privileges and define access controls to enable proper system usage while allowing functions.

Uploaded by

api-452132375

Component Layer Deliverables

According to Sherwood, the following should be delivered by the Tradesman:

Detailed Security Data Structure


Understanding and considering the language that systems use to communicate with each other is essential. During the component development process, selection of tools and definition of any standards should not occur until there is a clear picture of the data communications from all layers.

Inputs:
Data Dictionary produced in the physical layer.

Process:
This is an iterative process, and a brief analysis needs to be conducted for each security mechanism and application in the environment that requires integration. Security tool selection must consider the existing practices and implementations within the already-implemented applications. Do applications require the older, binary-encoded “Abstract Syntax Notation” (ASN.1)?
Weigh the needs for extreme efficiency and time sensitivity when considering interoperability of security tools. Will the systems have the computing power capable of supporting XML, which is more resource intensive?

Outputs:
The result of this comprehensive analysis should be a list of detailed data structures which are used throughout the environment. These data structures should tell the security architect how exchanging data with applications and integrating security mechanisms, such as authentication, certificates, certificate management, time protocols, and many others, will be possible, either by XML or ASN.1.

Security Standards
When data structures have been determined, the standards which will be used should be selected to ensure integration with other technologies and tools. Business and security technologies must be able to communicate. This is the step where the communication protocols are defined (adopted). Note that this is not the same as picking protocols whose sole purpose is to provide security. Additionally, a framework of internal security standards, which align with the security policies and procedures, should be created.

Inputs:
Data Dictionary produced in the physical layer.
Business Data Model (including security data) produced in the physical layer.
Security Rules, Policies & Procedures produced in the physical layer.

Process:
Using the data model and dictionary, as well as the security rules, policies and procedures, analyze the data that you can expect to have and need in order to implement an effective security model. Based on this analysis, choose the tools, with the goal being seamless integration of components to form an efficient and effective security toolbelt in the near and long term.
There are many international organizations that outline communication standards for virtually every type of technology. The emphasis should be on finding the common and most used standards. There are organizations that specialize in development and adoption of technical and procedural standards, and my recommendation would be to reference the International Organization for Standardization (ISO) for insights and generally accepted standards.
Additionally, some large vendors will introduce their own standards, which is acceptable, provided that their tool is not overly exclusive and can be integrated with the rest of the tools.
Lastly, while building this deliverable, it is important to create the necessary internal security standards.

Outputs:
The deliverable should include:
1- A list of relevant data and communication standards based on pertinent business systems and security tools.
2- As per Sherwood, definition of key internal security standards – refer to appendix for what these are.
Refer to appendix 1 for example template.

Security Product & Tools


These are the specific tools and mechanisms which will be leveraged to implement the security policies and procedures properly. The tools selected should be “integratable”, meaning they should not create inefficiencies or rework, or jeopardize the effective security level due to reliability or capability.

Inputs:
Information about current products on the market.
Users, Apps, and UI for Security.
Platforms & Network Infra (physical layout & capacity & resilience plan) produced in the physical layer.
Control Structure Execution produced in the physical layer.

Process:
Reference the physical layout of the network and how it has been designed to meet availability requirements set forth by the business. The security components need to be selected and implemented to also meet uptime and availability requirements.
Understand the control objectives and how they should be executed – must be able to answer this question: What is the control trying to accomplish, and can the component meet this need?

Outputs:
The deliverable produced should contain a list of all security types, and the specific products and tools, organized in a list with clear traceability back to the logical and physical security mechanisms, so as to enable the non-technical reader to understand how the individual components fit into the security strategy.
Refer to appendix 1 for example template.

Identities, Functions, Actions, ACLs


A framework for naming and defining users, roles, privileges, and functions/actions with instructions for creating the ACLs that pertain to them.

Inputs:
Information about current products on the market.
Users, Apps, and UI for Security.
Platforms & Network Infra (physical layout & capacity & resilience plan) produced in the physical layer.
Control Structure Execution produced in the physical layer.

Process:
Using the information produced in prior deliverables, it’s now time to analyze and strategize the delivery of acceptable usage of IT systems by authorized individuals.
Role-based access controls are defined here, and therefore it is important to consider who the users are and why they are accessing the systems, so that as part of this deliverable you can delineate their roles and still allow them to function effectively.
You must consider where trust services and authentication are “physically” (in quotations because they may actually be virtual) implemented so that components that support the physical location.
During this step, evaluate web service communications. SAML is compatible with HTTP, SMTP, and XML. Therefore, we feel it is the best all-around choice.

Outputs:
This deliverable should include a list of user types, the associated roles which apply to these user types, the privileges that comprise these roles, and an iterative procedure that can be leveraged for creation.
Refer to appendix 1 for example template.
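
The following is an added example, not part of the original document or of SABSA: one way to hold the user type, role and privilege lists this deliverable calls for and expand them into per-resource ACLs with default deny. All user types, roles, resources and actions are hypothetical sample values.

```python
# Constructed sample framework; every name below is hypothetical.
USER_TYPE_ROLES = {
    "teller":   ["account_viewer", "payment_clerk"],
    "auditor":  ["account_viewer", "log_reader"],
    "customer": ["self_service"],
}
ROLE_PRIVILEGES = {  # role -> list of (resource, action) privileges
    "account_viewer": [("accounts", "read")],
    "payment_clerk":  [("payments", "create")],
    "log_reader":     [("audit_log", "read")],
    "self_service":   [("accounts", "read_own")],
    "report_admin":   [("reports", "delete")],  # defined but assigned to nobody
}

def build_acls(user_type_roles, role_privileges):
    """Expand user type -> role -> privilege into {resource: {user_type: actions}}."""
    acls = {}
    for user_type, roles in user_type_roles.items():
        for role in roles:
            if role not in role_privileges:
                # A role without a privilege definition is a gap in the framework.
                raise KeyError(f"{user_type}: role {role!r} has no privilege definition")
            for resource, action in role_privileges[role]:
                acls.setdefault(resource, {}).setdefault(user_type, set()).add(action)
    return acls

def is_allowed(acls, user_type, resource, action):
    """Default deny: only actions explicitly present in the ACL are permitted."""
    return action in acls.get(resource, {}).get(user_type, set())

def unassigned_roles(user_type_roles, role_privileges):
    """Roles that carry privileges but map to no user type (review candidates)."""
    used = {role for roles in user_type_roles.values() for role in roles}
    return sorted(set(role_privileges) - used)

if __name__ == "__main__":
    acls = build_acls(USER_TYPE_ROLES, ROLE_PRIVILEGES)
    for resource, entries in sorted(acls.items()):
        print(resource, {u: sorted(a) for u, a in sorted(entries.items())})
    print("unassigned roles:", unassigned_roles(USER_TYPE_ROLES, ROLE_PRIVILEGES))
```

Rerunning the expansion after each change to the role or privilege lists gives the iterative procedure the deliverable asks for.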

Processes, Nodes, Addresses and Protocols


The specifics around what security related protocols will be used as part of the larger communication protocol “stack”.

Inputs:
Information about current products on the market.
Users, Apps, and UI for Security.
Platforms & Network Infra (physical layout & capacity & resilience plan) produced in the physical layer.
Control Structure Execution produced in the physical layer.

Process:
With all the emphasis on ensuring proper integration and compatibility of systems and tools, it is also critical to ensure that the communications between them are secure. Generally, this is referring to a client/server communication.
Nowadays, all web service communications should be protected with HTTPS (TLS 1.2 or above). This means certificates need to be issued and installed on web servers.
Using the list of business processes, the supporting physical infrastructure, and the functions which were outlined, identify any hosts that will be offering services to internal or external parties and choose the protocol that best fits. Most likely, any host to host connections will be secured with IPsec, which is message encapsulation, tunneling, or both, between two hosts.

Outputs:
A list of the security protocols that will be used to secure the communications between hosts and/or web services.

Security Step Timing and Sequencing


Another factor when picking the security tools and implementing them effectively is determining if and how they will operate efficiently in a timely manner. Sometimes their order, dependence on each other, or the exact time they occur are critical to being effective.

Inputs:
Information about current products on the market.
Users, Apps, and UI for Security.
Platforms & Network Infra (physical layout & capacity & resilience plan) produced in the physical layer.
Control Structure Execution produced in the physical layer.

Process:
Walk through each sub process of the business and focus on transactions where a user must authenticate. Create a list of all instances where authentication should be occurring. For each authentication, build a hierarchy of transaction types that require authorization. Some authentication or authorization transactions will be contingent on each other – indicate dependencies for each transaction.
Identify the pertinent security components for each and ensure that they can support the impending transactions and will not introduce a race condition into the system.

Outputs:
A list of all security relevant transactions, particularly any user authentication or authorization events. Each should indicate prerequisite security transactions. For each transaction, the security mechanism(s) should be enumerated.
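
The following is an added example, not part of the original document or of SABSA: a sketch of the transaction list described above, with prerequisites and mechanisms per transaction, checked for gaps and ordered into stages so that circular dependencies are caught at design time. The transaction and mechanism names are hypothetical sample values.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed sample register: transaction -> (prerequisites, mechanisms).
# The page prescribes these columns; the values here are hypothetical.
TRANSACTIONS = {
    "user_login":     ((), ("password", "MFA token")),
    "session_issue":  (("user_login",), ("signed session cookie",)),
    "view_account":   (("session_issue",), ("role check",)),
    "step_up_auth":   (("session_issue",), ("MFA token",)),
    "transfer_funds": (("session_issue", "step_up_auth"),
                       ("role check", "transaction signing")),
}

def validate_register(register):
    """Return problems: unknown prerequisites or no mechanism enumerated."""
    problems = []
    for name, (prereqs, mechanisms) in register.items():
        for prereq in prereqs:
            if prereq not in register:
                problems.append(f"{name}: unknown prerequisite {prereq!r}")
        if not mechanisms:
            problems.append(f"{name}: no security mechanism enumerated")
    return problems

def stages(register):
    """Group transactions into ordered stages; each stage depends only on
    earlier ones. Raises ValueError if prerequisites form a cycle."""
    graph = {name: set(prereqs) for name, (prereqs, _) in register.items()}
    sorter = TopologicalSorter(graph)
    try:
        sorter.prepare()
    except CycleError as exc:
        # exc.args[1] holds the nodes of the detected cycle.
        cycle = " -> ".join(exc.args[1])
        raise ValueError(f"circular prerequisites: {cycle}") from exc
    ordered = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())  # all prerequisites already done
        ordered.append(ready)
        sorter.done(*ready)
    return ordered

if __name__ == "__main__":
    print(validate_register(TRANSACTIONS))
    for number, stage in enumerate(stages(TRANSACTIONS), start=1):
        print(number, stage)
```

Transactions that land in the same stage have no ordering between them, which makes them the places to check that the supporting components tolerate concurrent execution.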

Conclusion
As you can clearly see, there is potential for an enormous amount of planning when designing a security architecture. There is a seemingly endless series of questions and considerations, and any organization that demands effective security architecture is best served to attack the task with a holistic approach and allow an ample amount of time for analysis and fact finding. The SABSA framework strives to facilitate this process and provide the architect and the business “a light at the end of the tunnel” during this process.

The most difficult part of security is not how to be secure, but how much security is necessary. By starting with the business as the context for security, and walking through the business concepts, logical business architecture, and physical business architecture, objective rationalization for security investments is possible.


References

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture: A Business-Driven Approach. San Francisco: CMP Books.
