Security Architectures Projects

Security Strategy

A plenary presentation in San Francisco on 4th Feb 2003 represented a new initiative to encourage Forums to create a reference architecture and a family of architectures for Boundaryless Information Flow. This reference IT architecture helps enterprises that make Boundarylessness a strategic objective.

In 2006 we adopted a broader multi-disciplinary strategy for addressing security challenges in today's Internet-driven, globally networked IT world. This embraced the Jericho Forum's de-perimeterization approach, and also included governance (legal, regulatory, and audit) as one of our key business drivers. This resulted in publication of our Security Strategy white paper - Framework for Information-Centric Security Governance - which proposes a new framework for ensuring enterprise-level information security that reflects current realities of enterprise, network, and information sharing and access. We collaborated with the American Bar Association's Cyberspace Law Committee to produce this white paper. It lays down the strategy for future projects in our Security Forum. 

We are currently extending our Security Strategy paper to add our strategic approach to enabling secure collaboration with business partners, suppliers, customers and outworkers, globally over any network.

Security Design Patterns

In April 2004 we published our Technical Guide to Security Design Patterns - an approach to creating and maintaining coherent information security architectures, which includes a catalog of Security Design Patterns.

Design patterns are about how to construct a design, given a statement of a problem and a set of forces that act upon it. In the information technology environment, they give programming architects and systems designers a method for defining reusable solutions to design problems without ever having to talk about or write program code - i.e. they are truly program-language independent.

We see that software architects and designers need to be enabled to design their own architectures. As the proverb says: 'It's better to teach a man how to fish than to give him fish'. In this context it is better to explain how to use a proven methodology - design patterns - to design security architectures, than to publish a selection of architectures that have to then be modified to fit every need.

Our SDP Technical Guide was published in April 2004, and is available online as a free download from our Publications Web site at http://www.opengroup.org/publications/catalog/g031.htm

The objective of this Technical Guide to Security Design Patterns is to meet the needs of an IT architect or systems designer who:

• is looking for guidance (not instructions) on how to solve their conflicting information security design problems in the context of their own business system
• wants to develop a stable but extensible security architecture that properly reflects their business requirements and the design choices they needed to make.
• would like to know how The Open Group's information security experts would tackle their problems.

The opening chapters are tutorial in style, describing the nature and structure of the design patterns, and how to use them. The bulk of the Guide is a catalog of security design patterns, separated into Available System Patterns and Protected System Patterns.

Review comments are welcome. If you are interested in further discussion and ongoing work in reviewing and applying these design patterns then we will be pleased to add you to our list of external contacts so we can keep you informed on future developments.

Enterprise Security Architecture

In 2007 the Network Applications Consortium transitioned into the Security Forum. One of their achievements was their Enterprise Security Architecture Guide, published in 2004.  ESA contains much valuable information that is as relevant today as when it was first published, so a new project is underway:

• to separate the existing content into parts to suit its different audience levels. A suggested restructuring from that time was:
  • Part 1. Framework for ESAs
  • Part 2. Governance, Regulation & Compliance (GRC), and Enforcement
    Integrate Policy with Policy Driven Architecture chapter?
    Integrate Enforcement with Security Operations chapter?
    Relate events, event logging, and audit, to The Open Group's XDAS standard
    Relate Risk Analysis to The Open Group's FAIR deliverables
  • Part 3. Security Technologies
  • Part 4. Glossary of terms
    Normalize to ISO 10181.3 and to the Risk Taxonomy standard
• to update the contents where appropriate. An example is to update the section which refers to BS17799, to refer to the latest standard.

Security in TOGAF

In December 2005 we published a Security in TOGAF white paper explaining what security considerations need to be addressed in the TOGAF8 Architecture Development Model (ADM) for the guidance of enterprise architects and system designers. This contribution was included in TOGAF9, which was launched in February 2009.

COA Reference Architecture for TOGAF9

In Feb 2009 the Jericho Forum launched it's Collaboration Oriented Architecture (COA) Framework for design of architectures which provide effective security to enable business collaboration over and network, with business partners, suppliers, customers, and outworkers, in de-perimeterised environments.

The Architecture Forum has achieved global success since 1996 with successive launches of The Open Group Architecture Framework (TOGAF) and its Architecture Development Method (ADM).  The "security" content of TOGAF9, which was also launched in Feb 2009, does include several mentions of security considerations as represented in the Security Forum's Security in TOGAF white paper, but does not integrate security issues into its framework in ways which security architects consider will deliver best results. 

It is therefore timely for the Security Forum to take the Jericho Forum's COA Framework and demonstrate how it can be used to design secure architectures, by positioning COA as a reference architecture within TOGAF9. The objective is to explain to IT architects and systems designers how to design computing architectures that are secure in de-perimeterised environments. It will provide a valuable basis for organizations to develop their own COA-compliant architectures. 

The planned deliverable from this project is a COA-compliant reference architecture demonstrating how to design secure architectures using the TOGAF ADM. 

COA Framework Guide

--------------

Documents providing further information on this security architectures work are available to members, by logging in to the members-only Web area. If you would like to become involved in this security architecture work, please contact Ian Dobson.