The security industry has little strategic cohesiveness; instead, the market is comprised of vendors selling an aggregation of tactical one-off point solutions. The problem is that security is of strategic concern to the enterprise, but the market does not reflect this. This security architecture blueprint shows one way to take a strategic approach to security in the enterprise.
The purpose of the security architecture blueprint is to bring focus to the key areas of concern for the enterprise, highlighting decision criteria and context for each domain. Since security is a system property, it can be difficult for Enterprise Security groups to separate the disparate concerns that exist at different system layers and to understand their role in the system as a whole. This blueprint provides a framework for understanding disparate design and process considerations, and for organizing architecture and actions toward improving enterprise security.
This blueprint distills what I have learned on a number of enterprise security engagements into a generic framework. Enterprises know they have security problems today, and will not be perfect tomorrow, next month or next year -- so the question is how to define a pragmatic way forward?
I was fortunate to get great feedback on drafts from a number of folks including James McGovern, Jim Nelson, and Brian Snow.
"The security industry has little strategic cohesiveness; instead, the market is comprised of vendors selling an aggregation of tactical one-off point solutions."
This is exactly what I have perceived, but lacked the experience to express it as succinctly as you have. Thanks for publishing. I'm reading your paper right now.
Posted by: Jon Robinson | May 06, 2007 at 09:36 PM
While I can certainly see deriving risk management from stakeholders' goals, policy and security architecture are both better derived from your risk assessment.
Posted by: Walter Williams | May 08, 2007 at 08:21 AM
Haven't spoken in a while, Gunnar! Always some interesting posts here though. In terms of this paper, there seems to be overlap with the SABSA methodology for Enterprise Security Architecture. That says to me there are more than a few of us heading in the same direction. That can only be a good thing.
Cheers,
Steve.
Posted by: Steve Bakewell | May 08, 2007 at 11:29 AM