Security Architecture Frameworks – Yay or Nay?

This post is about a topic that few of us ponder often: security architecture frameworks. We have some exciting research plans in this area, hence this blog series.

Perhaps one can say that dumb people think of boxes, smart people think of processes, wise people think of architectures? OK, I just made it up, so perhaps dumb people think of pithy oversimplifications of reality, no? :-(

In any case, this post is a continuation of this one, where I asked about how people define “security architecture” in 2018. Today I want to remind people that “standard” security architecture frameworks do exist.

Widely-known [not the same as widely-used, mind you] examples include:

  • SABSA (Sherwood Applied Business Security Architecture … and no, I don’t know what Sherwood stands for either, but presumably not the forest …)
  • O-ESA (The Open Group Enterprise Security Architecture, definitely alive, but closed behind the paywall? [oh, look, the pot calling the kettle black :-)])
  • OSA (Open Security Architecture, presumed dead by some)

On top of this, some “architecture-like” things can be found in NIST CSF (a lot, actually), ISO 2700x series and even in COBIT, if you look hard enough and use your architect’s eye.

But here is the punchline: does anybody care? More specifically, does anybody use them as foundations for their security architecture? Can security architecture frameworks even keep up with the evolution of IT? After all, there wasn’t much agile, cloud, mobile or DevOps in the 1990s … Furthermore, we all know of people who use the ISO series or NIST CSF (or the NIST 800s) as control lists or policy advice, but perhaps not so many use them as architectural foundations … If you do, please comment.

Posts related to this research:

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/10/24/security-architecture-frameworks-yay-or-nay/