Call for SABSA Model Students!
Whether this mantra should be credited here or elsewhere, it’s certainly true that the guiding principle of the SABSA philosophy is that security initiatives that are misaligned with the context they serve, in design, construction and operation, are unlikely to be successful. Hence the six serving men of context (what, why, how, who, where & when) are the reference backbone of the framework in all layers.
Many years later, as a seasoned security architect, perhaps the most common misconception I encounter is the bright-eyed security programme premised on some form of “cookbook”: a catalogue of threats (more often than not mislabelled as risks) mapped directly to a predefined list of controls that must be dutifully ticked off.
Thanks to SABSA training, it is clear from the outset that, because the cookbook is totally detached from context, the project is pretty much doomed from a security perspective. From what I’ve seen, such projects fail in two stages:
- First, the project collapses under the weight of control measures (I’ve seen 2,800+) as every control requirement encountered in every framework, regulation, policy and maturity model (as well as those implemented in practice) is piled, stripped of context, into the catalogue;
- Then the control list is pruned drastically to a few dozen high-level statements. A green traffic light of victory over security risk is duly ‘declared’.
Except that it isn’t.
What results is a basic security hygiene checklist masquerading as a security strategy.
But let’s not waste time deconstructing the well-intentioned efforts of others. Let us instead examine what we can offer as security architects to bring the SABSA Model’s secret sauce of context back to the forefront of our approach.
As true disciples, we already know what to do in theory but often face challenges in establishing SABSA as a normal, agile, cost-effective practice within our organisation. In particular, the number of artefacts contained within the SABSA Matrices, which must then be maintained in referential integrity, represents a considerable document management overhead when applied at scale.
This is not a problem unique to security: it is inherent in the development of complex, multi-faceted systems. It is also one that has been addressed in similarly complex domains by moving away from traditional documentation towards a model-based systems engineering (MBSE) approach, supported by tooling. Enterprise Architecture, of which security is an indispensable aspect, has access to such an MBSE approach through the adoption of EA tools into its core practice.
Unfortunately, ‘out-of-the-box’ support for the security perspective is somewhat under-developed in the leading EA notations and certainly insufficient to support SABSA’s richness, rigour, and attention to detail.
In response, The SABSA Institute, in conjunction with The Open Group, has developed a Security Overlay for the leading EA notation, ArchiMate®, that is specifically designed to fill this gap.
In essence, this Overlay defines a set of properties, elements, conventions, and patterns that enable the security perspectives required by the SABSA Framework to be expressed in ArchiMate and overlaid onto conventional EA models, providing that all-important relationship between security and context.
This approach also offers a number of other advantages:
- a model-driven approach to EA is extended to security architecture, bringing the full benefits of MBSE (agility, communication, cost-efficiency, error reduction, reusability etc.) to the task of securing systems of scale and complexity;
- because it uses ArchiMate’s inbuilt extension mechanisms, it is vendor-neutral and fully compatible with existing EA tools;
- because the security perspective is, for the first time, set out as a standard, tooling support and other sharable resources become increasingly possible.
Modelling SABSA Attributes
This Security Overlay has recently been updated and published. Download Modelling SABSA with ArchiMate, v2.0 from our resources section.
We are also pleased to announce that it will be offered as a 2-day training course in the Summer of 2022; see the course overview for details.