Jon Boucher
Professor Moore
30 October 2017
Assignment.CS520.Week1.JON_BOUCHER
Each SABSA layer builds on the next to create a comprehensive framework for a security
architecture. This paper will reveal how the layers are interconnected and how they work in
concert. The only way to arrive at the architecture's requirements is to examine the six "W's":
What, Why, How, Who, Where and When. [1] The purpose of this paper is to explain the SABSA
framework layers and reveal each layer's merits by comprehensively addressing the six "W's".
The first layer of the SABSA model is the contextual layer ("The Business view").
Before designing a security architecture, one must ask what exactly we are trying to
protect and how it will be used. By analogy with choosing a car, we need to decide that we want a
high-performance vehicle and not a truck or a family mini-van; that choice brings requirements
particular to this class of car. The same goes for our security architecture: we will "require" the
architecture to "do" certain things. This is the essence of the contextual layer: we must first
isolate and construct some boundaries within which we can build our security solution. Establishing
requirements is the core of the first layer, the contextual, "business view" layer.
While the contextual layer provides the high-level vision and purpose, the conceptual
layer provides more detail on the business-driven requirements and the specific strategy. [1] This
next layer is referred to as the Conceptual layer ("The Architect's view"). The strategic
questions addressed are: “What are our risk management objectives and information assurance
strategies?” The organization also needs to address what roles and responsibilities people will
assume within the framework. For example, we need to devise a concept of how people will
interact and interconnect with the system’s functionality.
While the contextual and conceptual layers consider the system’s purpose and strategic
design, the next several layers begin to add tangible, specific tactics. Returning to the sports car
analogy: we know that we want to build a sports car, so now we have to decide what we need
under the hood to achieve the performance parameters. If our "business" is winning Formula
One race events, then we are going to need a certain type of driver, engine and tires. Deciding
which driver, engine and tires is accomplished in the next several layers of the SABSA model.
The next layer is the Logical layer (“The Designer’s view”). Here we start to further
refine and codify our strategies. The designer acts as the engineer and her job is to convert the
vision of the architect into a logical structure. [1] She will need to address which logical security
services to use and establish security domain definitions and associations. [1] The designer is the
lead implementer and the engineering voice who applies systems engineering best practices.
The next two layers are all about physically constructing the architecture or procuring
technology to bring to life the Architect’s ideas and the Engineer’s decisions. These layers are
referred to as the Physical layer (“The Builder’s view”) and the Component layer (“The
Tradesman’s view”). Now, we are under the hood of the Formula One racecar. The builder and
the tradesman physically assemble the internal components such as the engine, alternator,
battery, camshaft, etc. These people need to have the proper judgement and experience to make
sure that they are selecting the right components; they must also make sure that the components
are integrated properly.
Some of the "W's" addressed at the Physical layer are what business data model and
structures will be used, how the components will be physically arranged, and what user
interface will be used. [1] The Component layer will augment the Builder and provide specific
expertise. The Component layer is best described as a team of experts assembled to assist the
Builder. In the case of the racecar this could include an electrician, mechanical engineer,
aerodynamics engineer and others.
The final two layers are operations related. The final official layer in the model is the
Operational layer ("The Facility Manager's view"). This layer reveals the impact of the
decisions, strategy and technical compromises of the layers above. "When the building is
finished, those who architected, designed and constructed it move out, but someone has to run
the building during its lifetime." [1] The unique aspect of the Operational layer is that it "cuts
through" all of the other layers. In other words, each layer should take into account the
operational (read: frequent and iterative) day-to-day considerations. Some examples include
cyber training and awareness (conceptual layer) and execution of security rules (physical layer).
The seventh layer is the “Inspector’s view” and provides assurance that the architecture is
complete, consistent, robust and fit-for-purpose. [1]
References:
[1] John Sherwood, Andrew Clark and David Lynas (2005). "Enterprise Security Architecture: A
Business-Driven Approach". Boca Raton: Taylor & Francis Group, LLC.
[2] Shon Harris and Fernando Maymi (2016). "CISSP All-in-One Exam Guide, 7th edition".
New York: McGraw-Hill Education.