Gunnar once again hits home with an excellent post defining what he calls the Security Architecture Blueprint (SAB):
The purpose of the security architecture blueprint is to bring focus to the key areas of concern for the enterprise, highlighting decision criteria and context for each domain. Since security is a system property it can be difficult for Enterprise Security groups to separate the disparate concerns that exist at different system layers and to understand their role in the system as a whole. This blueprint provides a framework for understanding disparate design and process considerations; to organize architecture and actions toward improving enterprise security.
I appreciated the graphical representation of the security architecture blueprint as it provides some striking parallels to the diagram that I created about a year ago to demonstrate a similar concept that I call the Unified Risk Management (URM) framework.
(Ed.: URM focuses on business-driven information survivability architectures that describe as much risk tolerance as they do risk management.)
Here are both the textual and graphical representations of URM:
Managing risk is fast becoming a lost art. As the pace of technology’s evolution and adoption overtakes our ability to assess and manage its impact on the business, the overrun has created massive governance and operational gaps resulting in exposure and misalignment. This has caused organizations to lose focus on the things that matter most: the survivability and ultimate growth of the business.
Overwhelmed with the escalation of increasingly complex threats, the alarming ubiquity of vulnerable systems and the constant onslaught of rapidly evolving exploits, security practitioners are ultimately forced to choose between the unending grind of tactical practices focused on deploying and managing security infrastructure versus the strategic art of managing and institutionalizing risk-driven architecture as a business process.
URM illustrates the gap between pure technology-focused information security infrastructure and business-driven, risk-focused information survivability architectures, and shows how this gap is bridged using sound risk management practices in conjunction with best-of-breed consolidated Unified Threat Management (UTM) solutions as the technology anchor tenant in a consolidated risk management model.
URM demonstrates how governance organizations, business stakeholders, and network and security teams can harmonize their efforts to produce a true business protection and enablement strategy, utilizing best-of-breed consolidated UTM solutions as a core component to effectively manage risk and deliver security as an on-demand service layer at the speed of business. This is a process we call Unified Risk Management, or URM.
(Updated on 5/8/07 with updates to URM Model)
The point of URM is to provide a holistic framework against which one may measure and effectively manage risk. Each of the blocks above has a set of sub-components that break out the specifics of that section. Further, my thinking on URM became the foundation of my exploration of the Security Services Oriented Architecture (SSOA) model.
You might also want to check out Skybox Security's Security Risk Management (SRM) Blueprint.
Thanks again to Gunnar as I see some gaps that I have to think about based upon what I read in his SAB document.