For many companies,intellectual property (IP) stands to be a key asset that is worth protecting in order to secure business survival and growth.
Examples of IP are patent details (both existing and in development), trademarks, and artistic works.
In relation to the information security, intellectual property is typically a digitally-based asset, represented in computer systems as a file or a collection of files. This is where the modern information security architecture works at its best. Organisations need to implement comprehensive programmes in all areas of information security, in order to ensure a standing chance against IP theft attacks.
There are several good frameworks, and standards that cover the specifics of such information security programmes; with the ISO2700x series standing out as the most accepted international set of standard related to information security.
However, as much as ISO2700x talks about what needs to be in place, it is fairly weak on how to go about implementing the controls.
Read more about halting IP theft
I believe in a security architecture programme that implements security controls that businesses need. There is nothing better available for helping with building security architectures than the Sherwood Applied Business Security Architecture (SABSA) method. SABSA stands shoulder-to-shoulder with the Open Group Architecture Framework (TOGAF), which is the widely accepted standard for implementing enterprise architectures.
In fact, organisations will struggle to implement security architecture without having enterprise architecture foundations in place.
Now back to the protection of IP. Let us assume that my company produces digital media for the consumption and purchase by consumers.
My business will not flourish if I fail to secure the digital files when these are created by artists, handled internally by product managers, or distributed to consumers by third parties.
The ISO2700x framework will give me high-level requirements for overall security programme, while SABSA will guide me through the process of obtaining business requirements, constraints, setting the scope, building contextual, conceptual, logical and physical architectures, completed by operational architecture. SABSA, together with TOGAF, will also guide me in creation of enterprise architecture governance, for example, a process to ensure subsequent changes to architectures and designs are in line with the organisations strategy.
Finally, the key component of any successful security architecture is the senior management buy-in. The senior stakeholders will understand the importance of IP protection, however sometimes they need to be convinced of benefits of implementing a comprehensive security programme and architecture – a cost that may seem unjustified.
It is the job of a lead security architect to communicate and sell the benefits of security architecture, compared to ad hoc projects and firefighting. Only then will a company stand a chance of properly, cost-efficiently and measurably protecting its intellectual property.
Vladimir Jirasek, director of research, UK chapter Cloud Security Alliance
This was first published in October 2012