One of the things that characterise a maturing business practice is the proliferation of architectures, models and frameworks. This phenomenon has clearly caught up with information security. It’s hard to sit through a presentation these days without seeing increasingly complicated pictures of tables, pyramids, cubes or clouds. Most are undecipherable to a lay person. And many are an expensive drain on valuable, problem-solving time and resources. Yet few offer any value over simple, textual descriptions of security requirements.
My book “Managing the Human Factor in Information Security” is pretty damning on enterprise security architectures. That’s not only because most of them turn out to be an expensive distraction in practice. It’s also because the theory behind them is often flawed. Models are a means to an end, not an end in themselves. Unfortunately, too often we get carried away by the challenge of designing a perfectly-formed construct, losing sight of the original goal: a model needs a clear purpose and a defined audience.
Seen from that point of view, security architectures are very different from business or data architectures. The latter aim to provide a single, complete and consistent view across the enterprise, enabling systems to be built that will operate in harmony. In contrast, security architectures aim to provide guidance on security requirements and controls, some of which are incomplete, perhaps awaiting new products, and much of which needs to be tailored for individual stakeholders who have quite different perspectives.
We need families of security architectures, developed on a bottom-up basis, around selected, individual systems or assets, rather than on a top-down basis around business or governance processes. That means accepting a more fragmented and incomplete perspective of enterprise security. As I’ve often said, good, modern security architectures are ragged around the edges, full of holes and exist largely in the minds of practitioners. That’s the nature of real-world models, designed to help people carry out specific tasks rather than to impress other security practitioners.