Security Zone: Enterprise architecture is too often a missed opportunity for security

As more and more organisations use enterprise architecture as a tool to fight IT complexity and increase business alignment and agility, security is often...

As more and more organisations use enterprise architecture as a tool to fight IT complexity and increase business alignment and agility, security is often treated as a service component within a technical reference model, writes Matt Came, CISSP, senior technology consultant at PricewaterhouseCoopers.

But this approach is inadequate. The key to understanding the spider's web of different systems a company needs to go about its daily business is enterprise architecture. This is a method for assessing a company's collective systems and ensuring that it is aligned to business objectives.

The discipline of enterprise architecture, by building a holistic view of the business, application, data and infrastructure, provides an approach and set of tools to achieve this alignment and presents a perfect model for enhancing security as well. Unfortunately, rather than being considered integral to architecture, security is often only perceived narrowly, in terms of technology infrastructure, and too many risks go unrecognised.

Many organisations have invested heavily in sophisticated security technology, often in response to specific security incidents. This reactive approach means there is no time to sit back and assess the real risk to the business, and many businesses tackle the symptom not the disease. Technology can help enforce policy decisions, acting as an enabler, and ensure employees follow appropriate processes reinforcing expected behaviours, but this needs to be planned in a co-ordinated manner to maximise effectiveness and ensure that the technology does not restrict the business.

Enterprise architecture strips the organisation back to basics and builds a coherent model of the systems in place at a number of layers: business operating model; business process; information; applications and infrastructure. Each layer informs the structure and objectives of the other layers, ensuring the model is coherent and pragmatically achievable. Risks identified at each level can be understood and mitigated effectively at that level. For example, process weaknesses can be addressed in the inherent design rather than relying on a clumsily applied technology solution to plug the hole later.

Considering security throughout ensures that good practice is integrated from the start and integrated at all levels of the solution. The architecture team must consider security through every stage and every layer of the emerging architecture. As risks that could compromise security are identified they can be tackled with a solution at the right level to ensure that the cost is minimised and the benefits maximised.

Once this process is complete, residual risk can be identified and addressed in the infrastructure in a more traditional way, although applying the architectural approach at this stage will still deliver benefits. Targeting solutions in the most effective way at each level causes the maximum reduction on risk. Alignment between the layers ensures that risk does not creep into the gaps between the layers overall, ensuring that a holistic view of the security infrastructure is considered and opportunities to rationalise and simplify the security architecture are identified makes the complex task of managing the security simpler and increases its effectiveness - the technology spend is optimised, which is the core objective of enterprise architecture.

Read more on IT risk management