InfoSec: Enterprise Architecture Building Codes
There are many types of criminals. These include thrill-seeking hackers, politically motivated hackers, organized criminals after financial gain, and state-sponsored groups after financial gain and intellectual property or both. Any of these have the potential to break these capabilities through information loss, or denial of service. Business processes and their associated transactions need to look at information security as a key component of any architectural design we might create as Enterprise Architects.
Security architecture is dependent on the idea of “security.” Security by some definitions is the trade-off of convenience for protection. When I am unloading the car and have an armful of groceries, it's challenging to unlock the front door at the same time. Alternatively I could just leave the front door unlocked but that might invite guests I had not planned for. So I trade convenience for protection.
- Security is often seen as in conflict with business users; however, security is a process that protects the business and allows it to effectively operate.
- Security is in response to perceived business risks.
- Security can be seen as a benefit and a business enabler and can aid organizations to achieve their business objectives.
Forrester Vice President, Principal Analyst Randy Heffner wrote in his article of May 2011, “The Future Of Solution Architecture, Part 1: Business Processes Within A Capability,” on set of architectural views to describe the enterprise and the processes and systems that make up the enterprise. Randy defines six design focal points that define successful business technology implementation. As I read this article I thought it important to provide the information security perspective on Randy’s approach.
My father was a general contractor so I really like the use of construction metaphors when I discuss systems development. (We in the technology business could learn a lot from the building trades.) All construction is done to a set of “building codes.” These codes are there to make sure the building is built in a safe and secure way and to ensure the building is “fit for purpose.” There are codes for structure, electric, and plumbing to name a few. These codes represent best practices, academic and empirical research on building safety.
Information security policies, procedures, standards and guidelines are some of the building codes we need to adhere to when we build IT systems:
- Business processes, inasmuch as they define the “who,” “what,” “when,” and “where” for the organization, are also the foundation for any business system. Like the frame of a house, key business processes are the foundation for value creation. Information security represents the building codes we build this infrastructure.
- Customers, employees, all interact with this business process foundation to create or benefit from this value. Customers represent the “why” dimension of our architecture. They are the reason we do anything in any business endeavor. Value creation for the customer should be at the core to decisions or actions in a well-defined business process. Information security is a fundamental component in value creation. When we design a process, we need to consider the safety of this process and its ability conduct business in a way that protects the interests of the customer and the organization.
- Once we understand process we have transactions, queries (applications) modeled as services to provide a flexible toolset to process digital and non-digital business. Building these components to the specific standards, including information security, is critical to these services performing as planned.
- These applications use and create information (data) to create value but to also create insights into future wants and needs of potential customers as well as providing opportunities for employees to become more efficient.
- The business processes that provide the requirements for applications require controls and optimization points to ensure the business does its business with integrity (some might say security) and efficiency.
- As businesses grow and use outside parties to provide more to their customers and increase employee efficiency, the ability to work with third parties and make sure they build and operate to "code" becomes paramount.
Security is based on five design principles. Please note for all you purists out there, yes I have extended the original CAI security model.
- Confidentiality – Is the design consideration that information should be seen only by users authorized to see this information and no others.
- Availability – Is the design consideration that systems and the use of information by authorized users should not be arbitrarily restricted or denied by unauthorized persons or parties.
- Integrity – Is the design consideration that information is accurate and has been consistent and that no authorized or unauthorized user has tampered with the information.
- Privacy – Is the design consideration that extends confidentiality and ensures that lawful user activities and information determined to be private to an individual or group remain private and that information that may identify a person – personally identifiable information (name, address, Social Security Number (US), taxpayer identification number, medical records, etc.) remain private as well.
- Compliance is the design consideration that extends all of the other design considerations to ensure that the organization’s policies, procedures, and systems meet external government and regulatory requirements.
As we think about Enterprise Architecture we need to make sure we build our systems “ to code.” When we operate these systems we also need to make sure we operate them in secure, safe ways. Information security best practices need to be designed into these new systems. Trained inspectors need to review these systems as they are built and check on them as they operate to maintain the security we design into them.