Handbook of Information Security Management: Policy, Standards, and Organization



SECURITY ARCHITECTURE

The security architecture describes what the security functions will look like, what is to be done with them, where they will be located within the organization, its systems, and its networks, and what materials will be used to craft them. Among other things, it will describe the following.

Duties, roles, and responsibilities — It will describe who is to do what. It specifies who management relies upon and for what. For every choice or degree of freedom within the system, the architecture will identify who will exercise it.

How objects will be named — It will describe how objects are named. Specifically, it will describe how users are named, identified or referred to. Likewise it will describe how information resources are to be named within the enterprise.

What authentication will look like — It must describe how management gains sufficient confidence in these names or identifiers. How does it know that a user is who they claim to be, and that the data returned for a name are the expected data? Specifically, the architecture describes what evidence the user will present to demonstrate identity. For example, if the user is to be authenticated based upon something the user knows, what are the properties (length and character set) of that knowledge?

Where it will be done — Similarly, the architecture will describe where the instant data (the evidence presented at the moment of authentication) are to be collected, where the reference data will be stored, and what process will reconcile the two.
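The three parts named above (the properties demanded of the knowledge, the stored reference data, and the reconciling process) are easier to see when kept apart in code. The following is an added example, not code from the Handbook; the length and character-class rule, the PBKDF2 parameters and the in-memory store are assumptions chosen for illustration.

```python
"""Added example (not from the Handbook): knowledge-based authentication
split into the policy for the secret, the reference data store, and the
process that reconciles instant data against the reference data.
All policy values and names below are assumptions."""
import hashlib
import hmac
import os
import string

# Assumed properties of "something the user knows": minimum length and
# the character classes that must each appear at least once.
MIN_LENGTH = 12
REQUIRED_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)

# Reference data: user name -> (salt, derived key). Architecturally this
# lives with the authentication service, not where instant data is typed.
REFERENCE: dict[str, tuple[bytes, bytes]] = {}

PBKDF2_ROUNDS = 200_000   # assumed work factor


def meets_policy(secret: str) -> bool:
    """Check the properties the architecture demands of the knowledge."""
    if len(secret) < MIN_LENGTH:
        return False
    return all(any(ch in cls for ch in secret) for cls in REQUIRED_CLASSES)


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def enroll(user: str, secret: str) -> bool:
    """Create reference data for a user. Refuses secrets that fail the
    policy; the clear-text secret itself is never stored."""
    if not meets_policy(secret):
        return False
    salt = os.urandom(16)
    REFERENCE[user] = (salt, _derive(secret, salt))
    return True


def reconcile(user: str, instant_secret: str) -> bool:
    """The reconciling process: derive a key from the instant data and
    compare it in constant time with the stored reference data."""
    entry = REFERENCE.get(user)
    if entry is None:
        # Do the same work for unknown names so response time does not
        # reveal which user names exist.
        _derive(instant_secret, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(instant_secret, salt), expected)


if __name__ == "__main__":
    print("weak enrolled:", enroll("alice", "short"))
    print("enrolled:", enroll("alice", "Correct-Horse-9-Battery"))
    print("good secret:", reconcile("alice", "Correct-Horse-9-Battery"))
    print("bad secret:", reconcile("alice", "wrong-Secret-1!"))
    print("unknown user:", reconcile("mallory", "Correct-Horse-9-Battery"))
```

The point of the split is that each of the three parts can be placed and owned separately, which is exactly the placement question the architecture has to answer.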

What the object of control will be — The architecture must describe what it is that will be controlled. In the traditional IT architecture this was usually a file or a dataset, or sometimes a procedure such as a program or a transaction type. In modern systems it is more likely to be a database object such as a table or a view.

Where access will be controlled — The architecture will describe where, i.e., in what processes, control over the objects will be exercised. In the traditional IT architecture we tried to centralize all access control in a single process, scaled to the enterprise. In more modern systems access will be controlled in a large number of places. These places will be scaled to departments, applications, and other ways of organizing resources. They may be exclusive or they may overlap. How they are related and where they are located is the subject of the design.

Generation and distribution of warnings and alarms — Finally, the design must specify what events or combinations of events require corrective action, what process will detect them, who is responsible for the action, and how the warning will be communicated from the detecting process to the party responsible for the correction.
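The four decisions in that last item (which combination of events matters, which process detects it, who is responsible, and how the warning travels) can be written down as code. The block below is an added example and not from the Handbook; the sample events, the threshold of three failures in ten minutes, and the responsibility table are constructed for illustration.

```python
"""Added example (not from the Handbook): a detecting process for one
combination of events, with routing of the alarm to the responsible
party. Events, threshold, window and recipients are all constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample events: (time in seconds, user, system, outcome).
EVENTS = [
    (0,    "alice", "payroll", "FAIL"),
    (30,   "alice", "payroll", "FAIL"),
    (55,   "alice", "payroll", "FAIL"),
    (90,   "alice", "payroll", "SUCCESS"),   # three failures then success
    (100,  "bob",   "payroll", "FAIL"),
    (200,  "bob",   "payroll", "SUCCESS"),   # one failure: normal
    (300,  "carol", "ledger",  "FAIL"),
    (310,  "carol", "ledger",  "FAIL"),
    (320,  "carol", "ledger",  "FAIL"),
    (1300, "carol", "ledger",  "SUCCESS"),   # failures fell out of the window
]

# Who is responsible for corrective action on each system (assumed).
RESPONSIBLE = {"payroll": "payroll-owner@example.com",
               "ledger": "ledger-owner@example.com"}

FAILS_BEFORE_ALARM = 3   # assumed threshold
WINDOW_SECONDS = 600     # assumed window


@dataclass
class Alarm:
    system: str
    user: str
    at: int
    recipient: str
    text: str


def route(system: str) -> str:
    """Communication path: the owner of the affected system, or the
    security operations queue when no owner is recorded."""
    return RESPONSIBLE.get(system, "secops@example.com")


def detect(events, threshold=FAILS_BEFORE_ALARM, window=WINDOW_SECONDS):
    """Detecting process: a successful logon preceded by `threshold` or
    more failures for the same user on the same system within `window`
    seconds. Older failures are dropped before each decision."""
    recent = defaultdict(deque)   # (user, system) -> failure times
    alarms = []
    for t, user, system, outcome in events:
        q = recent[(user, system)]
        while q and t - q[0] > window:
            q.popleft()
        if outcome == "FAIL":
            q.append(t)
        elif outcome == "SUCCESS":
            if len(q) >= threshold:
                alarms.append(Alarm(
                    system, user, t, route(system),
                    f"{len(q)} failed logons for {user} on {system} "
                    f"followed by success at t={t}; confirm with the user"))
            q.clear()
    return alarms


def deliver(alarms, sender=print) -> int:
    """Hand each alarm to a transport; returns how many were sent."""
    for a in alarms:
        sender(f"TO {a.recipient}: {a.text}")
    return len(alarms)


if __name__ == "__main__":
    deliver(detect(EVENTS))
```

Note that the window rule is what keeps carol's late success from raising an alarm: the design has to say not only which events combine but over what interval, or the detecting process cannot be built.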

POLICY

A Statement of Management’s Intent

Among other things, a policy is a statement of management's intent; a security policy, in particular, states how much risk management intends to accept. This statement must be adequate for managers to be able to figure out what to do in a given set of circumstances. It should be sufficiently complete that two managers will read it the same way, reach similar conclusions, and behave in similar ways.

It should speak to how much risk management is prepared to take. For example, management may state that it expects to take normal business risk, that is, acceptable and accepted risk. Alternately or in addition, management can specify the intended level of control. For example, management can say that controls must be such that more than one person must be involved in any sensitive duty, so that material fraud requires collusion.

The policy should state what management intends to achieve, for example, data integrity, availability, and confidentiality, and how it intends to do it. It should clearly state who is to be responsible for what. It should state who is to have access to what information. Where such access is to be restricted or discretionary, then the policy should state who will exercise the discretion.

The policy should be such that it can be translated into an access control policy. For example, it might say that read access to confidential data must be restricted to those authorized by the owner of the data. The architecture will describe how a given platform or a network of platforms will be used to implement that policy.
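Two of the policy sentences used in this section, the owner-authorized read on confidential data just above and the earlier requirement that sensitive duties involve more than one person, translate into access control rules as follows. This is an added example, not code from the Handbook; the resources, users and transaction fields are constructed, and the rule that non-confidential data is readable by any named user is an assumption.

```python
"""Added example (not from the Handbook): two policy sentences rendered
as an access control policy. (1) Read access to confidential data is
restricted to those authorized by the data's owner. (2) More than one
person must be involved in a sensitive duty. Names are constructed."""
from dataclasses import dataclass, field

PUBLIC, INTERNAL, CONFIDENTIAL = "public", "internal", "confidential"


@dataclass
class Resource:
    name: str
    owner: str
    classification: str
    readers: set = field(default_factory=set)   # the owner's discretionary grants


def grant_read(resource: Resource, granter: str, grantee: str) -> bool:
    """The policy says who exercises the discretion: only the owner."""
    if granter != resource.owner:
        return False
    resource.readers.add(grantee)
    return True


def may_read(user: str, resource: Resource) -> bool:
    """Sentence 1 as a rule: confidential data only for the owner and
    those the owner has authorized. Assumed: public and internal data
    are readable by any named user of the enterprise."""
    if resource.classification == CONFIDENTIAL:
        return user == resource.owner or user in resource.readers
    return True


def may_approve(approver: str, transaction: dict) -> bool:
    """Sentence 2 as a rule: whoever initiated a sensitive transaction
    may not also approve it, so material fraud needs two people."""
    if transaction.get("sensitive") and approver == transaction["initiator"]:
        return False
    return True


if __name__ == "__main__":
    salaries = Resource("salaries", owner="hr-director", classification=CONFIDENTIAL)
    print("clerk reads before grant:", may_read("payroll-clerk", salaries))
    print("clerk grants self:", grant_read(salaries, "payroll-clerk", "payroll-clerk"))
    print("owner grants clerk:", grant_read(salaries, "hr-director", "payroll-clerk"))
    print("clerk reads after grant:", may_read("payroll-clerk", salaries))
    wire = {"id": 1, "initiator": "payroll-clerk", "amount": 250000, "sensitive": True}
    print("initiator approves:", may_approve("payroll-clerk", wire))
    print("controller approves:", may_approve("controller", wire))
```

Everything a platform needs to enforce the two sentences is present: the classification and owner on each object, a grant operation that only the owner can perform, and a transaction record that names its initiator. What the architecture then adds is where those attributes are stored and which process evaluates `may_read` and `may_approve`.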





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the information that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you in your studies and also show your appreciation to Auerbach for letting me use their book on the site.