SABSA and TOGAF for Security Architecture

I have had a couple of queries recently about using SABSA as a security architecture method and I think it would be useful to put some thoughts about it here.
SABSA is a Zachman-like architecture method. It is described as a security architecture method, but it takes a very wide view of security architecture. Indeed, it covers a whole variety of availability, usability and agility issues, to the point where it addresses the complete set of non-functional requirements.
SABSA, being based on Zachman, organises a security architecture into a 6×6 matrix of views and aspects. The views roughly correspond to stages of a development lifecycle and the aspects correspond to security elements such as users or domains.
TOGAF is a little simpler than SABSA/Zachman; essentially it has a 4×4 matrix. Views such as design and operation are not covered, and neither is the element of time. At present, TOGAF does not give much specific guidance on how to address security issues (though there are initiatives in place to correct this). TOGAF can be considered as a subset of SABSA/Zachman.
Which should you use? Well, SABSA has a wider scope but it is very heavyweight. Although I admire the completeness of vision of SABSA, I can’t see many real-world organisations making full use of it, especially in today’s economic climate. TOGAF, on the other hand, is closer to the way real-world architectures work but lacks specific security guidance.
There’s an excellent book on SABSA which is worth reading even if you don’t intend to use the method. It’s particularly valuable IMO for helping architects to understand the importance of non-functional requirements.
As an aside, I have documented a TOGAF-based approach to security architecture that could be considered as SABSA-lite.