SABSA and TOGAF for Security Architecture

I have had a couple of queries recently about using SABSA as a security architecture method and I think it would be useful to put some thoughts about it here.
SABSA is a Zachman-like architecture method. It is described as a security architecture method, but it takes a very wide view of what security architecture covers. Indeed, it addresses a whole variety of availability, usability and agility concerns, to the point where it covers the complete set of non-functional requirements.
SABSA, being based on Zachman, organises a security architecture into a 6×6 matrix of views and aspects. The views (contextual, conceptual, logical, physical, component and operational) roughly correspond to stages of a development lifecycle, and the aspects (the what, why, how, who, where and when of the system) correspond to security elements such as assets, users, domains and time.
TOGAF is a little simpler than SABSA/Zachman; essentially it has a 4×4 matrix. Views such as design and operation are not covered, nor is the element of time. At present, TOGAF does not give much specific guidance on how to address security issues (though there are initiatives in place to correct this). TOGAF can therefore be considered a subset of SABSA/Zachman.
Which should you use? Well, SABSA has a wider scope but it is very heavyweight. Although I admire the completeness of vision of SABSA, I can’t see many real-world organisations making full use of it, especially in today’s economic climate. TOGAF, on the other hand, is closer to the way real-world architectures work but lacks specific security guidance.
There’s an excellent book on SABSA which is worth reading even if you don’t intend to use the method. It’s particularly valuable IMO for helping architects to understand the importance of non-functional requirements.
As an aside, I have documented a TOGAF-based approach to security architecture that could be considered as SABSA-lite.