I have had a couple of queries recently about using SABSA as a security architecture method and I think it would be useful to put some thoughts about it here.
SABSA is a Zachman-like architecture method. It is described as a security architecture method, but it takes a very wide view of security architecture. Indeed, it covers a whole variety of availability, usability and agility issues, to the point where it addresses the complete set of non-functional requirements.
SABSA, being based on Zachman, organises a security architecture into a 6*6 matrix of views and aspects. The views roughly correspond to stages of a development lifecycle and the aspects correspond to security elements such as users or domains.
TOGAF is a little simpler than SABSA/Zachman; essentially it has a 4*4 matrix. Views such as design and operation are not covered, nor is the element of time. At present, TOGAF does not give much specific guidance on how to address security issues (though there are initiatives in place to correct this). TOGAF can be considered as a subset of SABSA/Zachman.
Which should you use? Well, SABSA has a wider scope but it is very heavyweight. Although I admire the completeness of vision of SABSA, I can’t see many real-world organisations making full use of it, especially in today’s economic climate. TOGAF, on the other hand, is closer to the way real-world architectures work but lacks specific security guidance.
There’s an excellent book on SABSA which is worth reading even if you don’t intend to use the method. It’s particularly valuable IMO for helping architects to understand the importance of non-functional requirements.
As an aside, I have documented a TOGAF-based approach to security architecture that could be considered as SABSA-lite.