The definition of security architecture has never been consistent among experts. While it is a framework for some, it’s a process or a detailed technical design for others.
According to Open Security Architecture, it is – “The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture. These controls serve the purpose to maintain the system’s quality attributes, among them confidentiality, integrity, availability, accountability and assurance.” This is the same definition found on Wikipedia.
Tom Scholtz at Gartner says “Information security architecture is the process that delivers planning, design and implementation documentation (artifacts) in support of the program. The architecture framework is a consistent reference model for structuring the process and the deliverable documentation.”
He also says, “An effective architecture process must provide the consistent principles, mechanisms and guidelines that are used to derive the appropriate security solutions from business requirements so that organizations can become more effective and coordinated in their security practices.”
In another paper, Tom, along with Jay Heiser and Christian Byrnes, says, “The architecture provides the principles, methods (for example, domain structuring, trust modeling) and templates (such as security infrastructure architectures, application security templates) for selecting, designing and implementing appropriate security solutions.”
The Swiss Information Security Society defines it as – “A Security Architecture is a cohesive security design, which addresses the requirements (e.g. authentication, authorisation, etc.) – and in particular the risks of a particular environment/scenario, and specifies what security controls are to be applied where. The design process should be reproducible.”
According to FDIC – “The Security Architecture establishes a framework for integrating safeguards into all layers of the FDIC’s Enterprise Architecture. The security architecture uses a risk management and information assurance strategy that provides access control, confidentiality, integrity, and non-repudiation for the Corporation’s information and systems.”
The Arctec Group, who were in the same dilemma as me, came up with – “Security architecture: unifying framework and reusable services that implement policy, standards, and risk management decisions. The security architecture is a strategic framework that allows the development and operations staff to align efforts; in addition, the security architecture can drive platform improvements which are not possible to make at a project level.”
One of the most detailed definitions I found was that of W3, which is – “A plan and set of principles for an administrative domain and its security domains that describe the security services that a system is required to provide to meet the needs of its users, the system elements required to implement the services, and the performance levels required in the elements to deal with the threat environment. A complete security architecture for a system addresses administrative security, communication security, computer security, emanations security, personnel security, and physical security, and prescribes security policies for each. A complete security architecture needs to deal with both intentional, intelligent threats and accidental threats. A security architecture should explicitly evolve over time as an integral part of its administrative domain’s evolution.”
So where do we go from here? I believe security architecture is part of the framework that plans, designs, implements and maintains appropriate solutions and controls for people, processes and technology in an organization. It should integrate with the enterprise architecture, providing principles and methods to support the confidentiality, integrity and availability of assets and information in the organization.