Publication Date: 25 January 2006
ID Number: G00137069

Integrating Security Into the Enterprise Architecture Framework

Gregg Kreizman, Bruce Robertson
Enterprise architecture frameworks should integrate and separate security and other EA deliverables to offer value to security professionals and other business and IT planners.
© 2006 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
WHAT YOU NEED TO KNOW
An enterprise architecture (EA) framework should allow security-related requirements and artifacts to be organized within the primary EA viewpoints, but should also have these security elements abstracted into a security-only viewpoint. This allows different stakeholders to view these requirements and artifacts in the ways that best help them do their jobs, while ensuring that security requirements are built into all aspects of solutions.
An architecture framework provides a structure and a common set of semantics that enforce consistency across the wide range of participants in enterprise architecture initiatives, who typically come from diverse areas of the business. Without a framework, it is difficult to relate work in different areas to each other and to integrate that work. With a framework, work done in different areas by different constituencies can be better related and thus optimized: overlaps and contradictory guidance can be eliminated, and gaps that would otherwise go unplanned can be identified. The framework should simplify enterprise architecture development, because it helps articulate how the different components of the architecture relate to one another (see "Gartner Enterprise Architecture Framework: Evolution: 2005").

Frameworks are abstract. However, a real-world physical instantiation of a framework must provide organization or structure for the documents, charts, models and other artifacts that comprise the enterprise architecture (EA) — including the guidance to leverage in project implementations — so that they can be referenced by the EA's diverse user community. Viewing relevant portions of a collection of artifacts from the viewpoints of various stakeholders — such as the viewpoint of the security professional — should also be easy.

By using an EA framework, EA and other nonsecurity constituencies in IT and the business can better see the value of security planning. Likewise, security planners can better see the work of nonsecurity constituencies and can better understand how to support those efforts. In "Incorporating Security into the EA Process" we describe how to ensure that security and privacy requirements are holistically incorporated into the enterprise architecture development, management and governance processes.
Ultimately, this ensures that business solutions have security and privacy controls "baked in," and that these controls are commensurate with enterprise business needs and risks. This organizational and process work is ultimately more important than how to organize security artifacts in an EA framework. Nevertheless, when architects and security professionals work through these processes, they can create a broad set of artifacts that provide the records of the process work and help guide future desirable solutions, behaviors and controls. These artifacts must be...