Leadership Brief
An enterprise security architecture (ESA) is a critical component of an enterprise architecture (EA). It describes how IT services, processes, and technologies should be protected, given a customer’s unique business, security, and compliance requirements.

1 Understanding ESA

Like a building, an enterprise IT environment needs an architecture to be useful and efficient. The need for IT architecture, or “EA”, is therefore well understood. But what is an ESA, and why should customers care?

Security architecture brings different, or additional, perspectives to IT architecture. It must address risks, threats, and vulnerabilities without impeding the very business it is intended to protect. Security is also a weakest-link problem: the defender must protect many different systems and components, whereas the attacker need only compromise one, or a few, to break in.

Therefore, security architecture must exist in parallel with all elements of EA. As originally written, the EA disciplines did not incorporate any drill-down into security or risk management, and security architecture evolved as a separate discipline. Over the last few years, however, the Open Group’s TOGAF EA group has worked to align EA more closely with security. Rather than reinventing the wheel by developing extensive security disciplines within TOGAF, the Open Group has chosen to reference existing ESA works, such as the Sherwood Applied Business Security Architecture (SABSA).

EA and ESA alignment is a relatively new concept in the industry. Most enterprises do not have an ESA yet. Instead, they have bits and pieces of security architecture that define how their existing systems are protected. Fortunately, much of the typical customer’s prior work on security architecture can be reused. Both EA and ESA (à la SABSA) modeling employ the following multi-layered architecture framework:

  • Contextual architecture: How does IT/security support and protect the business?
  • Conceptual architecture: What are the people, process, and technology “pieces” of IT and security (at a high level)?
  • Logical architecture: How can we specify policies, standards, interfaces, and rules to make the pieces (or components) fit together securely?
  • Physical, Component, or Solution architecture: How is each component designed, implemented, deployed, managed, or operated?

ESA can coexist with existing enterprise IT and security architecture specifications, fragmented though they may be. It is easy enough to see that the PowerPoint slides prepared for the Board of Directors may already provide a contextual and/or conceptual view; the abstract diagrams the CIO and CTO teams communicate with may form part of a logical architecture; and the Cisco network diagrams may serve as a physical/solution architecture. Some of these artifacts are only about IT, others only about security, and some are about both. Through its unifying framework and its connection to EA, ESA can coexist with them: incorporating some, rationalizing others, perhaps replacing a few, and unifying all. Through ESA, enterprises will have better-protected IT systems to support the business.
