BLOG

What is Cyber Security Architecture?

Published Sep 05,2024

Understanding cyber security architecture and its role in managing risks is fundamental in ensuring the protection of an organisation’s assets. In this blog, we will explore cyber security architecture, how it helps align security strategies with business objectives, and the differences between enterprise security architecture, solution architecture, and design.

Cyber security architecture defined

Cyber security architecture guides good design and enables cyber security professionals to manage cyber security risks consistently, with defined and repeatable security solutions. The US Cybersecurity Capability Maturity Model (C2M2) defines Architecture as “how cybersecurity practices and controls are structured and implemented to maintain the confidentiality, integrity, and availability of the organisation’s assets and services”. It also defines Enterprise Architecture as an adaptation of the US Department of Energy Risk Management Plan.

The design and description of an enterprise’s entire set of IT and OT assets should be considered:

  • How they are configured
  • How they are integrated
  • How they interface with the external environment at the enterprise’s boundary
  • How they are operated to support the enterprise mission
  • How they contribute to the enterprise’s overall security posture.

Physical architecture is also used as an analogy to describe computer security architecture. The well-known enterprise security architecture framework, SABSA, notes in its whitepaper that,

“Architecture has its origins in the building of towns and cities, and everyone understands this sense of the word, so it makes sense to begin by examining the meaning of ‘architecture’ in this traditional context. Architecture is a set of rules and conventions by which we create buildings that serve the purposes for which we intend them, both functionally and aesthetically.”

Importantly, cyber security architecture is more than just a security control catalogue; it gives guidance on how to apply security capabilities to manage risk. Architecture helps align and balance competing requirements and priorities so that cyber security risk is managed deliberately rather than control by control.

How does architecture help an OT cyber security program?

An architectural approach enables asset operators to make justified, defensible, and risk-informed decisions. Architectural activities can be scoped to whole-enterprise, security-program, or project-level security decisions. An architectural approach also helps an organisation consider security solutions at the capability level, that is, the combination of people, process, and technology, rather than as a specific technology control, which is how most security control catalogues present them.

While security standards and security control frameworks provide an excellent reference for control selection, they often do not provide specific guidance on how to choose the correct control, nor on how to make risk trade-off decisions between security controls.

The difference between Enterprise Security Architecture, Solution Architecture, and Design

It is common for people to mix up Enterprise Security Architecture, Solution Architecture, and Design – they are related concepts but quite different. Let’s take a moment to unpack each one.

Enterprise Security Architecture

This is the highest level of security architecture. Enterprise security architecture (ESA) considers cyber security across the entire scope of the enterprise. It considers what assets the business must protect, the value-generating business processes, how to manage security processes and controls, and the people structures needed to support all of these activities. An ESA can span a single business unit, a business geography, or the entire enterprise. An ESA ensures an enterprise can achieve its objectives whilst maintaining a target risk profile. A robust ESA should integrate with existing enterprise risk management functions and work across all people, process, and technology considerations.

Solution Architecture

Most cyber security architecture professionals will work in security solution architecture. This work considers how to define security requirements and approaches for individual solutions, ranging from emerging technologies to business-as-usual technology projects. Architects will typically use tools such as security principles, security standards, and security patterns to guide and support project teams in the development of secure systems.

Design

This is where the rubber hits the road. This work involves the detailed design of secure systems, their configuration, and the technologies that implement them. Although it varies, in most organisations solution architecture and design activities are done by the same teams.

One of the main differences between these activities is how often they are carried out and how much time passes between reviewing and refreshing them. Whilst design activities often occur daily, an enterprise security architecture refresh may occur only every 5 years.

More than a set of measures

Cyber security architecture offers more than a set of security measures; it is an approach that provides strategic guidance to manage risk effectively. Understanding the distinctions between enterprise security architecture, solution architecture, and design allows organisations to take a holistic approach to security, ensuring they not only protect their most critical assets but can meet their business objectives too. A well-implemented security architecture is essential for sustainable and adaptable security in today’s complex and constantly evolving cyber landscape.

Architecture frameworks and helpful resources

SABSA and the SABSA White Paper

Practical Cybersecurity Architecture – Second Edition: A guide to creating and implementing robust designs for cybersecurity architects by Diana Kelley

SABSA World Australia is also an active community of SABSA cyber security practitioners in Australia.

Whether it’s conducting risk assessments, developing security policies, or ensuring compliance with industry standards, Secolve’s experts are here to support you. Securing your organisation’s digital assets is not a one-time task – it requires continuous effort and expertise. Let Secolve be your trusted partner on the journey to a safer and more secure future. 

Contact us today to learn more about how we can empower your organisation to navigate the ever-evolving cyber landscape and stay one step ahead of potential threats!