SABSA – Security architecture for enterprise architecture

SABSA is the best method to develop your security architecture for your enterprise architecture. It is simple to say 'Security Architecture is a Cross-Cutting Concern.' What that means is for every domain, every element, we must consider every decision in terms of risk and security.

SABSA's comprehensive business driven approach balances gain and potential loss is the path to take. SABSA balances reward and cost. SABSA manages enterprise risk.

SABSA Overview

SABSA is based on a comprehensive top-down model. The SABSA model drives the SABSA Development Process that develops the security architecture domain of your enterprise architecture. First, you understand the strategic context creating foundational business requirements. Step-by-step you extend the chain of traceability through the entire security architecture.

The basic questions are answered

  • what is being considered
  • when is the activity performed
  • how is the activity performed
  • who performs the activity
  • where is the activity performed

Asking the questions top-down ensures you have continually developed architecture specifications. For example, What at the Contextual Layer traces directly to What at the Component Layer.

SABSA's tools were built from practical experience, and work together. Some of the most important include the SABSA Model, the SABSA Business Attributes Profile, the SABSA Risk Model, and the SABSA Domain Model.

SABSA is what type of Enterprise Architecture Framework

SABSA is a Domain Architecture Framework. Domain Architecture Frameworks are optimized for one architecture domain. SABSA is optimized for Security Architecture and provides detailed techniques and method. Conexiam enterprise architecture consulting recommends every enterprise architect take SABSA Certification.

>> See why it is TOGAF and SABSA not TOGAF vs SABSA

The SABSA Model

The SABSA Model

At the heart of SABSA is the SABSA Model. The SABSA Model specifies the security architecture layers and the perspectives each layer is considered from.

While the security architecture layers and perspectives provide a comprehensive model like all good iterative enterprise architecture development methods, you do just enough to answer the question.

A top-down approach that drives the SABSA Development Process. This process analyses the business requirements at the outset, and creates a chain of traceability through the SABSA Lifecycle phases of ‘Strategy & Planning’, ‘Design’, ‘Implement’ and ongoing ‘Manage and Measure’ to ensure preservation of the business mandate. Framework tools created from practical experience support the whole method.

SABSA Security Architecture Layers

SABSA Architecture Perspectives (Columns)


Asset Perspective

Assets, goals, objectives, the vision for the future

SABSA Interpreted Matrix

The SABSA Model is difficult to represent in an enterprise architecture model. Implementing enterprise architecture tools to support SABSA takes care in the model construction. Conexiam Naviagate focuses on SABSA's domain and risk models. We represent most of the SABSA Model in other enterprise architecture models.

SABSA Business Attributes Profile

The heart of SABSA is the SABSA Business Attributes Profile. It is the best ‘architecture requirements engineering’ technique we have found. In SABSA you start security architecture development with a shared taxonomy of stakeholder preferences. While SABSA doesn't mention the normal enterprise architecture concepts of stakeholder's concerns and architecture views, the business attribute profile is the best method if identifying them and enabling best practice architecture development.

Through the entire SABSA method at every stage you return to the business attribute profile to ensure your architecture development consistently addresses your stakeholders objectives, vision, preferences and trade-off.

The Business attributes profile provide a taxonomy, or checklist of possibility aligned with your organization's priorities. Stop brainstorming from a blank piece of paper, and start with a standard list. This increases the amount of time you spend on analysis.

For the attributes you select, the process of identify the metrics, or performance targets, moves your understanding past the label. These attributes make your stakeholder's hopes and fears tangible. Using the SABSA Business Attributes Profile is central to ensuring your business mandate, risk profile, goals and objectives are carried through the entire architecture development.

SABSA Risk Model

Enterprise risk management is all about removing the uncertainty of reaching your objective. The higher your uncertainty, the higher your risk.

In most casual conversations we use risk differently, we use risk as a synonym for a threat. Or, a synonym for something that can go wrong. SABSA takes us down the path of professional risk management, with a focus on removing uncertainty.

The reason for focusing risk on uncertainty is simple - everything we do in business carries an upside and downside. We launch a product with an upside and downside. We enable customers to remotely access our systems for an upside with a potential downside. The product launch has an objective - market share, revenue, competitive position. Remote access also had an objective. When a bad thing happens we fail to reach our objective.

What are you doing to increase your ability to reach an upside? What are you doing to lower the probability of the downside? What are you doing to ensure you reach your objective.

In short, the SABSA Risk Model helps us optimize our business. Remove uncertainty. Reach our objectives.

SABSA Risk and Opportunity

SABSA Domain Model

SABSA Domain Model resolves complexity in risk ownership, governance, & policy management. It does this by exposing ownership and delegated accountability.

Every Domain has a definable boundary. Everything inside a Domain shares common trust, policy, and risk appetite. Whenever these things change you need a new Domain. A Domain may delegate risk appetite or performance targets to a specialist domain at a lower level of abstraction.

The concept of Domains can be difficult to grasp. We observe architects either immediately grasp that Domains are a flexible logic construct or try to map to a rigid structure. Keep in mind that Domains are logical constructs.  All Domains have a relationship to something larger, something smaller, or a peer. SABSA Domain Model

Domains have rules and expectations delegated to them. They may in-turn delegate further. Use the Business Attributes Profile to confirm you are delegating the right issues, expectations, and performance targets.

The SABSA Domain model is an incredible foundation for governance, including enterprise architecture governance. With a good Domain model you enable

  • Embraced Ownership
  • Clarity of accountability and responsibility
  • Consistent risk appetite and performance targets
  • Reporting against risk appetite and targets
  • Systemic relationships to be identified, understood, and resolved
  • Traceability of risk treatments and solutions to requirements

Since we started using SABSA, we have always built the foundation of risk architecture with SABSA Domain Models and used that for enterprise architecture governance.

SABSA Domain Model

Do it Yourself Improved Risk and Security Using SABSA

Top-to-bottom guidance for building an effective enterprise architecture team

Industry Standard EA Capability Reference Model

Specialized guidance for building a government EA Team to support a significant initiative

Improve your end-to-end enterprise architecture development.

Risk and Security Case Studies

We use SABSA beyond traditional Information Security and threat protection. The SABSA Business Attributes Profile, the SABSA Risk Model, and the SABSA Domain Model. make us better security architects, IT architects, and enterprise architects. These case studies show how we integrated best practice risk and security into our enterprise architecture.

Scroll to Top