Architectural Services | Resources | Views | Contact Arctec Group

    Arctec Views

    September 10, 2003

    In this issue:

          * Security Architecture Elements
          * Enterprise Architecture News
          * Arctec Group News:
      • Arctec Group is featured speaker at Blackhat Federal Security conference (
      • Arctec Group New Saint Paul Office opening


    Arctec Group is an architectural services company focused on Enterprise Architecture issues. With this newsletter, we aim to serve our clients, partners, and colleagues by providing our view on current issues and best practices in Enterprise Architecture as well as aggregating interesting news from around the globe.

    We hope you find the newsletter useful and enlightening. We would like to hear your thoughts on current affairs and ideas to improve this offering. If you would like to unsubscribe to Arctec Views monthly newsletter, simply send an email to from the email account you would like to unsubscribe. Please include the word "unsubscribe" in the subject or first line of the email.

    Previous issues are available at


    Beyond Prevention: Security Architecture Elements


    This month, we will examine architectural elements which support effective enterprise security design. Noted author/security guru, Bruce Schneier (see "Resources" below for a list of some of his work) states that information security is comprised of three parts: prevention, detection, and response. However, the industry as a whole primarily focuses only on prevention technologies. Consider one of the first products which leaps to mind in security today: the firewall.

    Firewalls and prevention technologies are an important part of a security solution, but prevention alone does not comprise an entire solution. An art museum cannot solely rely upon preventative measures such as locked doors, vaults, and velvet ropes around paintings to protect valuable artwork. The alarm bells announcing detection of a thief are worthless without a response mechanism to snare the thief and control the threat. The prevention layer must exist, but threats must be detected, analyzed and responded to in a manner commensurate with the risk they present.

    The detection layer must also have some intelligence to differentiate real attacks from accidental misuse. A painting may be guarded with a motion detector which trips an alarm both when an art thief tries to steal the painting, and when a child accidentally touches its frame. Responding to these two threats with similar alarms will require very different measures.

    In an effective security solution, the three elements of prevention, detection, and response must work together in a systematic way.

    Why Have Security Architecture?

    Before we discuss the constituents in a security architecture, we should ask why does an organization need security architecture at all? Classical IT organizational structures are usually defined along a vertical path addressing a specific technology or functional business area. The architect is focused horizontally. Architecture is necessary to synthesize multiple viewpoints and to maximize collaboration, efficiency and quality among IT groups and other IT stakeholders such as business partners.

    An IT team which has a sole focus of firewall technology without understanding how firewalls fit into the overall enterprise security design and business goals is doomed to underperform by not having a complete context to guide their decisions and activities. Through analysis, design and collaboration, the architect can build a comprehensive enterprise security view. The security blueprint addresses business goals for the security program and shows the relationship between the security mechanisms. For example, at a network security level the security blueprint must show how the prevention (firewall), detection (Intrusion detection system), and response (intrusion analysis and incident response plans) mechanisms work together as an integrated whole.

    Constituents in a Security Architecture

    Before addressing the specific prevention, detection, and response security mechanisms, it is important to build a coherent picture of business and strategic concerns, forces and constraints. It may seem obvious that these business questions should be addressed before choosing technology implementations, but it is surprising in practice to see how frequently security technology is selected without understanding the risks to be mitigated.

    Risk Assessment

    The risk assessment defines the value of the business assets at risk. While this metric is not always easy to define, it is absolutely critical in determining security solutions. In the example of the art museum, a van Gogh painting will not have the same security design as a clay mug from the county art fair. Key questions to be answered in the business risk assessment include: what is the value of the information to your organization or competitor organizations? What is the cost of downtime or unavailability? What are the legal or regulatory implications of improper use or access to data?

    Domain Risk Models

    Another level down in technical detail are the domain risk models. In conjunction with the risk assessment, a domain risk model should be developed for system components. The domain risk model shows at a more technical level which systems are at risk, the different types of threats to the systems, and where the key vulnerabilities to be addressed exist. Between the domain risk models and risk assessment, the reader should clearly understand the type of business risks posed, the likelihood of threat occurence, and severity of the threat impacts to the business. The goal of the domain risk model is to be able to prioritize security issues going forward into design.

    Security Policy

    The Security Policy defines a strategic contract at a logical, i.e. non-technical, level to articulate the parameters under which the system operates. The Security Policy is an important document to bridge the gap between strategic senior management concerns and the more tactical implementation level. The Security Policy provides a framework for teams to use to base design decisions on. The policy contents should be short and to the point, and while written at a high level to engage both business and technical parties, must provide an overall framework to base design decisions upon. The technical team is then tasked with building the plans and technical mechanisms which implement the policy.

    Organizational Aspects

    Effective security initiatives require organizational leadership and support, and clear accountability for implementing and enforcing the policy. Without clear security program leadership, critical components are often not addressed, leaving the company at substantial risk. For example, value and risk assessments are often not completed, leading to an absence of any decision making context in an area where the extreme sides of the issues (wild, wild West vs. Alcatraz)) are often represented. The security team must provide leadership in a solution-focused manner for its disparate stakeholders to efficiently implement appropriate solutions. An effective tactic is to establish security representatives within vertically-focused teams to ensure policy knowledge and solution accountability within groups and collaboration between the groups.

    In next month's edition we will explore prevention, detection and response security architectural elements.

    -Gunnar Peterson
    Artec Group

    Further Reading

    As mentioned at the beginning, Bruce Schneier's work is invaluable primer to the issues faced by both security professionals and all of us whose daily business and personal lives depend upon these digital systems. The writing is very engaging and useful to both technical and non-technical readers.

    "Secrets and Lies" discusses threats and countermeasures in the digital security landscape.

    "Beyond Fear" separates the hype from the reality in our post 9/11 world

    For a more detailed and technical understanding, two books stand out by providing sage, practical advice in a world cluttered with panacea-centric security books.

    Eric Greenberg's "Mission Critical Security Planner" takes a business-focused view of security problems, and details specific, pragmatic solutions

    "Security Engineering: A Guide to Building Dependable Systems" by Ross Anderson is quite simply a gem. This book combines experience in military, financial, and healthcare systems.


    Enterprise Architecture News

    Another View on Outsourcing
    The frequently prescient Robert X. Cringeley discusses the downsides of IT outsourcing. This piece demonstrates flaws in the current outsourcing approach and some trends which may emerge.

    Next Wave: Service Oriented Architecture to Eclipse Object-Oriented
    Microsoft's Don Box who is a leading figure in both the COM and .Net spaces weighs in on the next big architectural movement.,3959,1220397,00.asp

    Power Point Is Evil
    Edward Tufte whose groundbreaking work on graphic design pioneered many of today's most effective concepts has an insightful piece in this month's Wired magazine. Hopefully, the next Power Point presentation you see will be done by someone who has read this.

    Bill Joy to Leave Sun
    Sun CTO Bill Joy announced he was leaving the company he helped become a technology leader, Sun Microsystems. His achievements include pioneering work on many technologies we take for granted like BSD and NFS.

    SCO Slammed
    SCO continues to underwhelm the IT industry and now Linus Torvalds has characterized SCO's case as beneath discussion.,3959,1227128,00.asp

    Stay Tuned for Security Improvements
    A development that went unnoticed by major IT media which may turn out to have positive and broad implications for security and development occurred at Elemental Security. Python programming language inventor Guido van Rossum joined the very productive Dan Farmer, author of security tools such as SATAN and COPS, at Elemental Security.


    Have your say

    Agree? Disagree? Insufficient data to judge? Email us at, we want to hear from you.


    Arctec Group News

    Arctec Group CTO Gunnar Peterson will present a talk on "Security Design Patterns" at the Black Hat Federal briefing in Washington, DC. The Black Hat briefings focus on "Digital Self Defense" and combine experts from both the white hat and black hat community. For more information on this conference, visit:

    Arctec St.Paul headquarters were completed in August
    This was a small but challenging renovation project within a historic building, which inspired many comparisons with legacy system renovation (let's call them "vintage" to make us feel better)! Stay tuned for an introductory event to be scheduled this fall.


    Arctec Group: Strategic Technology Blueprints

    Arctec Group Newsletter is a free monthly newsletter. If you would like to subscribe to Arctec Views, simply send an email to from the email account you would like to receive the newsletter. Please include the word "subscribe" in the subject or first line of the email.

    If you would like to unsubscribe to Arctec Views monthly newsletter, simply send an email to from the email account you would like to unsubscribe. Please include the word "unsubscribe" in the subject or first line of the email.

Copyright © 2003 Arctec Group, LLC All Rights Reserved