This research note is restricted to the personal use of johnny.garcia@entel.pe.

Definition: Security Architecture

Published: 25 April 2018 ID: G00349116

Analyst(s): Rob McMillan, Tom Scholtz

The term "security architecture" has returned to common use. However, the
term can be interpreted in different ways, depending on the context, biases
and knowledge of the interlocutors. Security and risk management leaders
must be careful to clarify their meaning to avoid misunderstandings.

Key Findings
■ Despite common use, the term "security architecture" often means different things to different
people, which counterproductively hinders the benefits of trying to take a strategic approach to
security planning.
■ There remains no formal, universally accepted definition of the term "security architecture."
■ The term is most commonly used in relation to enterprise architecture, but it is also used in
relation to other components of an information security program, such as policy framework
and/or organizational structure.

Recommendations
Security and risk management leaders responsible for information security management programs
should:

■ Specify the context and the intended outcome from the use of the term; for example, enterprise
architecture, solutions architecture, organizational structure, policy framework, process catalog
or some other intended collation.

Table of Contents

Analysis.................................................................................................................................................. 2
Define Security Architecture Yourself, and Seek Clarification From Counterparts as to How They Use
the Term........................................................................................................................................... 2
Precision in Your Use of the Term Provides Clarity About Your Context and Intent.............................4
Gartner Recommended Reading............................................................................................................ 5

This research note is restricted to the personal use of johnny.garcia@entel.pe.

 This research note is restricted to the personal use of johnny.garcia@entel.pe.

List of Figures

Figure 1. The Architecture Continuum.....................................................................................................3

Figure 2. Examples of Architectural Components....................................................................................4

Analysis
"Security architecture" is a broad term that often means different things to different people,
1
depending on context. Consequently, the scope or intent of a person using the term is not always
clear to other interlocutors.

Gartner defines the term "architecture" to mean "a framework and set of guidelines to build new
2
systems."

However, there is no formal, universally accepted definition of the term "security architecture" (see
Note 1). It is most commonly used in relation to enterprise architecture, but it is also used in relation
to other components of an information security program, such as policy framework or organizational
structure.

When confusion arises in relation to this term, it is often because the two people communicating
attach different meanings to the term, and erroneously assume that their audience attaches that
same meaning. The purpose of this note is point out the regularity of this misalignment of meaning
and provide a workable definition, rather than to be a primary reference relating to all things
"security architecture."

Define Security Architecture Yourself, and Seek Clarification From Counterparts as to

How They Use the Term
As noted above, there is no formal, universally accepted definition of the term "security
1
architecture." Gartner's experience is that clients use the term to mean different things.

Gartner defines the term "security architecture" to be "the

discipline and associated process of planning and designing
organizational, conceptual, logical, and physical components
that interact in a coherent fashion, aligned with business
requirements, in order to achieve and maintain a state of
managed security-related risk."

In this context, security capabilities can be either the security elements of other technical
nonsecurity solutions (such as the security functions of a new core banking application) or a
security-specific capability (such as an identity and access management [IAM] application or a

Page 2 of 8 Gartner, Inc. | G00349116

This research note is restricted to the personal use of johnny.garcia@entel.pe.

 This research note is restricted to the personal use of johnny.garcia@entel.pe.

security operations center [SOC] design). Practitioners sometimes draw distinctions between these
two ideas (see Note 2), although this is not of primary concern in this research note.

Conventional architecture planning is based on iterative steps, starting from the business context
through increasingly detailed layers of abstraction — conceptual, logical and implementation —
ultimately arriving at an operational solution (Figure 1). For each of these layers, artifacts
(documents, models, diagrams, standards and so on) are published in order for them to be reused
within some limitations (see "Security Architecture Process for Digital Initiatives").

Figure 1. The Architecture Continuum

Source: Gartner (April 2018)

The notion of "security architecture" permeates all of the abstraction layers and many, if not all, of
their components, applying a security focus in each case.

In addition, when a security-specific solution has to be developed (such as an IAM architecture or a

SOC design), the security architecture process should follow the generic process outlined in Figure
1. Some disciplines may have more detailed processes specific to that discipline (for example,
enterprise architecture).

Gartner, Inc. | G00349116 Page 3 of 8

This research note is restricted to the personal use of johnny.garcia@entel.pe.

 This research note is restricted to the personal use of johnny.garcia@entel.pe.

Precision in Your Use of the Term Provides Clarity About Your Context and Intent
As well as the various layers of abstraction — conceptual, logical, implementation — an architecture
framework can have different view; for example, technology, process, information. There may be
between zero and many components (artifacts) within each layer/view combination. A series of
examples is shown in Figure 2. An example of this approach in practice is illustrated in "How to
Craft and Plan Your Security Policy."

Figure 2. Examples of Architectural Components

Source: Gartner (April 2018)

In Gartner's experience, practitioners use the term "security architecture" to refer to the security
elements in a range of different (often unspoken) domains. These may be enterprise architecture,
technical design, organizational structure, policy framework, process catalog, or some other
1
intended focus area. Because of this, the use of the term may be interpreted by interlocutors in
different ways or to refer to different things. For example, one person may be thinking of security
personnel in the organization, whereas their counterpart may be thinking of the functional security
requirements of an enterprise architecture model and how they will ultimately apply to a detailed
design. For this reason, it's important to be precise in your scope and intent when using the term or,

Page 4 of 8 Gartner, Inc. | G00349116

This research note is restricted to the personal use of johnny.garcia@entel.pe.

 This research note is restricted to the personal use of johnny.garcia@entel.pe.

alternatively, to use a different term that reflects the scope and intent to which you are referring. This
drives the type of conversations that one is likely to have and the artifacts that one is likely to
expect (see Figure 2).

One of the more common uses of the term is in reference to enterprise architecture. The concept of
"security architecture" in this context supports the work of security architects (see "Toolkit:
Enterprise Security Architect Job Description") to fashion solutions that meet business and
functional security requirements in alignment with an existing enterprise architecture (see "Rethink
EA Governance, Assurance and Review Boards in the Digital Business Era").

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Security Architecture Process for Digital Initiatives"

"Aligning Security Architecture and Enterprise Architecture: Best Practices"

"The Structure and Content of an Information Security Architecture Framework"

"Rethink EA Governance, Assurance and Review Boards in the Digital Business Era"

"Three Ways EA Can Help the Organization Focus on Security"

"Use Quality Attributes to Align Business Requirements and Guide Solution Architecture"

Evidence
1 Since the beginning of 2016, Gartner has fielded over 23,000 inquiries that included the term
"architecture," and of these, well over 3,000 also included the term "security." These inquiries were
spread over 24 different initiatives, such as technical network security, organizational security
strategy and structure, enterprise architecture, data security, data management, and others.

It is perhaps not surprising, given that there is no consistent meaning to the term, even between
significant industry bodies (see Note 1).

2 See the Gartner IT Glossary entry on "architecture."

Note 1 One Term, Many Definitions, No Consistency

There are some well-known sources that discuss the meaning of the term "security architecture"
within the context of enterprise architecture.

Sherwood Applied Business Security Architecture (SABSA) is a framework and methodology for
enterprise security architecture and service management. The SABSA Institute has published a
white paper providing an executive summary of the method:

Gartner, Inc. | G00349116 Page 5 of 8

This research note is restricted to the personal use of johnny.garcia@entel.pe.

 This research note is restricted to the personal use of johnny.garcia@entel.pe.

"Enterprise Security Architecture," Sherwood, J., Clark, A., and Lynas, D., SABSA Ltd,
1995-2009.

This white paper cites a major reference work on the topic:

Sherwood, J., Clark, A., and Lynas, D., "Enterprise Security Architecture: A Business-Driven
Approach," CRC Press, first edition (1995).

Page 2 of this book offers this definition of the term:

Security architecture is the art and science of designing and supervising the construction of
business systems, usually business information systems, which are: free from danger, damage,
etc.; free from fear, care, etc.' in safe custody; not likely to fail; able to be relied upon; safe from
attack.

The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture that
provides an approach for designing, planning, implementing and governing enterprise information
technology architecture.

The Open Group offers this definition of the term:

A Security Architecture is a structure of organizational, conceptual, logical, and physical

components that interact in a coherent fashion in order to achieve and maintain a state of
managed risk. It is an enabler/driver of secure behavior, safe behavior, resilient behavior, reliable
behavior, and upholding of privacy at risk areas throughout the whole enterprise.

See The Open Group, "Integrating Risk and Security within a TOGAF Enterprise Architecture," 2016.

Meanwhile, the National Institute of Standards and Technology (NIST) Computer Security
Resource Center in the United States offers three similar definitions:

An embedded, integral part of the enterprise architecture that describes the structure and
behavior for an enterprise's security processes, information security systems, personnel and
organizational sub-units, showing their alignment with the enterprise's mission and strategic
plans.

Source(s): NIST SP 800-39

An embedded, integral part of the enterprise architecture that describes the structure and
behavior for an enterprise's security processes, information security systems, personnel and
organizational subunits, showing their alignment with the enterprise's mission and strategic
plans.

Source(s): NIST SP 800-53 Rev. 4

A description of the structure and behavior for an enterprise's security processes, information
security systems, personnel and organizational sub-units, showing their alignment with the
enterprise's mission and strategic plans.

Source(s): NIST SP 800-30 (NIST SP 800-39)

Page 6 of 8 Gartner, Inc. | G00349116

This research note is restricted to the personal use of johnny.garcia@entel.pe.

 This research note is restricted to the personal use of johnny.garcia@entel.pe.

Finally, Gartner also provides a definition specific to an enterprise architecture context. See "Hype
Cycle for Enterprise Architecture, 2017" and "Rethink EA Governance, Assurance and Review
Boards in the Digital Business Era."

Note 2 The Difference Between "Security Architecture" and "Secure Architecture"

Inquiries from some clients indicate that practitioners sometimes draw a distinction between the
terms "security architecture" and "secure architecture." A reasonable way of distinguishing between
the terms, if required, is this:

■ "Security architecture" centers on the way tools, capabilities and services that have a security
function as their primary purpose have been architected.
■ "Secure architecture" describes the frameworks and guidelines that underpin how tools,
capabilities and services that do not have a security function as their primary purpose have
been built and designed, and how they operate.

Although this may seem like esoteric wordplay, our experience is that disagreements about these
roles implied by these terms occasionally lead to "turf wars."

Gartner, Inc. | G00349116 Page 7 of 8

This research note is restricted to the personal use of johnny.garcia@entel.pe.

 This research note is restricted to the personal use of johnny.garcia@entel.pe.

GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations,

visit http://www.gartner.com/technology/about.jsp

© 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access
this publication, your use of it is subject to the Gartner Usage Policy posted on gartner.com. The information contained in this publication
has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the
opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject
to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may
include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include
senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or
influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see
“Guiding Principles on Independence and Objectivity.”

Page 8 of 8 Gartner, Inc. | G00349116

This research note is restricted to the personal use of johnny.garcia@entel.pe.