Professional Documents
Culture Documents
The term "security architecture" has returned to common use. However, the
term can be interpreted in different ways, depending on the context, biases
and knowledge of the interlocutors. Security and risk management leaders
must be careful to clarify their meaning to avoid misunderstandings.
Key Findings
■ Despite common use, the term "security architecture" often means different things to different
people, which counterproductively hinders the benefits of trying to take a strategic approach to
security planning.
■ There remains no formal, universally accepted definition of the term "security architecture."
■ The term is most commonly used in relation to enterprise architecture, but it is also used in
relation to other components of an information security program, such as policy framework
and/or organizational structure.
Recommendations
Security and risk management leaders responsible for information security management programs
should:
■ Specify the context and the intended outcome from the use of the term; for example, enterprise
architecture, solutions architecture, organizational structure, policy framework, process catalog
or some other intended collation.
Table of Contents
Analysis.................................................................................................................................................. 2
Define Security Architecture Yourself, and Seek Clarification From Counterparts as to How They Use
the Term........................................................................................................................................... 2
Precision in Your Use of the Term Provides Clarity About Your Context and Intent.............................4
Gartner Recommended Reading............................................................................................................ 5
List of Figures
Analysis
"Security architecture" is a broad term that often means different things to different people,
1
depending on context. Consequently, the scope or intent of a person using the term is not always
clear to other interlocutors.
Gartner defines the term "architecture" to mean "a framework and set of guidelines to build new
2
systems."
However, there is no formal, universally accepted definition of the term "security architecture" (see
Note 1). It is most commonly used in relation to enterprise architecture, but it is also used in relation
to other components of an information security program, such as policy framework or organizational
structure.
When confusion arises in relation to this term, it is often because the two people communicating
attach different meanings to the term, and erroneously assume that their audience attaches that
same meaning. The purpose of this note is point out the regularity of this misalignment of meaning
and provide a workable definition, rather than to be a primary reference relating to all things
"security architecture."
In this context, security capabilities can be either the security elements of other technical
nonsecurity solutions (such as the security functions of a new core banking application) or a
security-specific capability (such as an identity and access management [IAM] application or a
security operations center [SOC] design). Practitioners sometimes draw distinctions between these
two ideas (see Note 2), although this is not of primary concern in this research note.
Conventional architecture planning is based on iterative steps, starting from the business context
through increasingly detailed layers of abstraction — conceptual, logical and implementation —
ultimately arriving at an operational solution (Figure 1). For each of these layers, artifacts
(documents, models, diagrams, standards and so on) are published in order for them to be reused
within some limitations (see "Security Architecture Process for Digital Initiatives").
The notion of "security architecture" permeates all of the abstraction layers and many, if not all, of
their components, applying a security focus in each case.
Precision in Your Use of the Term Provides Clarity About Your Context and Intent
As well as the various layers of abstraction — conceptual, logical, implementation — an architecture
framework can have different view; for example, technology, process, information. There may be
between zero and many components (artifacts) within each layer/view combination. A series of
examples is shown in Figure 2. An example of this approach in practice is illustrated in "How to
Craft and Plan Your Security Policy."
In Gartner's experience, practitioners use the term "security architecture" to refer to the security
elements in a range of different (often unspoken) domains. These may be enterprise architecture,
technical design, organizational structure, policy framework, process catalog, or some other
1
intended focus area. Because of this, the use of the term may be interpreted by interlocutors in
different ways or to refer to different things. For example, one person may be thinking of security
personnel in the organization, whereas their counterpart may be thinking of the functional security
requirements of an enterprise architecture model and how they will ultimately apply to a detailed
design. For this reason, it's important to be precise in your scope and intent when using the term or,
alternatively, to use a different term that reflects the scope and intent to which you are referring. This
drives the type of conversations that one is likely to have and the artifacts that one is likely to
expect (see Figure 2).
One of the more common uses of the term is in reference to enterprise architecture. The concept of
"security architecture" in this context supports the work of security architects (see "Toolkit:
Enterprise Security Architect Job Description") to fashion solutions that meet business and
functional security requirements in alignment with an existing enterprise architecture (see "Rethink
EA Governance, Assurance and Review Boards in the Digital Business Era").
"Rethink EA Governance, Assurance and Review Boards in the Digital Business Era"
"Use Quality Attributes to Align Business Requirements and Guide Solution Architecture"
Evidence
1 Since the beginning of 2016, Gartner has fielded over 23,000 inquiries that included the term
"architecture," and of these, well over 3,000 also included the term "security." These inquiries were
spread over 24 different initiatives, such as technical network security, organizational security
strategy and structure, enterprise architecture, data security, data management, and others.
It is perhaps not surprising, given that there is no consistent meaning to the term, even between
significant industry bodies (see Note 1).
Sherwood Applied Business Security Architecture (SABSA) is a framework and methodology for
enterprise security architecture and service management. The SABSA Institute has published a
white paper providing an executive summary of the method:
"Enterprise Security Architecture," Sherwood, J., Clark, A., and Lynas, D., SABSA Ltd,
1995-2009.
Sherwood, J., Clark, A., and Lynas, D., "Enterprise Security Architecture: A Business-Driven
Approach," CRC Press, first edition (1995).
Security architecture is the art and science of designing and supervising the construction of
business systems, usually business information systems, which are: free from danger, damage,
etc.; free from fear, care, etc.' in safe custody; not likely to fail; able to be relied upon; safe from
attack.
The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture that
provides an approach for designing, planning, implementing and governing enterprise information
technology architecture.
See The Open Group, "Integrating Risk and Security within a TOGAF Enterprise Architecture," 2016.
Meanwhile, the National Institute of Standards and Technology (NIST) Computer Security
Resource Center in the United States offers three similar definitions:
An embedded, integral part of the enterprise architecture that describes the structure and
behavior for an enterprise's security processes, information security systems, personnel and
organizational sub-units, showing their alignment with the enterprise's mission and strategic
plans.
An embedded, integral part of the enterprise architecture that describes the structure and
behavior for an enterprise's security processes, information security systems, personnel and
organizational subunits, showing their alignment with the enterprise's mission and strategic
plans.
A description of the structure and behavior for an enterprise's security processes, information
security systems, personnel and organizational sub-units, showing their alignment with the
enterprise's mission and strategic plans.
Finally, Gartner also provides a definition specific to an enterprise architecture context. See "Hype
Cycle for Enterprise Architecture, 2017" and "Rethink EA Governance, Assurance and Review
Boards in the Digital Business Era."
■ "Security architecture" centers on the way tools, capabilities and services that have a security
function as their primary purpose have been architected.
■ "Secure architecture" describes the frameworks and guidelines that underpin how tools,
capabilities and services that do not have a security function as their primary purpose have
been built and designed, and how they operate.
Although this may seem like esoteric wordplay, our experience is that disagreements about these
roles implied by these terms occasionally lead to "turf wars."
GARTNER HEADQUARTERS
Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096
Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM
© 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access
this publication, your use of it is subject to the Gartner Usage Policy posted on gartner.com. The information contained in this publication
has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the
opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject
to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may
include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include
senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or
influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see
“Guiding Principles on Independence and Objectivity.”