Software Development security - Defining System and Security Architecture

Exam: CISSP - Certified Information Systems Security Professional

Software Development Security

Defining System and Security Architecture
This section provides an overview and introduction to the concept of both system and security architectures. The final topic discusses the Department of Defense Architecture Framework (DoDAF) and the Federal Enterprise Architecture Framework (FEAF) as examples of architectural models for information systems from a broad perspective.

Defining System Architecture
Before beginning, it is important to understand the concept of architecture and its design. The first definition is from IEEE 610, Standard Computer Dictionary: A Compilation of IEEE Standard Computer Glossaries: "Architecture is the structure of components that comprise a system, their relationships, and the principles, rules, and guidelines governing the design and evolution of the components and their relationships." Architectural design is the "process of defining a collection of hardware and software components and their interfaces to establish the framework for the development of a computer system".

The Open Group Architecture Framework (TOGAF) (2003) provides a framework for developing enterprise architecture and includes the following definitions:

  • Architecture has two definitions:
    1. A formal description of a system, or a detailed plan of the system at component level to guide its implementation.
    2. The structure of components, their interrelationships, and the principles and guidelines governing their design and evolution over time.
  • An architecture description is a formal description of an information system, organized in a way that supports reasoning about the structural properties of the system. It defines the components or building blocks that make up the overall information system, and provides a plan from which products can be procured, and systems developed, that will work together to implement the overall system. It thus enables you to manage your overall IT investment in a way that meets the needs of your business.
  • An architecture framework is a tool for developing a variety of different architectures. It describes a method and approach for designing an information system in terms of its building blocks. A framework includes the tools, a methodology, and a common vocabulary; the methodology covers the recommended standards that should be applied during the design process.

Defining System Security Architecture
Security architecture is simply a view of overall system architecture from a security perspective. The security architecture should be established as an integral part of the system architecture. It provides insight into the security services, mechanisms, technologies, and features that can be used to satisfy system security requirements. It provides recommendations on where, within the context of the overall system architecture, security mechanisms should be placed. The security view of a system architecture focuses on the:

  • System security services and high-level mechanisms
  • Allocation of security-related functionality
  • Identified interdependencies among security-related components, services, mechanisms, and technologies, together with the reconciliation of any conflicts among them

The security (and information assurance) architecture consists of those attributes of the architecture that deal with the protection or safeguarding of operational assets, including information assets. Because security is an inherent property, the security architecture cannot be addressed independently of the rest of the architecture; instead it must be fully integrated with it (DoDAF, Workbook).
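The three focus points above (which services are required, where security functionality is allocated, and whether the chosen mechanisms depend on or conflict with one another) can be checked mechanically once the architecture description exists as data. The following is an added example written for this section, not code from the page or from TOGAF/DoDAF; the components, trust zones, service-to-mechanism mapping, dependency rules and conflict pair are all constructed assumptions chosen to illustrate the idea of a security view over a system architecture.

```python
"""Security view of a small system architecture, checked as code.

Added illustration for this section; every name and rule below is a
constructed assumption, not a standard or a real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    zone: str                          # trust zone, e.g. "internet", "dmz", "internal"
    mechanisms: frozenset = frozenset()  # security mechanisms allocated to this component


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str                          # asset carried on the flow


# Security services required on any flow that crosses a trust-zone boundary.
# A service is satisfied if the receiving component has any listed mechanism.
SERVICE_MECHANISMS = {
    "authentication": {"mtls", "oidc"},
    "confidentiality": {"tls", "mtls"},
    "audit": {"audit-log"},
}

# Mechanisms that only work if another building block exists somewhere in the
# architecture (mTLS needs a PKI issuing client certs; OIDC needs an IdP).
MECHANISM_DEPENDENCIES = {
    "mtls": {"pki"},
    "oidc": {"idp"},
}

# Mechanism pairs that contradict each other on one component: a proxy that
# terminates and inspects TLS cannot pass through the client certificate
# that mTLS authentication relies on (constructed conflict rule).
CONFLICTS = [frozenset({"tls-inspection", "mtls"})]


def check_flows(components, flows):
    """Flag boundary-crossing flows whose receiver lacks a required service."""
    by_name = {c.name: c for c in components}
    findings = []
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if src.zone == dst.zone:
            continue  # intra-zone flow; no boundary service mandated here
        for service, options in SERVICE_MECHANISMS.items():
            if not dst.mechanisms & options:
                findings.append(
                    f"flow {f.src}->{f.dst} ({f.data}) crosses "
                    f"{src.zone}->{dst.zone} without {service}")
    return findings


def check_dependencies(components):
    """Flag allocated mechanisms whose supporting building block is absent."""
    allocated = set().union(*(c.mechanisms for c in components))
    findings = []
    for c in components:
        for m in sorted(c.mechanisms):
            for dep in sorted(MECHANISM_DEPENDENCIES.get(m, ())):
                if dep not in allocated:
                    findings.append(
                        f"{c.name}: {m} requires {dep}, which is allocated nowhere")
    return findings


def check_conflicts(components):
    """Flag components carrying mutually exclusive mechanisms."""
    return [f"{c.name}: conflicting mechanisms {sorted(pair)}"
            for c in components for pair in CONFLICTS if pair <= c.mechanisms]


def security_view(components, flows):
    """All findings of the security view, in a deterministic order."""
    return (check_flows(components, flows)
            + check_dependencies(components)
            + check_conflicts(components))


# Constructed sample architecture with deliberate gaps.
SAMPLE_COMPONENTS = [
    Component("browser", "internet"),
    Component("api-gateway", "dmz", frozenset({"tls", "oidc", "audit-log"})),
    Component("order-service", "internal", frozenset({"mtls"})),
    Component("egress-proxy", "dmz", frozenset({"tls-inspection", "mtls"})),
    Component("idp", "internal", frozenset({"idp"})),
]
SAMPLE_FLOWS = [
    Flow("browser", "api-gateway", "session token"),
    Flow("api-gateway", "order-service", "order"),
    Flow("order-service", "egress-proxy", "outbound payment"),
]

# The same architecture after reallocating security functionality.
FIXED_COMPONENTS = [
    Component("browser", "internet"),
    Component("api-gateway", "dmz", frozenset({"tls", "oidc", "audit-log"})),
    Component("order-service", "internal", frozenset({"mtls", "audit-log"})),
    Component("egress-proxy", "dmz", frozenset({"mtls", "audit-log"})),
    Component("idp", "internal", frozenset({"idp"})),
    Component("pki", "internal", frozenset({"pki"})),
]

if __name__ == "__main__":
    for finding in security_view(SAMPLE_COMPONENTS, SAMPLE_FLOWS):
        print(finding)
    print("fixed architecture findings:", security_view(FIXED_COMPONENTS, SAMPLE_FLOWS))
```

Run as a script it lists the gaps in the sample architecture (two boundary crossings without audit, mTLS allocated with no PKI to support it, and the inspection proxy that contradicts its own mTLS allocation) and an empty list for the reallocated version. The point is not the rules themselves, which are placeholders, but that the security view lives in the same description as the rest of the architecture and is evaluated against it rather than maintained separately.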

The security architecture is only one aspect of the enterprise or system architecture, which may also include a network architecture or physical connectivity architectures. Keep in mind that there are many different systems, and thus there are different architectures. Ultimately, the goal of designing a system and security architecture is to provide a tool that carries the functions and components of the system forward into the design and development phases.