Enterprise security architecture is a complex and comprehensive plan for ensuring that a business achieves proper overall security by using the security technologies available to it.
Many people confuse this with security infrastructure, but there is a distinct difference between the two and, in this case, the word “architecture” is very important.
Enterprise security architecture represents a cohesive design that ensures all pieces of the security infrastructure work together properly and that there are no gaps or issues.
Provided the enterprise has the right security tools and resources, in theory it should be fine. Unfortunately, many of these tools are not used in the right way, and the results then fall short of what is needed.
For example, if the security tools are used inconsistently, one part of the infrastructure may not be as secure as another.
Keeping that in mind, enterprise security architecture relies on several concepts to be implemented properly, including security domains, tiered networks and trust levels, and planning tools used to examine all the different parts of the process and the security systems.
The security engineers work to provide a security architecture that applies these principles consistently and ensures that business resources are fully working and performing at the level needed to provide comprehensive security.
The goals of an enterprise security architecture are to:
- Provide cohesiveness, coherence and structure
- Enable alignment between business and security
- Define top-down, starting with strategy
- Ensure that every model and every implementation can be traced to the business strategy, key principles and specific business requirements
- Provide abstraction so that complicating factors, like technology and geography, can be taken out and reinstated at different levels of detail as and when required
- Establish an easy-to-understand security language across the entire enterprise
The right enterprise security architecture process will provide the answers to these questions, and others like them:
- What is the current information security risk posture within the enterprise?
- Does this architecture support and add any value to enterprise security?
- How can the architecture be modified to add more value?
- Based on all that is known about the future requirements of the enterprise, will this architecture support or hinder those requirements?