It is the experience of many corporate organizations that information security solutions are often designed, acquired and installed on a tactical basis. A requirement is identified, a specification is developed and a solution is sought to meet that situation. In this process there is no opportunity to consider the strategic dimension, and the result is that the organization builds up a mixture of technical solutions on an ad-hoc basis, each independently designed and specified, with no guarantee that they will be compatible and interoperable. Worse still, there is no analysis of the long-term costs, especially the operational costs, and there is no strategy that can be identifiably said to support the goals of the business.

It does not have to be this way. The solution lies in the development of an enterprise security architecture which is business-driven and which describes a structured inter-relationship between the technical and procedural solutions that support the long-term needs of the business of the organization. If the architecture is to work, then it must provide a rational framework within which decisions can be made on the selection of security solutions, derived from a thorough understanding of the business requirements, including the need for cost reduction, modularity, scalability, reusability, operability, usability, interoperability both internally and externally, and integration with the enterprise IT architecture and its legacy systems.

This paper describes a model for such an architecture (known as SALSA (1)) which has been developed by the author and which is currently being implemented successfully in a number of major corporate clients. Its primary characteristic is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited. The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction is developed, going through the definition of major security strategies, security services, security mechanisms and finally, at the lowest layer, the selection of technologies and products: in other words, the shopping list.

The model itself is generic and can be the starting point for any organization, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes in reality the enterprise security architecture, and it forms part of a strategic programme of information security management within the organization.