
Security Architecture: Integrating SABSA with TOGAF

TopicTrick

In many organizations, security is treated as a "bolt-on" at the end of a project. This leads to friction, higher costs, and often, critical vulnerabilities. True Enterprise Architecture requires a Secure by Design approach.

A well-documented way to achieve this is to integrate the SABSA (Sherwood Applied Business Security Architecture) framework with the TOGAF ADM, the approach The Open Group itself describes in its TOGAF and SABSA Integration white paper.


What is SABSA?

SABSA is a business-driven security architecture framework. Like TOGAF it asks "what", "how", "where" and "when", but it leads with the "Why" (the business drivers and the risks to them) and the "Who" (the people and trust relationships involved), and it works down through contextual, conceptual, logical, physical and component layers that map naturally onto the ADM phases.

The secret sauce of SABSA is the Business Attribute Profile (BAP). Instead of starting with technical controls like "Firewalls" or "Encryption," SABSA starts with business attributes like "Trustworthy," "Compliant," or "Available," each paired with a definition and a measurable target, so that the controls chosen later can be shown to serve a business need.


Integrating SABSA into the ADM

You don't need a separate security project. You simply "infuse" security into every phase of the TOGAF cycle.

1. Preliminary & Phase A (Contextual)

During the Architecture Vision, you identify the security stakeholders and define the "High-Level Business Attributes." If the business goal is "Global Expansion," the security attribute might be "Regulatory Compliance."

2. Phases B, C, and D (Conceptual, Logical & Physical)

As you design your Business, Information Systems (Data and Application), and Technology architectures, you map security services to the components that realise each business attribute.

  • Phase B (Business): Who is authorized to perform this process, and who is accountable for it?
  • Phase C (Information Systems): How is this information classified (e.g., Public, Internal, Confidential), and which application components enforce access to it and record what was done?
  • Phase D (Technology): What physical controls (platforms, networks, cryptographic services) enforce the logical rules?

3. Phases G & H (Operational)

Security governance ensures that the developers aren't cutting corners. In Phase G (Implementation Governance) the Architecture Board reviews the delivered solution against the SABSA attributes and their metrics, measuring whether the product is actually "secure" according to the business's original definition rather than according to a checklist of products. In Phase H (Architecture Change Management) the same attributes are re-examined when threats, regulations or the business itself change, so the profile stays current.


The Power of Business Attribute Profiling (BAP)

A BAP is a list of attributes that the architecture MUST satisfy. Each entry carries a business-language definition and a metric precise enough to be measured, for example:

  • Attribute: Traceable
  • Definition: All transactions must be recorded for audit purposes.
  • Metric: 100% of ledger entries must have a corresponding audit log.

By defining security in these terms, you speak the language of the business, making it much easier to get budget and buy-in for security initiatives.
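Because each BAP entry carries a measurable metric, the Architecture Board can check it mechanically rather than by opinion. The following is an added example (not code from the original post or from any SABSA or TOGAF material) that models the "Traceable" entry above as a check: it reconciles a constructed set of ledger entries against a constructed audit log, reports the coverage against the 100% target, and lists the ledger entries with no audit record as well as audit records that reference no ledger entry. The `Attribute` data model, field names and sample records are all assumptions made here for illustration.

```python
"""Evaluate a SABSA Business Attribute Profile entry as a measurable check.

Added example; the data model and the sample records are constructed for
illustration and are not part of SABSA, TOGAF or the original post.
"""
from dataclasses import dataclass
from typing import Callable, Sequence

# Constructed sample data standing in for a ledger export and the audit store.
# T-1003 has no audit entry (a traceability gap); A-9 references a transaction
# that does not exist in the ledger (an orphan audit record worth investigating).
LEDGER = [
    {"tx_id": "T-1001", "amount": 120.00, "account": "ACC-1"},
    {"tx_id": "T-1002", "amount": 75.50, "account": "ACC-2"},
    {"tx_id": "T-1003", "amount": 9000.00, "account": "ACC-1"},
    {"tx_id": "T-1004", "amount": 12.00, "account": "ACC-3"},
]
AUDIT_LOG = [
    {"event_id": "A-7", "tx_id": "T-1001", "actor": "svc-ledger"},
    {"event_id": "A-8", "tx_id": "T-1002", "actor": "svc-ledger"},
    {"event_id": "A-9", "tx_id": "T-9999", "actor": "svc-ledger"},
    {"event_id": "A-10", "tx_id": "T-1004", "actor": "svc-ledger"},
]


def traceability(ledger, audit_log):
    """Reconcile ledger entries against audit records.

    Returns (coverage, missing_tx_ids, orphan_event_ids) where coverage is the
    fraction of ledger entries that have at least one audit record. An empty
    ledger is trivially fully covered.
    """
    ledger_ids = {row["tx_id"] for row in ledger}
    audited_ids = {row["tx_id"] for row in audit_log}
    missing = sorted(ledger_ids - audited_ids)
    orphans = sorted(e["event_id"] for e in audit_log if e["tx_id"] not in ledger_ids)
    if not ledger_ids:
        return 1.0, missing, orphans
    coverage = (len(ledger_ids) - len(missing)) / len(ledger_ids)
    return coverage, missing, orphans


@dataclass(frozen=True)
class Attribute:
    """One row of a BAP: business-language definition plus a measurable target."""
    name: str
    definition: str
    metric: str                  # the metric as the business states it
    target: float                # minimum acceptable value, 0.0 .. 1.0
    measure: Callable[[], float]  # how the achieved value is obtained


PROFILE = [
    Attribute(
        name="Traceable",
        definition="All transactions must be recorded for audit purposes.",
        metric="100% of ledger entries must have a corresponding audit log.",
        target=1.0,
        measure=lambda: traceability(LEDGER, AUDIT_LOG)[0],
    ),
]


def evaluate_profile(profile: Sequence[Attribute]) -> dict:
    """Measure every attribute and compare it with its target."""
    results = {}
    for attr in profile:
        achieved = attr.measure()
        results[attr.name] = {
            "achieved": round(achieved, 4),
            "target": attr.target,
            "satisfied": achieved >= attr.target,
        }
    return results


if __name__ == "__main__":
    coverage, missing, orphans = traceability(LEDGER, AUDIT_LOG)
    print(f"coverage={coverage:.0%} missing={missing} orphans={orphans}")
    for name, r in evaluate_profile(PROFILE).items():
        status = "PASS" if r["satisfied"] else "FAIL"
        print(f"{name}: {status} ({r['achieved']:.0%} of {r['target']:.0%})")
```

The point of the shape is that the Board argues about the attribute and its target ("Traceable", 100%), not about the control, and the same `evaluate_profile` loop accepts any other attribute as long as someone can write a `measure` function for it. The orphan list is deliberately reported alongside the gap: audit records that point at nothing are as much a finding for a "Traceable" review as transactions with no record.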


Summary

Security is not a technical problem; it is a business risk problem. By integrating SABSA with TOGAF, you move from "stopping threats" to "enabling the business" to take calculated risks safely. An architect who understands security is an architect who provides true strategic value.

In our next post, we look at another modern architectural challenge: Green IT & Sustainability: Architecture for the Planet.


This post is part of the TOGAF 9.2 Masterclass series. Don't forget to check out our previous post on Interactive Mock Exam: TOGAF 9.2 Certified.