About

Who uses OSA?

We have developed a few personas to help us think about OSA, and the needs of the community.

Steve, the corporate expert
  • Has a CISSP, works for a large corporation.
  • Has worked for 5-10 years as a security expert.
  • Needs to come up with effective security designs for the projects he is involved in.
Why Steve values OSA
  • In new projects Steve is often confronted with new or complex problem spaces.
  • He knows that referring to a best-practice pattern will buy him credibility and will reduce the amount of peer-review time that is required in his corporation.
  • Having a pattern that is based on NIST 800-53 gives him confidence that he is on firm ground in discussions with the corporate auditors.

Madeleine, the consultant
  • CISSP, works for a large consulting company.
  • Heads up a security practice, is often involved in project security reviews.
Why Madeleine values OSA
  • She looks at OSA as “my visual checklist”.


Jose, the industry expert
  • Industry expert, has worked in many start-ups and vendor organizations.
  • Worked for many years in Security and Risk.
  • Wants to bring some of his experience to benefit the wider community and improve the state of security.
Why Jose values OSA
  • He looks at OSA as "my opportunity to contribute and improve the foundations of computing".


Srinivas, the student
  • Student who has not yet graduated from his Computer Science BSc.
  • Wants to focus the final year of his course on computer security.
Why Srinivas values OSA
  • He looks at OSA as "my reference library on best practice".


Jackie, the IS professor
  • Professor who lectures on Information Security at a university.
  • She wants to create lectures that include practical examples reflecting relevant industry problems and solutions.
  • She wants material that is freely available and is not tied to any industry or technology lobby.
Why Jackie values OSA
  • She regards OSA as "my source for current industry solutions".
  • She appreciates the OSA patterns for tutorials and lab work.

Where do our visitors come from?

As of 2021 our visitor profile covers a large part of the world, as shown in the map below. The darker the colour, the more visitors. Help us get complete coverage!

Last updated: Sept 2021

Frequently Asked Questions

Q1. How do you maintain and assure quality?

A1. Rigorous peer review of patterns before they are promoted. A release cycle every 6-8 months groups new patterns together so we can look for synergies and overlaps, and therefore determine which parts should become modules.

Q2. If I reference controls/patterns how do I know that the site will persist?

A2. We are committed to maintaining this site indefinitely. The hosting costs are negligible and are covered by donations from the core team. Over time we expect that there will be income to cover costs from certification and training.

Q3. How will you stabilize OSA? If I reference a pattern in my work I don't want it to suddenly change.

A3. We will use a release cycle to ensure that the existing OSA controls and patterns remain usable while new items are being developed. The current release will be locked and, when superseded, will be deprecated but available in perpetuity so that specific implementations can always reference it. The development candidate will be open for updates, and its features will be determined by the community according to a published road map.

Q4. Why does this website look awful using IE5/6?

A4. Unfortunately these browsers are very non-compliant with current standards for XHTML and Cascading Style Sheets. They do not support transparency in PNGs, and the site menus will also not work properly. Treat yourself to a proper browser like Firefox, Opera or Safari. At a push IE7 should also work for you.

Q5. What should I use to create patterns?

A5. We recommend a vector graphics editor that supports SVG, such as Corel Draw, Adobe Illustrator or Inkscape. We prefer Inkscape because it is open source, very usable, and generates high-quality files. Take a look at the tutorials, download the icon packages and pattern templates, and away you go.

Q6. Can I use these materials for a commercial profit making organisation?

A6. Yes. The only aspect of the license that needs to be considered is the requirement to share back any improvements with the community. That way we all benefit. You should also credit OSA when you use the patterns; that way we hope more people will learn about us, and join the cause :-)

Q7. I want to use OSA but the first question I will get is, which other organizations are using it. Can you tell me?

A7. Basically no. It would be a breach of our users' privacy to advertise or make public any organisations using these materials.

You should decide whether to use OSA based on the quality of the materials provided, not the names of the organisations that may be using it.

However we are proud to see the traction that OSA has achieved. Some of the world's largest companies and organizations consider OSA to be of outstanding quality and are using (parts of) the framework and materials.

Q8. How long has OSA been available?

A8. The first OSA articles and patterns were published in early 2008. Before that, some of the ideas underpinning OSA were developed and prepared over the course of 10+ years by the founders.

Q9. How actively is OSA developed?

A9. Considering the fact that this is an open source project in a highly specialized field, and that we all carry out the development in addition to a day job, we are happy with the frequency of the updates and have received very positive feedback from all around the globe so far.

License terms

We strongly believe that security architecture can benefit from an Open source, community based approach, and therefore all materials on this site are available according to the Creative Commons share-alike license.

This means that you are welcome to use these materials in your work as long as you:

  • share any improvements back with the community on the same terms.
  • credit the materials used to Open Security Architecture and provide a link to this site.

Ideally we would like you to join the community and help create new patterns and improve the ones we already have in place, but we understand that many people will not have the time to do this and welcome any feedback on your experiences using these materials, however brief.

More information on the license is available from the Creative Commons site.

This work is licensed under a Creative Commons Licence.

Because OSA is licensed free of charge there is no warranty of any kind, either expressed or implied, to the extent permitted by applicable law, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality of the materials supplied is with you. Should the materials prove defective, you assume the cost of all remediation or correction.

Why have OSA?

OSA is of value to you for four reasons:

  1. A single, consistent, clearly defined control catalog provides an excellent means to simplify requirements from numerous standards, governance frameworks, legislation and regulations.
  2. Patterns are a great way to show the best practice set of controls that should be specified for a given situation.
  3. Many eyes make for better security, the OSA community helps create high quality material through the experience of the group.
  4. Applying OSA patterns in your work gives you a fast start, improves the quality of the solution you deploy, and reduces overall effort.

Longer term strategic considerations

OSA can provide significant benefits in the longer term because of several trends that are playing out at the moment in the IT industry.

1) The IT world is changing to an environment where services will be provided and consumed in complex webs. Companies prefer to buy IT services rather than implement, build and operate them.
  • Many large IT consumers have already outsourced the specification, creation, implementation, operation and management of IT systems to other providers, and these providers often subcontract further (e.g. from India to China).
  • Software as a Service is becoming a viable model given ubiquitous access to high-bandwidth connections and the economies of scale that can be derived from common hardware and software platforms. Service-oriented architectures provide the means for IT consumers to access complex combinations of these services.

2) Assuring the appropriate security of IT services becomes ever more important as we place more reliance on them for critical tasks.

  • The confidentiality of a chain of components is only as good as the weakest link.
  • The availability of a chain of components is the product of the individual availabilities (assuming the components fail independently and every one of them is on the service path), and is therefore lower than that of any single component.
  • The integrity of a chain of components is only as good as the weakest link.
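The three chain properties above, worked through as an added example that is not part of the OSA page: it computes the availability of a constructed five-component service chain as the product of the parts, converts the result into hours of downtime per year, and applies the weakest-link rule to the confidentiality and integrity levels. The component names, availability figures and the ordinal level scale are all constructed for illustration; the product formula assumes independent failures and a series dependency (every component on the request path).

```python
"""Availability and weakest-link properties of a service chain.

Added example; not code from the OSA project. All figures below are
constructed. Assumptions: components fail independently and every
component is on the request path (series dependency), so the chain's
availability is the product of the individual availabilities.
"""
from math import prod

HOURS_PER_YEAR = 24 * 365

# Constructed ordinal scale for comparing confidentiality/integrity levels.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

# Constructed chain: (name, availability, confidentiality, integrity).
# The last hop models a subcontracted provider with a weaker SLA.
CHAIN = [
    ("edge-proxy",            0.9999, "high",     "high"),
    ("auth-service",          0.9995, "high",     "high"),
    ("app-tier",              0.999,  "moderate", "high"),
    ("database",              0.9995, "high",     "moderate"),
    ("subcontracted-storage", 0.995,  "low",      "moderate"),
]


def chain_availability(availabilities):
    """Series chain availability = product of the parts (independence assumed)."""
    return prod(availabilities)


def annual_downtime_hours(availability):
    """Expected hours per year the chain is unavailable."""
    return (1.0 - availability) * HOURS_PER_YEAR


def weakest_link(levels):
    """Confidentiality/integrity of a chain is bounded by its weakest component."""
    return min(levels, key=lambda lvl: LEVELS[lvl])


def analyse(chain):
    """Summarise a chain's availability, downtime and weakest-link levels."""
    availability = chain_availability([c[1] for c in chain])
    return {
        "availability": availability,
        "downtime_hours_per_year": annual_downtime_hours(availability),
        "lowest_component_availability": min(c[1] for c in chain),
        "weakest_component": min(chain, key=lambda c: c[1])[0],
        "confidentiality": weakest_link([c[2] for c in chain]),
        "integrity": weakest_link([c[3] for c in chain]),
    }


if __name__ == "__main__":
    for key, value in analyse(CHAIN).items():
        print(f"{key}: {value}")
```

Five components that each individually look like "three or four nines" combine to about 99.29%, roughly 62 hours of downtime a year, driven mostly by the one subcontracted hop. The product only holds for independent failures in series; components that share a failure mode (the same hosting provider, the same DNS) or that are deployed redundantly in parallel change the arithmetic, which is why a pattern should state the dependency structure, not just the per-component figures.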

3) In addition IT consumers need to assure that an IT service will meet the Governance, Risk and Compliance (GRC) requirements for the business process that is being supported. If the service is provided by one or more suppliers it can be intuitively appreciated that the complexity of this task increases. Furthermore this is a task that must be repeated to ensure that the IT service continues to meet these requirements. GRC requirements are often hard to articulate and can be specified by multiple, inconsistent, and often overlapping standards.

  • There are many security standards, such as ISO 27001 and the ISF Standard of Good Practice (SOGP).
  • There are many governance standards, such as COBIT, COSO and ITIL.
  • Legal and regulatory requirements vary by jurisdiction.

By mapping regulations and legislation against a standard controls catalog we can reduce duplication, increase clarity and improve the ability to implement within specific systems. Additionally, by linking the Open Controls catalog to implementation-specific problems we can provide a standard set of "use cases" that show the controls needed to provide conformant and performant services.

  • GRC requirements can be easily mapped to the control objectives.
  • Control objectives can be easily mapped into solution architectures, with links to the underlying implementation standards.
  • Efficiency and effectiveness is increased by creating a standard set of very high quality artifacts that can be deployed many times.

Benefits

OSA can provide benefits to IT service consumers, IT service suppliers and IT vendors, giving the entire IT community an interest in using and improving it.

  • IT service consumers need to integrate diverse architectures from many suppliers in complex chains. They win using OSA because they can better specify or assess the services or products they purchase, and improve the quality of the products they build. They can reduce the knowledge risk that arises when the architecture is entirely under the supplier's control. Additionally they increase confidence in the ability to integrate services, improve conformance with GRC requirements and reduce audit costs.
  • IT service suppliers want to supply services to the maximum number of consumers, minimizing the cost to specify, implement and operate, while ensuring that the services meet the consumers' requirements. They win using OSA as they can provide conformant solutions at the least cost to the largest market.
  • IT vendors want to supply products that meet market needs and have a low TCO for the IT service supplier that will operate them. They win using OSA as they are able to build systems with relevant and appropriate controls.

But why Open?

The reason we believe an open approach is best is because we do not think any one party can represent the interests of all parties who will participate in these complex webs of services. An open approach means that the patterns and catalogues will benefit the whole community and can be more quickly improved and refined by the common experience of participants.

In the same way that the Internet uses design standards for communication protocols and applications, we feel that the time has come to apply these same concepts at a higher abstraction level i.e. architecture.

By implementing as a closed system we would simply perpetuate "Yet Another Control Standard" and would fail to win the real prize of unifying the control standards with architecture patterns and implementation standards.