Foundations

OSA Landscape

In order to determine that OSA has the correct topic coverage we need to define the landscape for security architecture. That way we can identify topics that have poor coverage, determine priorities for new patterns, and help the community co-ordinate their activities.

OSA Process Landscape

The OSA process landscape arranges typical IT (security) processes into areas or capabilities. We differentiate between a pattern landscape which defines architectural patterns of interest, and a process landscape where the purpose is to define expected activities by a Cyber Security function in an organisation.

OSA Actors

In OSA patterns we refer to a number of generic roles, we call them actors. To ensure the consistency between the patterns we collect the description of these actors centrally.

OSA Lifecycle

The OSA community has not yet decided on the primary reference model in terms of SDLC (Solution/System/Software Development Life Cycle). Help us decide!

Design Principles

Initial draft of design principles that underlie Open Security Architecture.

How to use OSA

OSA offers readily re-usable material on several abstraction layers. On the top level, OSA provides an overall landscape, actors (soon coming) as well as a terminology and taxonomy. On the next level OSA provides security patterns and finally OSA provides a threat modeling and a (NIST based) controls catalog.

Writing a Pattern

Recipe for pattern writing is available here.

OSA Taxonomy

The OSA Taxonomy depicts the entities and relationships that are relevant for OSA. The taxonomy helps to understand how OSA is related to other security concepts, and allows us to consider how we will develop OSA in the future.

Links to related

In this section anyone with Author status can post articles about their favorite links to IT security architecture related material. We follow the same quality policy as Wikipedia and take the liberty to delete articles that might not be up to common sense quality standards.

OSA design principles

Initial draft of design principles that underlie Open Security Architecture.

[References to be added]

Glossary

Term	Definition	Source
Actor	An actor is a prototypical business role. In an attempt to create a simple actor model, aspects of different business roles can also be combined into one actor. OSA patterns visualize with actors, the set of responsibility that can be assigned to a prototypical role, in a given setup.	OSA
Architecture	A set of design artifacts, that are relevant for describing an object such that it can be produced to requirements (quality) as well as maintained over the period of its useful life (change). The design artifacts describe the structure of components, their inter-relationships, and the principles and guidelines governing their design and evolution over time.	OSA
Security	Security provided by IT Systems can be defined as the IT system's ability to being able to protect confidentiality and integrity of processed data, provide availability of the system and data, accountability for transactions processed, and assurance that the system will continue to perform to its design goals.	OSA
Security Architecture	The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture. These controls serve the purpose to maintain the system's quality attributes, among them confidentiality, integrity, availability, accountability and assurance.	OSA
Security Control	A technical countermeasure, an organizational setup or a process, that helps to maintain an IT systems security-quality properties	OSA
Security Incident	In IT Security: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.	NIST
Issue	Issue is the gap between desired state and current state of an organization, a process or a technical system. An issue arises if an authority points out the aboved mentioned gap and demands that the gap should be closed.	OSA
Security Event	An event is a notable occurrence at a particular point in time. Typicallly we record thousands or million events and scan them for typical patterns that might indicate a malicious or accidential violation of availability, integrity, or confidentiality	Wikipedia

OSA Taxonomy

You will note from the diagram that the main value that OSA brings you is in relating controls to security architecture, by helping to identify common patterns that occur when you design security architectures to solve security challenges in IT systems. There are hyper links to definitions in the SVG version of the diagram.

Currently OSA is focused on controls, and patterns

We have some mappings in the catalog to other control frameworks and policy sets such as ISO and COBIT, but plan to add more, for example PCI-DSS, FSA, APRA. We also want to create a consistent set of generic polices (or principles and control objectives) as we think that ISO and ISF SOGP are not consistent enough, and COBIT is not granular enough for IT Security control objectives.

Our threat catalog is still taking shape, and while we plan to supplement the control catalog with tests this has not been started.

We also believe we have some exciting ideas for helping you formulate IT strategy as part of your Information Security Management System planning, that will make it easier to prioritise and plan investments to ensure you maintain appropriate security levels and meet your business goals.

Open Security Architecture

The OSA vision:

"OSA distills the know-how of the security architecture community and provides readily usable patterns for your application. OSA shall be a free framework that is developed and owned by the community.

OSA is licensed in accordance with Creative Commons Share-alike. We believe that Open Source principles result in more secure systems, and want the computing architectures that we depend on for our daily lives to be as secure and reliable as possible