Review: Open Enterprise Security Architecture (O-ESA)

April 2013 

O-ESA, by the Security Forum of the Open Group, describes a framework for policy-driven security architecture. The context of security here is maintaining the confidentiality, availability and integrity of the electronic form of information. Enterprise security architecture is defined as the component of the overall enterprise architecture to fulfil these objectives.

The book views enterprise security architecture in the larger context as part of an overall enterprise security program with relations to Corporate IT Governance, Risk Management, Physical Security and Enterprise Architecture. A good layout of enterprise security program is given in the introduction section as four concentric rings of responsibility; program management, governance, technology architecture and operations.

The program management function is the outmost ring and it is left outside the main scope of the book. However a short topic is included describing the overall enterprise security program framework. This part defines the processes and other components of the framework and builds its relationship with security architecture. The inner rings narrow the definition of the components and processes to be provided by the framework and form the main scope of the book.

The vision of the book builds strong links among governance, technology architecture and operations. This linkage is provided via the policy framework of the governance model and further via the policy-driven security architecture framework of the technology architecture and the operations model. Security governance forms a major section of the book as a critical component ensuring that technical solutions support the business mission and objectives. Governance framework is defined in detail with a process-oriented view. Identification of principles, authorisation of enforcement through policies, and implementation of the policies leading to technical standards, guidelines and procedures are covered. The policy framework is formed with these processes along with ongoing assessments and enforcement activities. A useful list of governance principles is provided (consolidated from National Institute of Standards and Technology Engineering Principles for IT Security) and an overview of a policy template is included (based on the ISO/IEC 27002 standard). The section is concluded with a few examples of principles, policies and standards. The detail of information here looks satisfactory in order to understand the governance model.

Security Technology Architecture is the next section and it is described at four levels of abstraction; conceptual framework, conceptual architecture, logical architecture and physical architecture. The conceptual framework describes the components at the highest level; a policy management authority composing the electronic representations of policies into a policy repository and a policy decision point making runtime policy decisions upon request of the policy enforcement point as per electronic policy information stored in the policy repository. These components are further defined as lists of policy management services and runtime security services thru the conceptual architecture level. The book does not drill down the logical and physical architecture components of these services further as they are believed to be specific to individual requirements and may lead to excessive detail of information leading beyond the scope of the book. Nevertheless, identity management and border protection services are covered in detail as examples of the logical decomposition of high-level services to the physical level of details. The final part of this section provides very basic guidance for the design and development of these services.

The Operations section provides a high level security operations framework with two key types of processes. Administration, compliance and vulnerability management is the first type of processes required to ensure technology as deployed conforms to policy and provides adequate protection. Administration, event and incident management is the other type required to enforce policy within the environment. These processes are briefly described but no further detail is given regarding their attributes such as good practices of implementation and/or operation. The abstraction at this section is more noticeable and readers will likely need other frameworks (ITIL, COBIT, etc) or other publications for reference about security operation processes.

The last two sections of the book complement the content with a vision of policy automation where policies at the business level are automatically presented at the lower levels of enforcement by means of relevant standards and protocols. Recommendations and conclusions to users, vendors and standards organisations are also included in order to drive the need for vendor neutral industry standards and protocols for seamless flow of policy information into operation.

This book is a good resource for security architects looking for a framework to model the security architecture of an enterprise. There is not much technical detail covered in the book which might be preferable for high level / conceptual designers. For those looking for more detail regarding the security services and standards, complementary resources will be needed. Some resources are advised in the book though and there are also examples provided to help designing architecture components at the physical level. These examples may guide practitioners to apply similar approaches for any other security services.

The guidance is downloadable at