Tag Archives: whitepaper

Successful Enterprise Architecture using the TOGAF® and ArchiMate® Standards

By Henry Franken, BiZZdesign

The discipline of Enterprise Architecture was developed in the 1980s with a strong focus on the information systems landscape of organizations. Since those days, the scope of the discipline has slowly widened to include more and more aspects of the enterprise as a whole. This holistic perspective takes into account the concerns of a wide variety of stakeholders. Architects, especially at the strategic level, attempt to answer the question “How should we organize ourselves in order to be successful?”

An architecture framework is a foundational structure, or set of structures, which can be used for developing a broad range of different architectures and consists of a process and a modeling component. TOGAF® framework and the ArchiMate® modeling language – both maintained by The Open Group® – are the two leading standards in this field.


Much has been written on this topic in online forums, whitepapers, and blogs. On the BiZZdesign blog we have published several series on EA in general and these standards in particular, with a strong focus on the question: what should we do to be successful with EA using TOGAF framework and the ArchiMate modeling language? I would like to summarize some of our findings here:

Tip 1 One of the key success factors for being successful with EA is to deliver value early on. We have found that organizations that understand the value of a long-term vision and incremental delivery (“think big, act small”) have a larger chance of developing an effective EA capability.
 
Tip 2 Combine process and modeling: TOGAF framework and the ArchiMate modeling language are a powerful combination. Deliverables in the architecture process are more effective when based on an approach that combines formal models with powerful visualization capabilities. Even more, an architecture repository is a valuable asset that can be reused throughout the enterprise.
 
Tip 3 Use a tool! It is true that “a fool with a tool is still a fool”. In our teaching and consulting practice we have found, however, that adoption of a flexible and easy-to-use tool can be a strong driver in pushing the EA initiative forward.

There will be several interesting presentations on this subject at the upcoming Open Group conference (Newport Beach, CA, USA, January 28 – 31), ranging from theory to case practice, focusing on getting started with EA as well as on advanced topics.

I will also present on this subject and will elaborate on the combined use of The Open Group standards for EA. I also gladly invite you to join me at the panel sessions. I look forward to seeing you there!

Henry Franken is the managing director of BiZZdesign and is chair of The Open Group ArchiMate Forum. As chair of The Open Group ArchiMate Forum, Henry led the development of the ArchiMate Version 2.0 standard. Henry is a speaker at many conferences and has co-authored several international publications and Open Group White Papers. Henry is co-founder of the BPM-Forum. At BiZZdesign, Henry is responsible for research and innovation.


Data Protection Today and What’s Needed Tomorrow

By Ian Dobson and Jim Hietala, The Open Group

Technology today allows thieves to copy sensitive data, leaving the original in place and thus avoiding detection. One needn’t look far in today’s headlines to understand why protection of data is critical going forward. As this recent article from Bloomberg points out, penetrations of corporate IT systems with the aim of extracting sensitive information, IP and other corporate data are rampant. Despite the existence of data breach and data privacy laws in the U.S., EU and elsewhere, this issue is still not well publicized. The article cites specific intrusions at large consumer products companies, the EU itself, law firms and a nuclear power plant.

Published in October 2012, the Jericho Forum® Data Protection white paper reviews the state of data protection today and where it should be heading to meet tomorrow’s business needs. The Open Group’s Jericho Forum contends that future data protection solutions must aim to provide stronger, more flexible protection mechanisms around the data itself.

The white paper argues that some of the current issues with data protection are:

  • It is too global and remote to be effective
  • Protection is neither granular nor interoperable enough
  • It’s not integrated with Centralized Authorization Services
  • Weak security services are relied on for enforcement

Refreshingly, it explains not only why, but also how. The white paper reviews the key issues surrounding data protection today; describes properties that data protection mechanisms should include to meet current and future requirements; considers why current technologies don’t deliver what is required; and proposes a set of data protection principles to guide the design of effective solutions.

It goes on to describe how data protection has evolved to where it’s at today, and outlines a series of target stages for progressively moving the industry forward to deliver stronger, more flexible protection solutions that business managers are already demanding their IT systems managers provide. Businesses require these solutions to ensure appropriate data protection levels are wrapped around the rapidly increasing volumes of confidential information that is shared with their business partners, suppliers, customers and outworkers/contractors on a daily basis.

Having mapped out an evolutionary path for what we need to achieve to move data protection forward in the direction our industry needs, we’re now planning optimum approaches for how to achieve each successive stage of protection. The Jericho Forum welcomes folks who want to join us in this important journey.

 

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.


Understanding security aspects of Cloud initiatives

By Stuart Boardman, Getronics; and Omkhar Arasaratnam, IBM

The Open Group recently published a whitepaper, An Architectural View Of Security For Cloud, which is the first in a series being produced by the Security For The Cloud and SOA project. In this whitepaper we introduce a method that helps organizations to model and therefore understand the security aspects of their Cloud initiatives.

Security is still often cited as the biggest concern about the Cloud. This topic was even raised during the recent survey by The Open Group on Cloud Computing. But does the concern reflect a genuine level of risk? If so, in what way and under what circumstances? It would be irresponsible not to take this seriously, but right now we’re suffering from a “here be dragons” mentality. Despite all the good work done by The Open Group, the Cloud Security Alliance (CSA) and others, we still see far too much discussion of this kind: “The biggest single security threat in the Cloud is…” This helps no one, because these are generalizations and every organization’s situation is specific (This is borne out by other surveys, by the way). The result is FUD (fear, uncertainty and doubt) and therefore stagnation. And as people lose patience with that, the reaction is sometimes the taking of inappropriate risks.

One of the challenges in understanding Cloud-based architectures is that each party, whether it is primarily a consumer or primarily a provider, is part of an ecosystem of different entities, providing and consuming Cloud services. The view of the architecture for each player may be different but each of them must take the entire ecosystem into account and not just its own part. When you couple this with the fact that there are so many possible types of Cloud service and delivery, and so many different kinds of data one might expose in the Cloud, it’s clear that there is no one generic model for Cloud. You need to understand the particular situation you are in or can foresee being in. That can be quite complex.

The Open Group’s Security for the Cloud and SOA project is developing a security reference architecture, which will help architects and security specialists to develop their view and understanding of their situations. Using the architecture and the associated method and combining this with the advice coming from other groups such as CSA or The Open Group Jericho Forum®, you can create a comprehensible view of a complex situation, determine risks, test your solution options and set up controls to manage all this in a production situation.

The fundamentals of our approach are architectural building blocks, security principles and a scenario-driven modeling method. We have defined a set of principles but also take into account identity principles from the CSA – and in the future, will work to combine all these effectively with the recently published Jericho Foundation Identity Commandments. Policy-driven security is for us a basic principle and itself is how most other principles are supported. By using the method to model responsibility for the building blocks, you can understand how policy is managed across the ecosystem and make an informed analysis of risks, mitigations and opportunities.

In the whitepaper, we illustrate the approach for the area of identity, entitlement and access management policy. We use a scenario involving one consumer organization and three SaaS providers supporting travel booking. We look at three situations which might apply depending on the capabilities and flexibility of the various parties. Here’s an example of how responsibility for the building blocks is distributed in one of these situations and how open standards can help to support that.

This happens to be the situation which best supports the principles we highlight in the whitepaper. In other situations you can see exactly how principles are compromised. That helps an organization weigh up risks and benefits. Take a look at the whitepaper and let us know what you think. We’re happy with any input we receive. More whitepapers will follow soon extending the method to other areas of security. Later on we’ll start building realizations that will, we hope, help to promote the use of open standards and bring us closer to Boundaryless Information Flow™. We’re also running an “architectural decisions rodeo” at The Open Group Conference, Austin (July 18-22) during which we will discuss and document key architectural decisions regarding Cloud security.

Omkhar Arasaratnam is a Certified Senior Security Architect with IBM. He is a member of the IBM Security Architecture Board, the IBM Cloud Computing Security Architecture Board, and co-leads The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project. He is also actively involved in the International Standards Organization (ISO) JTC1/SC38 Study Group on Cloud Computing. Omkhar is also an accomplished author and technical editor of several IBM, John Wiley & Sons, and O’Reilly publications. He also has five pending patents in the field of information technology. Omkhar has worldwide responsibility for security architecture in some of IBM’s Cloud Computing services.

Stuart Boardman is a Senior Business Consultant with Getronics Consulting where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead with Omkhar Arasaratnam of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity.
