安全架构安全漏洞?

Drumroll…. I think it is this one:

击鼓…。 我认为是这样的：

What is Security Architecture?

什么是安全架构？

嗯，以斯帖，你确定吗？ 对我来说似乎很基本。 (Uhm, Esther, are you sure? Seems pretty basic to me.)

When me and my team were creating our new Security Architecture brochure at Deloitte, we got a lot of feedback on a certain slide. Our definition slide. “Why do you need to explain what it is, isn’t it clear?” and “We never put in definition slides in our brochures.” And this is fair as for most security capabilities the answer is very intuitive. E.g. our incident response team helps you respond to cybersecurity incidents. They come in, assess the situation, take actions to limit the damage and get you back on your feet. But what do security architects do? They help you architect your enterprise’s security? But what does that actually mean?

当我和我的团队在德勤创建新的安全体系结构手册时，在某些幻灯片上我们得到了很多反馈。 我们的定义幻灯片。 “为什么你需要解释它是什么，不是很清楚吗？” 和“我们从未在手册中放入定义幻灯片。” 对于大多数安全功能来说，这很公平，答案非常直观。 例如，我们的事件响应团队可以帮助您响应网络安全事件 。 他们进来，评估情况，采取措施限制损失并使您重新站起来。 但是安全架构师做什么？ 他们可以帮助您构建企业的安全性吗？ 但这实际上意味着什么？

When one meets a security architect one has not met before, it is like meeting a new animal species. What kind of architect are they? Business-oriented? Deep into the technology? Somebody who loves to model and document everything? Or rather evangelises a set of max 10 principles? Are they concerned with only network architecture or solution architecture? There are as many types of security architects as there are birds in the sky.

当一个人遇到一个安全建筑师之前从未见过时，就像遇到一个新的动物物种。 他们是什么样的建筑师？ 以业务为导向？ 深入技术？ 有人喜欢建模和记录所有内容吗？ 还是传布了最多10条原则？ 他们只关注网络架构还是解决方案架构？ 安全架构师的类型与空中的鸟一样多。

为什么这个问题值得回答？ (Why is this question worth answering?)

You might just think — Esther, can’t we just get on with doing it? Yes, yes, of course that matters a lot. But if we don’t know ourselves what we mean, how are others supposed to? What if I would like to explain to my other colleagues in 1 or 2 sentences what security architecture is? What if a client asks me what security architecture is? Do you have a clear cut answer ready? It is very important to be clear what we mean when we talk about security architecture, otherwise we could get into all kinds of misunderstandings, misconceptions and misgivings. Hence my personal need to figure out a good definition. I found most definitions to only cover part of our understanding of the concept. And so me and my team set out on a journey amongst definitions to find our answer.

您可能只是想-以斯帖，难道我们不能继续做下去吗？ 是的，是的，这当然很重要。 但是，如果我们不了解自己的意思，别人应该怎么做？ 如果我想用一两句话向其他同事解释什么是安全架构？ 如果客户问我什么是安全架构，该怎么办？ 您有明确的答案了吗？ 明确谈论安全体系结构时的含义非常重要，否则我们可能会陷入各种误解，误解和疑虑。 因此，我个人需要找出一个好的定义。 我发现大多数定义仅涵盖了我们对该概念的部分理解。 因此，我和我的团队开始了定义之间的旅程，以找到我们的答案。

告诉我，那是什么？ (Tell me, what is it then?)

First, we looked at the definition of OpenSecurityArchitecture.org. This is an open-source volunteer platform focussed on creating architecture patterns. They say:

首先，我们看一下OpenSecurityArchitecture.org的定义。 这是一个专注于创建架构模式的开源志愿者平台。 他们说：

“The design artifacts that describe how the security controls are positioned, and how they relate to the overall IT Architecture. These controls serve the purpose to maintain the system’s quality attributes, among them confidentiality, integrity, availability, accountability and assurance.”

“设计工件描述了安全控件的位置以及它们与整个IT架构的关系。 这些控制措施旨在维护系统的质量属性，其中包括机密性，完整性，可用性，问责制和保证。”

This is a great definition because of the explicit link towards IT architecture. I believe security architecture should never exist in isolation from the enterprise or IT architecture. From the definition it is also clear that we use controls to achieve a certain set of attributes related to security. But the definition equals architecture to the ‘design artefacts’ it produces, its output. The process of ‘doing architecture’ is not explained? Just artefacts that magically fall from the sky.

这是一个很好的定义，因为它与IT体系结构有着明确的联系。 我认为安全架构永远不应与企业或IT架构隔离存在。 从定义中还可以清楚地看出，我们使用控件来实现与安全性相关的特定属性集。 但是定义等同于其产生的“设计制品”及其输出的体系结构。 不解释“做架构”的过程吗？ 只是从天而降的人工制品。

The second definition comes from the SABSA framework. SABSA is a business-driven, risk- and opportunity-focussed security architecture framework. They say:

第二个定义来自SABSA框架。 SABSA是一个业务驱动，以风险和机会为重点的安全体系结构框架。 他们说：

“Security architecture is the art and science of designing and supervising the construction of business systems , usually business information systems, which are: free from danger, damage, fear and care; in safe custody, not likely to fail, able to be relied upon and safe from attack.”

“安全体系结构是设计和监督业务系统(通常是业务信息系统)的构建的技术和科学，这些系统没有危险，损坏，恐惧和关怀； 在安全的监护下，不太可能失败，可以依靠并且不受攻击。”

This definition speaks of security architecture as a ‘discipline’. It aims to protect against all kinds of risks, rather than the traditional CIA attributes. But this definition remains quite unspecific about how we reach those goals.

此定义将安全体系结构称为“学科”。 它旨在防止各种风险，而不是传统的CIA属性。 但是，对于我们如何实现这些目标，这个定义仍然非常不确定。

The third definition we appreciated was that of Gartner, the well-known research institute:

我们赞赏的第三个定义是著名研究机构Gartner的定义：

“The discipline and associated process of planning and designing organizational, conceptual, logical, and physical components that interact in a coherent fashion, aligned with business requirements, in order to achieve and maintain a state of managed security related risk.”

“规划和设计组织，概念，逻辑和物理组件的学科和相关过程，它们以一致的方式进行交互，并与业务需求保持一致，以实现并维持与安全性相关的可管理风险状态。”

This definition is nice as it pulls out the specific components of an architecture. It is not very specific about what the aim is of those components though! That they are on different architectural layers is not interesting to the layman.

这个定义很好，因为它提取了体系结构的特定组件。 但是，这些组件的目标不是很明确！ 外行并不知道它们位于不同的建筑层上。

So here’s our suggested definition that we feel comprises the best of the three above:

因此，这是我们建议的定义，我们认为其中包含以上三个方面中的最佳者：

“Security architecture is a discipline (methodologies, reference frameworks, processes, technologies, organization and communication) that produces and maintains architectural artefacts providing structured direction and control to coherent decisions about security in (complex) business and IT landscapes.”

“安全体系结构是一门学科(方法，参考框架，流程，技术，组织和通信)，其产生并维护体系结构制品，从而为(复杂)业务和IT环境中的安全性相关决策提供结构化的指导和控制。”

Let’s break this down:

让我们分解一下：

1. What? We recognize that term ‘security architecture’ is both the discipline and resulting artefacts. It comprises creating architectural strategy, designing and implementing architecture, and maintenance of artefacts.

   什么？ 我们认识到“安全架构”一词既是学科，也是由此产生的人工制品。 它包括创建架构策略，设计和实施架构以及维护文物。

2. Why? The aim of ‘architecting’ is to direct and control coherent security decisions. As Gartner says these are often focused on managing risks. But we also account for costs, the organizational future and enterprise architecture.

   为什么？ “架构”的目的是指导和控制一致的安全决策。 正如Gartner所说，这些通常集中在风险管理上。 但是，我们还要考虑成本，组织的未来和企业架构。

3. How? We use methodologies, reference frameworks, processes, technologies, organization and communication to deliver.

   怎么样？ 我们使用方法论，参考框架，流程，技术，组织和沟通来交付。

4. Whom, where and when? We do (enterprise) security architecture in complex business and IT landscapes. This entails the organization is either quite large or there are a lot of moving security parts and changes. Security architecture is overkill for overseeable organizations like the bakery around the corner (IT architecture and solution architecture have lower ‘usability’ threshold though).

   谁，何时何地？ 我们在复杂的业务和IT环境中进行(企业)安全架构。 这意味着组织要么很大，要么有许多移动的安全性部分和变更。 对于即将到来的面包店等可监督的组织，安全体系结构是过大的(尽管IT体系结构和解决方案体系结构具有较低的“可用性”阈值)。

那么，这不仅是网络安全中的所有内容吗？ (So isn’t it just everything within cybersecurity?)

This is a comment I get often, e.g. from colleagues who are trying to place it in relation to their own specialty. For instance, a colleague who specialises in risk assessments might feel that I have just absorbed their expertise along with 40 other specializations. I cannot stress the following two points enough:

这是我经常收到的评论，例如，正在尝试将其与自己的专业相关的同事。 例如，一个专门从事风险评估的同事可能会觉得我刚刚吸收了他们的专业知识以及40个其他专业。 我不能充分强调以下两点：

• Security Architecture is about providing insight and oversight for the organization in its security risks and controls. Many of the other security disciplines deliver a part of that objective (e.g. a risk assessment). But the critical issue is that many fail organizations fail to tie the results for that discipline to other disciplines (e.g. the implementation of controls or evaluating the impact on their business strategy). So you need an architect to make sure that everything from the business strategy to the technical implementation is aligned.
  安全体系结构旨在为组织提供有关安全风险和控制方面的见解和监督。 其他许多安全学科都实现了该目标的一部分(例如，风险评估)。 但是关键问题是，许多失败的组织未能将该学科的结果与其他学科联系在一起(例如，实施控制措施或评估对其业务战略的影响)。 因此，您需要一名架构师来确保从业务战略到技术实施的所有方面都保持一致。
• Being an architect does not mean I do everything that my architecture needs. I might well rely on experts in the other disciplines to get me that risk assessment or help me craft a network design. Unless you’ve been in the game for 50 years and have been in the fortunate position of constantly being able to develop yourself, I am going to come out and say it is very rare for an architect to be able to do everything from the super-strategic to the super-technical. There is not enough time in the world to become a superhero like that. Most architects were something else before to they turned to architecture. I used to specialise in strategy, risk assessments and maturity assessments and therefore as an architect I excel in the strategy, business logic and logical architecture layers. I am continuously develop myself technically, especially in the field of Cloud (various certificates coming up), but I might never be as comfortable with the technical nitty-gritty as an architect who used to be a sysadmin or a network specialist would be. And vice versa. In the beginning this made me quite insecure, but more on this in another article to come “Help?! I want to be a great Security Architect”.
  成为一名建筑师并不意味着我会做我的建筑需要的一切。 我可能会依靠其他学科的专家来进行风险评估或帮助我进行网络设计。 除非您从事游戏已有50年，并且一直处于能够不断发展自己的幸运位置，否则我将走出来，说一位建筑师能够完成超级项目中的所有工作非常难得-对超级技术具有战略意义。 世界上没有足够的时间成为那样的超级英雄。 大多数建筑师在转向建筑之前都是其他人。 我曾经专门研究策略，风险评估和成熟度评估，因此，作为一名架构师，我在策略，业务逻辑和逻辑架构层方面表现出色。 我一直在技术上不断发展自己，尤其是在Cloud领域(即将出现各种证书)，但是我可能从未像以前是sysadmin或网络专家的架构师那样对技术细节感到满意。 反之亦然。 刚开始时，这使我感到很不安全，但是在另一篇文章中，更多内容是“帮助？！”。 我想成为一名出色的安全架构师”。

所以呢？ (So what?)

A clear definition of what we are talking about is fundamental for good discussions. Think I am wrong about this being the most difficult question to answer? Have you got a better answer? GOOD! Let’s have it then! As far as I can tell nobody has written a similarly extensive argumentation around what it is we actually do. Leave your comments below!

明确定义我们所讨论的内容是进行良好讨论的基础。 认为这是最难回答的问题，我认为错了吗？ 你有更好的答案吗？ 好！ 那我们来吧！ 据我所知，没有人针对我们的实际情况写过类似的论据。 在下面留下您的评论！

翻译自: https://medium.com/@esthervanluitNL/the-most-difficult-security-architecture-question-out-there-8fca5fd7910c

安全架构安全漏洞?