ArchiMate_SABSA
06 Modeling the Contextual Security Architecture
- 06 Modeling the Contextual Security Architecture
6.0 Overview
The SABSA Matrix illustration:
Sourse: https://www.slideshare.net/MVeeraragaloo/sabsa-implementationpart-viver10
another Matrix view with Lifecycle context:
Source: https://www.alctraining.com.sg/course/sabsa-foundation/
Table 19: SABSA Contextual Architecture
Using Protégé tool, the snapshot ontology model is here: sabsa_matrices_2018_table19.rdf
Putting SABSA Contextual Architecture layer in the middle, below is the screenshot from onto-graph, base on Table19:
Figure 29: Developing and Maintaining the Contextual Security Architecture
Tha above outline enables us to visualize the set of processes and activities necessary to create and maintain an Architectural Description of the Contextual Architecture, expressed in ArchiMate Specification in below Figure 29.
Snapshot ArchiMate Model: Model till Figure29
Table 20: Contextual Elements
Here are the summarization of native ArchiMate elements that are available to model the contextual layer:
Snapshot ArchiMate Model: Archi Model till Table20
6.1 Business Assets
6.1.1 Capability and Value Stream
Value Streamis a behavioral element within ArchiMate’s Strategy Layer- A key principle of a
Value Streamis that its value is always defined from the perspective of the Stakeholder, the consumer of the product, service, or deliverable, and not on its intrinsic value; i.e., the cost of production - The value of
Value Streamcan be modeled in the ArchiMate language using theValueelement.
Here is an example of a Value Stream is provided by the ArchiMate Specification:
Snapshot ArchiMate Model: Figure 30 Value Stream Modeling
6.1.2 Business Object
Business Objectrepresent Information Assets.
| Element | Schema File | Schema Visualization |
|---|---|---|
| Business Object | Business Object JSON |  |
Below Figure 31 shows the relation with SABSA Attributes: a Business Object (Medical Record) has confidentiality property of “CONFIDENTIAL” and is also tagged with the SABSA Attribute of the same name.
Snapshot ArchiMate Model: Figure31 Model
Label Expression for Business Object - Medical Record:
${name}
---------------------------------
confidentiality: ${property:confidentiality}
integrity: ${property:integrity}
authenticity: ${property:authenticy}
pii: {
"classification":"${property:pii-classification}"
"couldBeMinor":"${property:pii-couldBeMinor}"
"reviewPeriod":"${property:pii-reviewPeriod}"
}
retention: ${property:retention}
6.1.3 Business Service, Interface, and Service Level Agreements
In terms of asset analysis, the most important aspects of service elements are those committed in a Service Level Agreement (SLA) that incurs panalties if not delivered.
- Business Layer services need a distinct property set when they are offered through human interfaces.
- SLA is using
Contractelement, a bespokeRequirement/Constraintmay also be used where a simple property is insufficient. Business Services may be offered via multiple interfaces (Business Interface)
| Element | Schema File | Schema Visualization |
|---|---|---|
| Business Servie (SLA) | Business Service (SLA) JSON |  |
| Business Interface | Business Interface JSON | |
6.2 Business Risk
- Risk, threats, vulnerabilities, and opportunities can be modeled at the Business and Strategy level using the orthodox ArchiMate approach discussed in Section 4.3
- The Security Overlay adds stereotyps(«») of motivational layer elements for this purpose, introduced in Section 5.5
6.3 Business Process/Function/Interaction
Business Processare often categorized in terms of their criticality to core business mission, capabilities, and value chains.- Behavioral elements may also be deemed sensitive due to the way they operate on information.
| Element | Schema File | Schema Visualization |
|---|---|---|
| Business Behavior Elements (Process/Function/Interaction) | Business Behavior Elements JSON |  |
| Access Relationship | Access Relationship JSON |  |
6.4 Business Roles and Actors
In ArchiMate Specification, Actors represent human or organizational entities that can be assigned to Roles that describe:
- The extent of their responsibilities with respect to a given
business process - Their use of
business and application services
| Element | Schema File | Schema Visualization |
|---|---|---|
| Business Actor | Business Actor JSON |  |
| «DataSubject» | «DataSubject» JSON |  |
| Business Role | Business Role JSON |  |
| Business Collaboration | Business Collaboration JSON |  |
| Serving Relation | Serving JSON |  |
6.4.1 Governance
Governance runs like a seam through the People column of the SABSA Matrix.
RACI presents an interesting design consideration in the ArchiMate Specification. Applying “Subject-Verb-Object” syntax to RACI requires considering what the “Process of Being Accounatable” means and what it would look like.
Snapshot ArchiMate Model: Figure32: Representing RACI Relationships
Refer to 5.3.1 for similar Singularities issues.
| a) A Pattern Repeated in Multiple Views | b) … Causes Entanglement in the Underlying Model |
|---|---|
 |
 |
Snapshot ArchiMate Model: Figure33
| a) Solved by a Tetiary Relationship | b) Solved by Specialization of an Abstract Base Role |
|---|---|
 |
 |
Snapshot ArchiMate Model: Figure34
| Element | Schema File | Schema Visualization |
|---|---|---|
| «RACI» | RACI JSON |  |
6.4.2 Threat Actors
Seurity models, by definition, have to consider the potential abuse of a system through malicious intent.
Three possible asys of modeling Threats are:
- As an
Actor: A constituency that is known to pose an accidental or intentional threat - As a
Role: Representing a malicious intent, directed against the target system - As an action (a behavior or event) that occurs by error, omission, or intent
6.5 Business Geography
- Business geography is easily modeled using the ArchiMate
Locationelement unadorned (朴素).
6.6 Business Time Dependencies
- The SABSA Time cell is concerned with the delivery schedule of
goalsand responding toevents. - Target dates in the ArchiMate Specification are intrinsic to the definition of a
Goal(a desired state to be reached by a defined point in time) and can be make explicit throughImplementation and Migrationviews. - The
Business Eventelement can be used unadorned.
Any comments, feel free to post to the Discussion Board.