ArchiMate_SABSA

06 Modeling the Contextual Security Architecture

• 06 Modeling the Contextual Security Architecture
  • 6.0 Overview
    • Table 19: SABSA Contextual Architecture
    • Figure 29: Developing and Maintaining the Contextual Security Architecture
    • Table 20: Contextual Elements
  • 6.1 Business Assets
    • 6.1.1 Capability and Value Stream
    • 6.1.2 Business Object
    • 6.1.3 Business Service, Interface, and Service Level Agreements
  • 6.2 Business Risk
  • 6.3 Business Process/Function/Interaction
  • 6.4 Business Roles and Actors
    • 6.4.1 Governance
    • 6.4.2 Threat Actors
  • 6.5 Business Geography
  • 6.6 Business Time Dependencies

6.0 Overview

The SABSA Matrix illustration:

Sourse: https://www.slideshare.net/MVeeraragaloo/sabsa-implementationpart-viver10

another Matrix view with Lifecycle context:

Source: https://www.alctraining.com.sg/course/sabsa-foundation/

Table 19: SABSA Contextual Architecture

Using Protégé tool, the snapshot ontology model is here: sabsa_matrices_2018_table19.rdf

Putting SABSA Contextual Architecture layer in the middle, below is the screenshot from onto-graph, base on Table19:

Figure 29: Developing and Maintaining the Contextual Security Architecture

Tha above outline enables us to visualize the set of processes and activities necessary to create and maintain an Architectural Description of the Contextual Architecture, expressed in ArchiMate Specification in below Figure 29.

Snapshot ArchiMate Model: Model till Figure29

Table 20: Contextual Elements

Here are the summarization of native ArchiMate elements that are available to model the contextual layer:

Snapshot ArchiMate Model: Archi Model till Table20

6.1 Business Assets

6.1.1 Capability and Value Stream

• Value Stream is a behavioral element within ArchiMate’s Strategy Layer
• A key principle of a Value Stream is that its value is always defined from the perspective of the Stakeholder, the consumer of the product, service, or deliverable, and not on its intrinsic value; i.e., the cost of production
• The value of Value Stream can be modeled in the ArchiMate language using the Value element.

Here is an example of a Value Stream is provided by the ArchiMate Specification:

Snapshot ArchiMate Model: Figure 30 Value Stream Modeling

6.1.2 Business Object

• Business Object represent Information Assets.

Element	Schema File	Schema Visualization
Business Object	Business Object JSON

Below Figure 31 shows the relation with SABSA Attributes: a Business Object (Medical Record) has confidentiality property of “CONFIDENTIAL” and is also tagged with the SABSA Attribute of the same name.

Snapshot ArchiMate Model: Figure31 Model

Label Expression for Business Object - Medical Record:

${name}
---------------------------------
confidentiality: ${property:confidentiality}
integrity: ${property:integrity}
authenticity: ${property:authenticy}
pii: {
    "classification":"${property:pii-classification}"
    "couldBeMinor":"${property:pii-couldBeMinor}"
    "reviewPeriod":"${property:pii-reviewPeriod}"
}
retention: ${property:retention}

6.1.3 Business Service, Interface, and Service Level Agreements

In terms of asset analysis, the most important aspects of service elements are those committed in a Service Level Agreement (SLA) that incurs panalties if not delivered.

• Business Layer services need a distinct property set when they are offered through human interfaces.
• SLA is using Contract element, a bespoke Requirement/Constraint may also be used where a simple property is insufficient.
• Business Services may be offered via multiple interfaces (Business Interface)

Element	Schema File	Schema Visualization
Business Servie (SLA)	Business Service (SLA) JSON
Business Interface	Business Interface JSON

6.2 Business Risk

• Risk, threats, vulnerabilities, and opportunities can be modeled at the Business and Strategy level using the orthodox ArchiMate approach discussed in Section 4.3
• The Security Overlay adds stereotyps(«») of motivational layer elements for this purpose, introduced in Section 5.5

6.3 Business Process/Function/Interaction

• Business Process are often categorized in terms of their criticality to core business mission, capabilities, and value chains.
• Behavioral elements may also be deemed sensitive due to the way they operate on information.

Element	Schema File	Schema Visualization
Business Behavior Elements (Process/Function/Interaction)	Business Behavior Elements JSON
Access Relationship	Access Relationship JSON

6.4 Business Roles and Actors

In ArchiMate Specification, Actors represent human or organizational entities that can be assigned to Roles that describe:

• The extent of their responsibilities with respect to a given business process
• Their use of business and application services

Element	Schema File	Schema Visualization
Business Actor	Business Actor JSON
«DataSubject»	«DataSubject» JSON
Business Role	Business Role JSON
Business Collaboration	Business Collaboration JSON
Serving Relation	Serving JSON

6.4.1 Governance

Governance runs like a seam through the People column of the SABSA Matrix.

RACI presents an interesting design consideration in the ArchiMate Specification. Applying “Subject-Verb-Object” syntax to RACI requires considering what the “Process of Being Accounatable” means and what it would look like.

Snapshot ArchiMate Model: Figure32: Representing RACI Relationships

Refer to 5.3.1 for similar Singularities issues.

a) A Pattern Repeated in Multiple Views	b) … Causes Entanglement in the Underlying Model

Snapshot ArchiMate Model: Figure33

a) Solved by a Tetiary Relationship	b) Solved by Specialization of an Abstract Base Role

Snapshot ArchiMate Model: Figure34

Element	Schema File	Schema Visualization
«RACI»	RACI JSON

6.4.2 Threat Actors

Seurity models, by definition, have to consider the potential abuse of a system through malicious intent.

Three possible ways of modeling Threats are:

1. As an Actor: A constituency that is known to pose an accidental or intentional threat
2. As a Role: Representing a malicious intent, directed against the target system
3. As an action (a behavior or event) that occurs by error, omission, or intent

All of above three raise concerns shown in below Figure 35:

Snapshot ArchiMate Model: Figure 35: Possibilities for Modeling Threat Actors

Below Figure 36 shows sensitivity in the representation of threats:

Snapshot ArchiMate Model: Figure 36: Sensitivity in the Representation of Threats

The profile for the Threat Agent element is shown as below schema:

Element	Schema File	Schema Visualization
Threat Agent	Threat Agent JSON

6.5 Business Geography

• Business geography is easily modeled using the ArchiMate Location element unadorned (朴素).

6.6 Business Time Dependencies

• The SABSA Time cell is concerned with the delivery schedule of goals and responding to events.
• Target dates in the ArchiMate Specification are intrinsic to the definition of a Goal (a desired state to be reached by a defined point in time) and can be make explicit through Implementation and Migration views.
• The Business Event element can be used unadorned.

---

---

Any comments, feel free to post to the Discussion Board.

This site is open source. Improve this page.