Two years ago, in the last article of 2015, The Attributer published an article under this same title. So why choose the title again? That previous article examined the global geo-political threat landscape and the reasons to take it seriously. In the final paragraph of that article, The Attributer wrote:
We need to shift into a different gear in our thinking and planning. The current approach of treating cyber-security as a technical problem with local technical solutions will not serve us if (when) this future unfolds. We need end-to-end, wall-to-wall thinking – the type of thinking that SABSA practitioners use in developing business and technology architectures.
Two years on and we see the same struggle to create a paradigm shift in approach. We are still treating cyber security and cyber defence as a purely technical issue with local solutions. It will never work. In this second article we examine the way in which SABSA can help to change the way we tackle cyber security.
Architecture often benefits from principles, so let’s start with some principles:
- Cyber security is as much a business issue as it is a technology issue. (If it didn’t have a business impact, why would you care?)
- Cyber space is a deeply nested system of systems of immense complexity. Treating it as a set of discrete technical components is a systems engineering mistake.
- Such complex systems exhibit emergent properties – behaviours that are not caused by component failure but by unforeseen component interactions. Many cyber exploits rely on the attacker discovering an emergent property and using it against your system.
- The human components, their behaviour and their interactions are the least predictable, and as such need to be addressed perhaps more carefully than the purely technical components.
- Cyber security requires an architectural approach, not a collection of discrete components.
Figure 1 shows the SABSA Business Stack™. This is what The Attributer means by architecture – a series of interdependent, closely coupled layers. Note the Business Attributes Profile™ (BAP) at every layer of the stack and in People and Processes that cut across every layer. Every layer is a service consumer and a service provider (Everything-as-a-Service: EaaS). Attributes are inherited and interpreted at every layer by the layer below. There is an SLA between all layers with measurable performance targets for every Attribute.
If you apply this stack model with rigour, you stand a chance of avoiding emergent properties by keeping a tight focus on each layer and its service interface. What is essential is that the integrity of the layered supply and demand model is maintained throughout. Disintermediation of a layer by skipping to a lower layer for a service request is forbidden. See Figure 2. Only service requests for services exposed in the service interface are allowed. For example, an application can measure the performance of the network for its latency, accuracy of delivery and sequencing, but it cannot measure whether confidentiality services are switched on in the network layer. Therefore it cannot (and must not) rely on that service being provided.
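The layering rule above can be checked mechanically against a list of declared reliances between layers. The following Python check is an added example, not part of the original article or of SABSA itself; the three layer names, the attributes and the SLA targets are constructed assumptions, since the page names only an application layer and a network layer.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stack, top to bottom. Layer names, attributes and targets are
# assumptions for this example, not taken from the SABSA Business Stack figure.
STACK = ["business", "application", "network"]

# Service interface per provider layer: attribute -> (bound, SLA target).
# "max" means the measured value must not exceed the target, "min" the reverse.
# Confidentiality is deliberately absent from the network's interface.
INTERFACE = {
    "application": {"availability_pct": ("min", 99.5)},
    "network": {
        "latency_ms": ("max", 50.0),
        "delivery_accuracy_pct": ("min", 99.9),
        "sequencing_pct": ("min", 99.9),
    },
}

@dataclass(frozen=True)
class Reliance:
    consumer: str
    provider: str
    attribute: str
    measured: Optional[float] = None  # latest measurement, if any

def review(reliances):
    """Return (reliance, finding) pairs for each reliance that breaks the model."""
    findings = []
    for r in reliances:
        if r.consumer not in STACK or r.provider not in STACK:
            findings.append((r, "unknown layer"))
        elif STACK.index(r.provider) - STACK.index(r.consumer) != 1:
            findings.append((r, "disintermediation"))  # not the layer directly below
        elif r.attribute not in INTERFACE.get(r.provider, {}):
            findings.append((r, "not in service interface"))
        elif r.measured is None:
            findings.append((r, "unmeasured"))  # exposed, but nothing to hold the SLA to
        else:
            bound, target = INTERFACE[r.provider][r.attribute]
            ok = r.measured <= target if bound == "max" else r.measured >= target
            if not ok:
                findings.append((r, "SLA target missed"))
    return findings

# Constructed declarations of what each layer relies on.
DECLARED = [
    Reliance("application", "network", "latency_ms", 32.0),
    Reliance("application", "network", "sequencing_pct", 99.2),
    Reliance("application", "network", "confidentiality"),
    Reliance("business", "network", "latency_ms", 32.0),
    Reliance("business", "application", "availability_pct"),
]
```

Calling `review(DECLARED)` flags the application's reliance on network confidentiality as outside the service interface and the business layer's direct request to the network as disintermediation, while the in-interface latency reliance passes.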
Architectural rigour will never guarantee that emergent properties are eliminated, but it will deliver significant improvements. It is time for the cyber security community to start taking a proper architectural approach. It is time for the adoption of SABSA as the framework of choice.