Archistry

Survivability by Design™ since 2006


February 25, 2020

The mad magic of middle-out architecture

You might remember me talking about the 3 different kinds of security architecture you’re really going to need to build – or, more correctly, discover – as part of the process I call architecture archaeology. Two of them are probably pretty familiar to you, because we tend to use them all the time as either excuses or motivations, but to avoid any confusion about what I mean when I say them, let’s quickly recap the definitions I use.

Top-down architecture archaeology is the process by which you start from a set of requirements and you figure out how those requirements are actually currently being met by the organization. This is generally also referred to as the “as-is” architecture…

…and it’s the one that’s probably either the most scarce – or the most seductive – of the architecture work you’ll do.

I probably don’t need to explain the “scarce” part, because there are a lot of organizations that just don’t have any good views of how things really happen outside of the memories and vague recollections in the heads of the people doing specific jobs.

But the “seductive” aspect is actually the femme fatale of architecture. She’s hot. She’s sexy. She’s well presented. And she just happens to show up when you want her to…

…but there’s at least a 90% chance that whatever it is she tells you is, at best, out of date…and at worst, will leave you blindfolded and walking off a cliff at gunpoint.

Bottom-up, on the other hand, is kinda the traditional approach to building the “as-is” architecture, because you go digging through the infrastructure and process landscape, looking for “architecture bones” – a.k.a. “components” – that someone, somewhere in the dim and distant past associated with a line item on a PO.

It’s the “what you can kick” architecture, and like trying to assemble the fossilized bones of a dinosaur into what it probably once looked like, you generally can figure out the general shape and structure of how things are connected, what data they manage and the functions they perform.

Note that the scope here is the key in both cases. We’re talking about “whole world” architecture—we take whatever we can find and try to make sense out of it to build a picture of the whole world. As you might imagine, this is the red-headed, third cousin, twice removed of boiling the ocean, but we’ll leave the architecture genealogy for another time.

Now, middle-out is a term you probably haven’t heard much before. Think of it as the mirror image of traditional solution architecture—after the individual solution has been deployed for about 6 minutes and everyone tosses everything they knew about it into the documentation scrapyard…er, I mean the enterprise content management system.

In this case, the objective of this particular architecture effort is to pick some identifiable subset of something that helps make the organization tick, and then you start to trace both upwards…

…towards the requirements it’s supposed to support…

…and downwards to the bits, bobs and blinken boxen that are the current manifestation of how it works.

The key thing to note here is that it IS NOT supposed to be a “boil the ocean” type of operation. It’s tactical…like a surgical drone strike which, instead of blowing great gaping holes in the ground…

…is supposed to illuminate and illustrate significant portions of the operational architecture of the organization.

The good news is that by the time we talk about all of this stuff in Lesson 9 of Building Effective Security Architectures during the last week of Module 3, you’re already going to know all the super-secret, battle-tested architecture-fu you need to know to do it faster than you ever thought possible…

…and to expose it in a way that makes it both insightful and actionable to both yourself and the rest of the team.

However, the bad news is that unless you’re part of the cohort that kicks off next week, it’s probably going to either:

  1. remain a mystery as to what you actually need to do to prioritize your efforts and “get it done”, or
  2. be something you won’t think about doing again…

…until maybe you might remember me yakking about it as something that might be a handy way to avoid biting off more of an architecture mouthful than you – or anyone else – cares to chew—most likely after it’s already happened…again. And I know this, because I’ve done it—and because it’s so easy to slip into doing.

Bottom line?

If you want to learn how to effectively do this – along with about a bazillion other insights, tips and tricks I’ve picked up over 14 focused years of applying SABSA in my own work – there’s just one thing you need to make sure you do:

Go now, before the deadline of 11:59pm US/Eastern THIS FRIDAY, with your hot little credit card in hand and register using this link:

https://archistry.com/besa

…or don’t. It’s a choice only you can make—but if you really want to do it, I’m sure you’ll find a way to make it happen.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile Security, BESA, Bottom-Up, Middle-Out, SABSA, Security Architecture, Top-Down
