You might remember me talking about the 3 different kinds of security architecture you’re really going to need to build – or, more correctly, discover – as part of the process I call architecture archaeology. Two of them are probably pretty-familiar to you, because we tend to use them all the time as either excuses or motivations, but to avoid any confusion of what I mean when I say them, let’s quickly recap the definitions I use.
Top-down architecture archaeology is the process by which you start from a set of requirements and you figure out how those requirements are actually currently being met by the organization. This is generally also referred to as the “as-is” architecture…
…and it’s the one that’s probably either the most scarce – or the most seductive – of the architecture work you’ll do.
I probably don’t need to explain the “scarce” part, because there’s a lot of organizations that just don’t have any good views of how things really happen outside of the memories and vague recollections that are in people’s heads that are doing specific jobs.
But the “seductive” aspect is actually the femme fatale of architecture. She’s hot. She’s sexy. She’s well presented. And she just happens to show up when you want her to…
…but there’s at least a 90% chance that whatever it is she tells you is, at best, out of date…and at worst, will leave you blindfolded and walking off a cliff at gunpoint.
Bottom-up, on the other hand, is kinda the traditional approach to building the “as-is” architecture, because you go digging through the infrastructure and process landscape, looking for “architecture bones” – a.k.a. “components” – that someone, somewhere in the dim and distant past associated with a line item on a PO.
It’s the “what you can kick” architecture, and like trying to assemble the fossilized bones of a dinosaur into what it probably once looked like, you generally can figure out the general shape and structure of how things are connected, what data they manage and the functions they perform.
Note that the scope here is the key in both cases. We’re talking about “whole world” architecture—we take whatever we can find and try to make sense out of it to build a picture of the whole world. As you might imagine, this is the red-headed, third cousin, twice removed of boiling the ocean, but we’ll leave the architecture genealogy for another time.
Now, middle-out is a term you probably haven’t heard much before. Think of it as the mirror image of traditional solution architecture—after the individual solution has been deployed for about 6 minutes and everyone tosses everything they knew about it into the documentation scrapyard…er, I mean the enterprise content management system.
In this case, the objective of this particular architecture effort is to pick some identifiable subset of something that helps make the organization tick, and then you start to trace both upwards…
…towards the requirements it’s supposed to support…
…and downwards to the bits, bobs and blinken boxen that are the current manifestation of how it works.
The key thing to note here is that it IS NOT supposed to be a “boil the ocean” type of operation. It’s tactical…like a surgical drone strike which, instead of blowing great gaping holes in the ground…
…is supposed to illuminate and illustrate significant portions of the operational architecture of the organization.
The good news is, that by the time we talk about all of this stuff in Lesson 9 of Building Effective Security Architectures during the last week of Module 3, you’re already going to know all the super-secret, battle-tested architecture-fu you need to know to do it faster than you ever thought possible…
…and to expose it in a way that makes it both insightful and actionable to both yourself and the rest of the team.
However, the bad news is that unless you’re part of the cohort that kicks off next week, it’s probably going to either:
- remain a mystery as to what you actually need to do to prioritize your efforts and “get it done”, or
- it’ll be something you won’t think about doing again…
…until maybe you might remember me yaking about it as something that might be a handy way to avoid biting off more of an architecture mouthful than you – or anyone else – cares to chew—most likely after it’s already happened…again. And I know this, because I’ve done it—and because it’s so easy to slip into doing.
Bottom line?
If you want to learn how to effectively do this – along with about a bazillion other insights, tips and tricks I’ve picked up over 14 focused years of applying SABSA in my own work – there’s just one thing you need to make sure you do:
Go now, before the deadline of 11:59pm US/Eastern THIS FRIDAY, with your hot little credit card in hand and register using this link:
…or don’t. It’s a choice only you can make—but if you really want to do it, I’m sure you’ll find a way to make it happen.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
