Task: Identify Security Patterns
Identify and select key security patterns that ensure the level of security required by the system.
Disciplines: Service
Purpose

Document the security requirements and high-level service solutions for the specified services.

Main Description

IT solutions are conduits to sensitive corporate and customer information. In this task, the security architect identifies likely threats and documents requirements for mitigating them. The architect then identifies high-level security patterns appropriate to attach to architectural elements in response to security requirements and policies. Downstream design and implementation tasks refine these patterns with detailed patterns appropriate to particular technology and platform choices.

Steps
Identify security requirements

Capture high-level security requirements in the Software Architecture document and in the system-wide requirements. The security architect elicits these complex requirements from the project stakeholders and captures them in easy-to-understand statements (intents). Document these in general, as well as for specific elements of the service model and the component model that might be of particular focus.

The reason for the emphasis on intent at this stage is that, when asked about security in a requirements-gathering session, most stakeholders will respond that "of course, everything must be secure". Asked whether that means that everything is encrypted, audited, and so on, they reply "oh yes, please". At this point the security architect explains the implications of such a decision, including its cost and complexity, and the group starts to have a meaningful discussion about which patterns are relevant to which elements in the architecture. It is these patterns that express the intent of the system with regard to security, whereas the design-level patterns express the mechanisms for fulfilling the intent. Finally, implementation patterns express the technology used to fulfill the intent.

Identify trust boundaries

Identify the trust zones in the system and the levels of trust between the zones (see Trust Boundaries). Document the decisions in the Software Architecture document.

Identify high-level security patterns

Associate each element of the service and IT systems architectures that is affected by security requirements with an appropriate high-level security pattern. Document the decision in the Software Architecture document, so that the solution can be refined during component design and realization activities.
