SABSA History

SABSA is a six-layer model for security architecture widely accepted today as the most mature and most comprehensive security architecture framework available.   

SABSA is based on an idea first developed by John Sherwood in 1995 and published in 1996 as ‘SABSA: A Method for Developing the Enterprise Security Architecture and Strategy’.  SABSA was originally an acronym for ‘Sherwood Applied Business Security Architecture’and was the basis on which the Sherwood team (including David Lynas and Andy Clark the leading players in the ongoing development of the methodology and in its use in delivering client consulting assignments) built their world-wide reputation for thought leadership in the area of security architecture. 

The starting point for this work was ISO 7498-2 1989: ‘Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture’.  This standard is relatively unsophisticated in terms of business drivers, but it sets out an important framework in terms of ‘security services’ – the logical architecture, ‘security mechanisms’ – the physical architecture, and ‘security management’ – the operational architecture.  The Sherwood team added two upper layers to provide a business-driven approach (contextual and conceptual architectures), and a lower layer to map onto real tools and products (component architecture).

Unknown to Sherwood at the time, this work was closely related to work being carried out in the USA on the wider context of overall enterprise architectures, authored by John Zachman, published by the Zachman Institute for Framework Advancement and known as the ‘Zachman Framework’

John Sherwood presented the SABSA work at COMPSEC 96 in London and published the follow-up paper on it later that year.  At that time he had never heard of Zachman’s work.  In April 1998 Sherwood was working for an international client as the security architect on a team engaged in developing entirely new global infrastructure architecture.  As part of that activity he was fortunate enough to visit a conference entitled ‘Enterprise Architecture’ in San Francisco, and one of the key note speakers at that conference was John Zachman.

The Sherwood team was able to re-work SABSA to incorporate some of the language and ideas that Zachman had talked about in his presentation.  However, the original concepts of SABSA remained pretty much unchanged.

Since then the methodology has been promoted in many seminars and applied in a number of client situations in several countries and in several regions, where it has been enthusiastically received.  To meet the ever-increasing demands of the global market and provide more extensive support for increased use of the method on a global scale, the methodology was launched on a major scale, partly through the publication of the SABSA book ‘Enterprise Security Architecture: A Business Driven Approach’ (by Sherwood, Clark and Lynas), partly through the continued training and education seminars on the subject, and partly through the creation of the SABSA Institute and this web site.  Initiatives to support the world-wide growth in the use of SABSA include the world-wide launch of the SABSA Certification programme to provide assurance to employers and peers over competency of professionals and service providers to use SABSA.