I am doing consulting for a company. They want me to create a security architecture for their company. The problem is, there are several meanings of "security architecture".
In one book, "security architecture" means application or software security. In Cisco's and Microsoft's views (at least from their papers), security architecture relates to network security. In CISSP books, security architecture refers to access control (and the different models). For a consulting firm such as PWC, security architecture means a (security) framework, which is a high-level concept. Another consulting firm thinks that security architecture means activities. Confusing.
My take on this? Well, I think security architecture is just like building architecture. It is composed of functional building blocks. In a house (or building), you have a living room, bedroom, kitchen, garage, garden, etc. In security, you'll have the equivalent building blocks, such as identity management system, authentication system, authorization and access control, and so on and so on. Now, all I have to do is arrange these blocks according to a certain engineering standard (and taste to make it elegant). Strangely, nobody has come up with this kind of idea.
What do you think? Pointers, please ...