Logical Security Architecture
SABSA is broken down into several layers. Here I'll give a quick overview of how the logical security architecture adds detail to flesh out the bones of the conceptual framework developed at the second layer of the security architecture model. The logical layer is largely concerned with the functional view of security: it defines a comprehensive set of functional requirements. It is important to note, however, that it does not address the security mechanisms that will later deliver those functions; those belong to the next layer, the physical security architecture.
As an example of how one might create a logical security architecture diagram, I'll take a random network diagram from the internet as the reference point for a fictional company. Note: this is not part of the SABSA process; it merely serves as a point of comparison between what people in the IT field are used to seeing and a diagram based on SABSA.
As you can see, the above is a fairly basic physical network diagram from a corporate or university infrastructure. Using the SABSA framework, we then take the data from the previous (conceptual) layer and transpose it into a logical network architecture diagram.
As you may be able to see, this organization has a number of people who regularly work from the campus, as well as people working remotely while traveling, all of whom need to communicate with and use the company's production resources. To facilitate that external access, another logical domain called external services is created, through which any application or information required can be made safely available to externally located employees and partners. Both the internal and external groups need access to a myriad of informational services and production support services that live in production.
To facilitate this, those subsets of tools are rolled into a service package called intranet services. Only the data-center operations staff have direct, hands-on access to the production business applications and to the internal services, so those applications and services are contained in our production domain. Any business user therefore has to gain access through an inter-domain, multi-layered architecture, while the public has limited access, via the internet, to the web services only.
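The two preceding paragraphs describe a set of logical domains and the trust relationships between them: the public reaches only the web services, remote staff and partners enter through external services, business users reach production-hosted services only through the intranet services layer, and only data-center operations staff have direct access to production. Here is an added example, not part of SABSA or of the original post, that encodes that domain model as machine-readable policy and checks the architectural intent. Every domain name, role name and edge in it is an assumption chosen to mirror the text; a real logical layer would derive them from the conceptual layer's business attributes and trust model.

```python
from collections import deque

# Logical domains (constructed names chosen to mirror the post)
DOMAINS = ("internet", "web_services", "campus", "external_services",
           "intranet_services", "production", "datacenter_ops")

# Inter-domain trust edges: (source, destination, roles allowed to cross).
# Constructed illustration only: these are the logical-layer rules, not the
# mechanisms (firewalls, proxies, VPNs) that the physical layer will choose.
EDGES = [
    ("internet", "web_services", {"public", "remote_staff", "partner", "campus_staff"}),
    ("internet", "external_services", {"remote_staff", "partner"}),
    ("campus", "intranet_services", {"campus_staff"}),
    ("external_services", "intranet_services", {"remote_staff", "partner"}),
    ("intranet_services", "production", {"campus_staff", "remote_staff", "partner"}),
    ("datacenter_ops", "intranet_services", {"ops"}),
    ("datacenter_ops", "production", {"ops"}),
]


def access_path(role, entry, target):
    """Breadth-first search from the role's entry domain to the target domain,
    following only edges the role is permitted to cross. Returns the ordered
    list of domains traversed, or None if no permitted path exists."""
    for d in (entry, target):
        if d not in DOMAINS:
            raise ValueError(f"unknown domain: {d}")
    queue = deque([[entry]])
    seen = {entry}
    while queue:
        path = queue.popleft()
        here = path[-1]
        if here == target:
            return path
        for src, dst, roles in EDGES:
            if src == here and role in roles and dst not in seen:
                seen.add(dst)
                queue.append(path + [dst])
    return None


def hops(role, entry, target):
    """Number of domain boundaries crossed, or None if unreachable."""
    p = access_path(role, entry, target)
    return None if p is None else len(p) - 1


def check_invariants():
    """Return the list of violated architectural rules; empty when the model
    matches the intent described in the post."""
    violations = []
    # 1. The public reaches the web services domain and nothing else.
    for d in DOMAINS:
        if d not in ("internet", "web_services") and access_path("public", "internet", d):
            violations.append(f"public can reach {d}")
    # 2. Only operations staff get single-hop ("direct hands-on") access to production.
    business = (("campus_staff", "campus"), ("remote_staff", "internet"), ("partner", "internet"))
    for role, entry in business:
        if hops(role, entry, "production") == 1:
            violations.append(f"{role} has direct access to production")
    if hops("ops", "datacenter_ops", "production") != 1:
        violations.append("ops lack direct access to production")
    # 3. Business users still reach production-hosted services, only through the layers.
    for role, entry in business:
        if access_path(role, entry, "production") is None:
            violations.append(f"{role} cannot reach production at all")
    return violations


if __name__ == "__main__":
    for role, entry in (("public", "internet"), ("remote_staff", "internet"),
                        ("campus_staff", "campus"), ("ops", "datacenter_ops")):
        print(f"{role:13s} -> production via {access_path(role, entry, 'production')}")
    print("violations:", check_invariants())
```

Keeping the domain model in this form lets the invariants be re-run whenever an edge is added, so a later physical-layer decision (for example a new management path into production) is caught if it would give a business role the direct access the logical layer reserves for operations staff.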