Recently as part of some ongoing architecture work for a client, I was asked to specify the security details for a solution. Unfortunately, within my current enterprise we do not have a dedicated security architect so I was required to provide architectural details within an architecture domain I’m not an authority in. I required a reference model I could utilise quickly and also model which is fairly comprehensive from a security perspective. My initial instinct was to refer to the TOGAF. However, I found that TOGAF’s take on security architecture to be of a generally high level (as you’d expect from an Enterprise Architecture framework). I needed something more specific at the solutions architecture level.

Open Security Architecture

Through my research, I found the Open Security Architecture.

In a nutshell the OSA purpose (taken from their own site):

“OSA distills the know-how of the security architecture community and provides readily usable patterns for your application. OSA shall be a free framework that is developed and owned by the community.”

The OSA is create a reference library of security architecture. These architectures are grouped by individual controls into patterns and cross referenced the controls against the security bodies such as NIST, ISO, ISF etc. The reference library contains a catalog of Controls, Risks and Patterns that can be readily referenced as part of your own ongoing Architecture endeavour.

The patterns have been categorised further into Infrastructure, Application and Business.


The pattern landscape contains a list of common security patterns that can be applied and used within the enterprise. Other patterns include Data Security, Cloud Computing and Public Wireless Hotspot which gives you some indication of the wide range of patterns available.

Here’s an example from the SP-008: Public Web Server pattern.


You can drill down and select individual controls applicable to each pattern, apply controls independent of patterns and view guidance in the appliance of controls. For example, here’s the SC-09 Transmission Confidentiality control. The list of all the controls can be found within the Controls Catalogue.


I’m impressed by this  as a method for delivery and as a library. TOGAF admits that in terms of architecture patterns, their use is still in its infancy. What I believe the OSA have managed to do is show how a reference library can be modelled online and applied as a set of specific patterns to address a number of common architectural scenarios. The experience is enhanced by the use of Tango which provides an icon library, this provides a nice way of modelling architecture as a diagram rather than a catalog which at times can be hard to digest.

I’d be interested in what peoples thoughts are on the OSA particularly its relevancy and if anyone has any critique’s for its use.