Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

CSA’s Enterprise Architecture: Technology Solution Services (TSS)

Published 06/16/2023

CSA’s Enterprise Architecture: Technology Solution Services (TSS)

Written by CSA’s Enterprise Architecture Working Group.

The Enterprise Architecture is both a methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions and controls. It can be used to assess opportunities for improvement, create road maps for technology adoption, identify reusable security patterns, and assess various cloud providers and security technology vendors against a common set of capabilities.

This blog describes the third of four domains from CSA’s Enterprise Architecture: Technology Solution Services (TSS). Read about the first domain, the second domain, and check back for the last blog on domain four.


IT solutions can be thought of as a technology stack: at the top are actual interactions the users have, with applications that accept the interactions and push data down where it may be manipulated, followed by the data that runs on them, with the computers and networks at the bottom layer. The four technology solution domains are Presentation Services, Application Services, Information Services, and Infrastructure Services:

Presentation Services

Presentation is the website you see when you go to an online bank, the voice on the phone when you call the airline reservation system, or the mobile platform you order remotely from. It is the domain where the end-user interacts with an IT solution.

The requirements for the domain vary on the type of user and type of service being provided. For example, a B2C website will have different security concerns than a social media website. The security requirements will also vary based on the types of endpoints being used by the end-user.

Example

A mobile device provides the risk of locally-stored data being lost with the device, and a shared public kiosk provides the risk of subsequent end-users having access to prior users’ data.

Application Services

Application Services are the processes that developers use to write code, as well as the code itself. They are the rules and processes behind the user interface that manipulate the data and perform translations for the user. In an online bank, this might be a bill payment transaction that deducts the payment amount from the user’s account and sends a check to the payee. In addition, the Application Services domain also represents the development processes that programmers go through when creating applications.

Example

A developer is writing an API that allows a banking system to exchange transactions with other banks. He scans the code with a source code analyzer that identifies a section of code that was not protected against invalid input that could corrupt the system. The change is made immediately, and the new API is now safe to use.

Information Services

One of the most common pain points across organizations is the amount of data generated across the company, sometimes including redundant data. Information Services refers to the storage of data, usually in databases, but sometimes just in files.

All the data needs to be transformed into useful information that business asset owners can use to prioritize, strategize, and manage the risk portfolio they own. All data containers are allocated on this domain, where eventually they can be extracted, transformed, and loaded into an operational data store and a data warehouse.

Example

When an administrator creates a user account, the ID and Password are stored in a user directory. When that user logs into the system, a log entry showing the data and time of that log-in is stored in the security-monitoring database.

Infrastructure Services

Infrastructure Services are the layered basic core capabilities that support higher-level capabilities in other architecture areas. These levels include virtual machines, applications, and databases, as well as networking, physical hardware, and facilities.

As they provide a foundation, Infrastructure Services are mostly invisible to end-users of the cloud service. For example, a customer will likely be required by due diligence to assure that cloud facilities provide physical security to match the risk characteristics of the uses they make of cloud services.

Example

Even the cloud needs to reside somewhere physically, i.e., at a data center. These data centers are physically secured with fences, cameras, security guards, man-traps, and badge-activated doors. Availability of the Infrastructure is ensured with lines to multiple internet service providers, power generators in case of a power failure, and multiple computers to do the same job in case one fails.


Read more in the CSA Enterprise Architecture Reference Guide.

Share this content on your favorite social network today!