Join today to become an NTA member and receive all of our wonderful benefits, which includes eligibility for Travel Exchange registration.
Learn moreIf the business requires "Confidential customer transactions," SABSA translates that into a technical requirement for "Encryption." If the business requires "Auditable compliance," SABSA translates that into "Log management and SIEM." Every technical control maps back to a business need. The heart of SABSA is a (6 \times 6) matrix. It consists of six horizontal layers (questions) and six vertical columns (assets). The six layers are crucial to understand because they force the architect to think holistically.
| Layer | Question | Description | | :--- | :--- | :--- | | | Why? | Business drivers, goals, and risk appetite. (Output: Business Requirements) | | 2. Conceptual | What? | The overall security strategy and high-level architecture. (Output: Security Principles) | | 3. Logical | How? | The logical groups of security services and policies. (Output: Security Services) | | 4. Physical | Where? | The actual technologies, servers, appliances, and software. (Output: Security Mechanisms) | | 5. Component | Who? | Detailed configurations, identities, and specific components. (Output: Security Products) | | 6. Operational | When? | Processes, procedures, and runtime management. (Output: Security Operations) | sabsa architecture model
It ensures that your SIEM alerts, your next-gen firewall rules, and your IAM policies are not just technically sound—they are business-relevant. By adopting SABSA, security transforms from a "cost center" and "business blocker" into a strategic enabler that drives trust, resilience, and competitive advantage. The six layers are crucial to understand because
"If you don't know where you are going, any firewall will do." — Paraphrased from the SABSA Philosophy. For security architects looking to deepen their knowledge, consider the official SABSA certification (Foundation, Practitioner, or Master). It remains one of the most respected credentials in the field of security architecture. (Output: Business Requirements) | | 2
From top to bottom (Strategy to Technology), the six layers are: