Security architecture is a special layer in that it does not contain its own set of elements. Instead this layer can be seen as a layer ”on top” of all the other layers. Therefore the security layer combines the security aspect to all different resources types in all layers in the organization.
At the center we see the security group that has members in the form of business roles. The security group controls resources via a specialized relationship that can be detailed with CRUD markings for what the security group can do with, for example, information.
Image: Security group controling access to a system and premises of a business unit
Image: Security group in relation to information objects
Image: Security groups in relation to information objects in matrix format
Within the EAS framework we talk about eZTA, Enterprise Zero Trust Architecture, which applies a strategy of not trusting anyone and only give access to what a role expressively needs, just like in traditional ZTA. Howerver eZTA takes it a little furter and applies it to all aspects of the organization including physical access to business units.
Note: security groups are often, but not always, represented by Active Directory groups.