There are some very good security models and reference architectures from NIST, COBIT and ISO. They all serve a different purpose in the IT architecture stack.
NIST is ‘tactical’, meaning lower level. ISO is a checklist for identifying security issues at the operations level. COBIT is good for aligning security with business strategy.
NIST is useful (though somewhat academic) in that it proposes 5 (very detailed) main areas around cyber or cloud security: Identify, Protect, Detect, Respond and Recover. Many firms invest effort in 2 or 3 of these categories but leave important areas within the other groups unattended. In particular, Respond and Recover are 2 areas that most firms spend little time on.
In the ‘Cloud’, for example, the general principles covered by NIST and the operational Cloud Best Practices document are the following, and these are embedded in a RACI (Responsibility-Accountability-Consult-Inform) strategy:
- Cloud security planning and design
- Governance and operations
- Multitenant security
- Security in an automated cloud environment
- Data in transit and at rest
- Identity management and federation
- Data sovereignty and on-shore operations
- Cloud security standards and certifications
- Cloud security best practices
NIST (2017). NIST Cyber Security Framework. Available at: https://www.nist.gov/cyberframework (accessed: 10-10-17).