Data Model Hierarchy
Understand how DevArmor organizes and isolates threat model data across different teams and projects.
This document clarifies the hierarchy DevArmor uses to isolate and manage product data. In particular, it covers use cases and workflows for managing threat models and security reviews in organizations, based on their size, team composition, and workflows.
Data Hierarchy
Organization
An Organization (“Org”) is the highest level of abstraction in DevArmor’s data model. An Org usually corresponds to the company as a whole, or to a single unit of risk management. One way to think about an Org is that there is usually one Org per CISO.
Team
A Team is an organizational unit whose members prioritize security actions and decisions together. Different teams can share some risks, or have totally separate risks. The key concept that ties a team together is planning and prioritization. A Team roughly corresponds to an organizational unit under a VP or Director of Security.
A single organization can have many teams.
Project
A Project is an abstraction layer that corresponds to a product, feature, or service within an organization. A project usually corresponds to a unit of product development and release schedule. Alternatively, one can think of a project as a unit of engineering work or organization, such as an engineering team.
A single team can have many projects.
Threat Model
A threat model is the lowest level of abstraction in this model, and represents a single body of analysis of risks, threats, mitigation plans, and actors.
A project can have multiple threat models.
Data Isolation
DevArmor supports sharing security and product context across projects and teams. This will be set at the Org level.