Security Architecture
Design and implement comprehensive security architectures that protect systems, data, and users through layered defense strategies, zero trust principles, and risk-based security controls.
Purpose
Security architecture provides the strategic foundation for building resilient, compliant, and trustworthy systems. This skill guides the design of defense-in-depth layers, zero trust implementations, threat modeling methodologies, and mapping to control frameworks (NIST CSF, CIS Controls, ISO 27001).
Unlike tactical security skills (configuring firewalls, implementing authentication, scanning for vulnerabilities), security architecture focuses on strategic planning, comprehensive defense strategies, and governance frameworks.
When to Use This Skill
Use security architecture when:
- Designing security for greenfield systems (new applications, cloud migrations)
- Conducting security audits or risk assessments of existing systems
- Implementing zero trust architecture across enterprise environments
- Establishing security governance programs and compliance frameworks
- Threat modeling applications, APIs, or microservices architectures
- Selecting and mapping security controls to regulatory requirements (SOC 2, HIPAA, PCI DSS)
- Designing cloud security architectures (AWS, GCP, Azure multi-account strategies)
- Addressing supply chain security (SLSA framework, SBOM implementation)
Core Security Architecture Principles
1. Defense in Depth
Implement multiple independent layers of security controls so that if one layer fails, others continue to protect critical assets.
9 Defense Layers (2025 Model):
- Physical Security: Data center access, environmental controls, hardware security modules (HSMs)
- Network Perimeter: Next-gen firewalls (NGFW), DDoS protection, web application firewalls (WAF)
- Network Segmentation: VLANs, VPCs, security groups, micro-segmentation
- Endpoint Protection: EDR, antivirus, device encryption, patch management
- Application Layer: Secure coding, WAF, API security, SAST/DAST scanning
- Data Layer: Encryption (at-rest, in-transit, in-use), DLP, backup/recovery
- Identity & Access Management: MFA, SSO, RBAC/ABAC, privileged access management (PAM)
- Behavioral Analytics: UEBA, ML-based anomaly detection, threat intelligence
- Security Operations: SIEM, SOAR, incident response, continuous monitoring
Key Principle: Each layer provides independent protection. Failure of one layer does not compromise the entire system.
For detailed layer-by-layer implementation patterns, see references/defense-in-depth.md.
2. Zero Trust Architecture
Implement "never trust, always verify" principles where every access request is authenticated, authorized, and continuously validated.
Core Zero Trust Principles:
- Continuous Verification: Authenticate and authorize every access request (no implicit trust)
- Least Privilege Access: Grant minimal permissions required, use just-in-time (JIT) access
- Assume Breach: Design systems expecting compromise, limit blast radius
- Explicit Verification: Verify user identity (MFA), device health, application integrity, context (location, time, behavior)
- Micro-Segmentation: Divide networks into small isolated zones, control east-west traffic
Zero Trust Architecture Components:
- Policy Engine: Centralized authorization decision point (allow/deny)
- Identity Provider (IdP): User/machine identity verification (Azure AD, Okta)
- Device Posture Service: Device health checks (MDM, EDR integration)
- Context/Risk Engine: Behavioral analytics, location, time, threat intelligence
- Policy Enforcement Points: Gateways enforcing decisions (ZTNA, API gateways)
For zero trust implementation roadmap and reference architecture, see references/zero-trust-architecture.md.
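The components listed above fit together as shown in this added example, which is not code from this skill or from any product: a minimal policy engine that combines signals from the IdP, the device posture service and the risk engine into a default-deny decision. The policy table, field names and risk ceilings are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy table (assumption): per-resource roles, risk ceiling, JIT need.
POLICIES = {
    "payroll-db": {"roles": {"finance-admin"}, "max_risk": 30, "require_jit": True},
    "wiki": {"roles": {"employee", "finance-admin"}, "max_risk": 70, "require_jit": False},
}

@dataclass
class AccessRequest:
    user: str
    roles: set[str]
    mfa_verified: bool      # signal from the identity provider
    device_compliant: bool  # signal from the device posture service
    risk_score: int         # 0-100 from the context/risk engine
    resource: str
    jit_grant_active: bool = False  # approved just-in-time elevation

def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Policy engine: return ("allow" | "deny", reasons). Anything unknown is denied."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "deny", ["no policy for resource (default deny)"]
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not req.device_compliant:
        reasons.append("device fails posture check")
    if not req.roles & policy["roles"]:
        reasons.append("no role grants access (least privilege)")
    if policy["require_jit"] and not req.jit_grant_active:
        reasons.append("no active JIT grant")
    if req.risk_score > policy["max_risk"]:
        reasons.append(f"risk {req.risk_score} exceeds ceiling {policy['max_risk']}")
    return ("deny", reasons) if reasons else ("allow", [])

if __name__ == "__main__":
    # Constructed requests: the enforcement point re-asks on every request,
    # so a risk score that rises mid-session flips the decision.
    req = AccessRequest("alice", {"finance-admin"}, True, True, 10, "payroll-db", True)
    print(decide(req))
    req.risk_score = 85  # e.g. the risk engine flags an unusual location
    print(decide(req))
```

Returning every failed check, rather than stopping at the first, gives the enforcement point and the audit log the full reason for a denial.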
3. Threat Modeling
Systematically identify, prioritize, and mitigate security threats through structured methodologies.
Primary Methodologies:
| Methodology | Purpose | Complexity | Best For |
|---|---|---|---|
| STRIDE | Threat identification | Low | Development teams, quick threat analysis |
| PASTA | Risk-centric analysis | High | Enterprise risk management |
| DREAD | Risk scoring | Low | Prioritizing existing threats |
| Attack Trees | Visual threat analysis | Medium | Security architecture reviews |
STRIDE Threat Categories:
- Spoofing: Attacker impersonates another user/system (Mitigation: MFA, certificate validation)
- Tampering: Unauthorized data modification (Mitigation: Encryption, digital signatures)
- Repudiation: User denies action without proof (Mitigation: Audit logs, non-repudiation)
- Information Disclosure: Confidential data exposure (Mitigation: Encryption, access controls, DLP)
- Denial of Service: System unavailability (Mitigation: Rate limiting, DDoS protection, redundancy)
- Elevation of Privilege: Gaining higher privileges (Mitigation: Least privilege, input validation, patching)
STRIDE Application Process:
1. Model the system using data flow diagrams (DFDs)
2. Identify threats by applying STRIDE to each component/data flow
3. Document threats with STRIDE categories
4. Prioritize threats using DREAD scoring or business impact
5. Design mitigation controls
For detailed threat modeling methodologies, PASTA process, DREAD scoring, and attack trees, see references/threat-modeling.md. For threat modeling examples, see examples/threat-models/.
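The identification and prioritization steps of the STRIDE process can be run as code, shown here as an added example that is not part of this skill's reference files. It uses the commonly cited STRIDE-per-element chart and scores DREAD as the mean of five 1-10 ratings (one common convention, assumed here); the DFD and the ratings are constructed.

```python
from __future__ import annotations

# STRIDE-per-element chart: categories that apply to each DFD element type.
# (Repudiation on a data store matters mainly when the store holds logs.)
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TRID", "data_flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}

# Constructed DFD of a small login service (assumption, not from the page).
DFD = [("Browser user", "external_entity"), ("Login API", "process"),
       ("HTTPS request", "data_flow"), ("User DB", "data_store")]

# Constructed DREAD ratings, 1-10 each: damage, reproducibility,
# exploitability, affected users, discoverability.
RATINGS = {
    ("Login API", "Spoofing"): (8, 9, 7, 9, 7),
    ("User DB", "Information Disclosure"): (10, 5, 4, 10, 5),
    ("HTTPS request", "Tampering"): (6, 3, 3, 6, 4),
}

def enumerate_threats(dfd):
    """Apply STRIDE to every element; return (element, category) pairs."""
    return [(name, NAMES[c]) for name, kind in dfd for c in STRIDE_PER_ELEMENT[kind]]

def dread_score(ratings):
    """Mean of the five DREAD ratings; rejects out-of-range or missing values."""
    if len(ratings) != 5 or not all(1 <= r <= 10 for r in ratings):
        raise ValueError(f"need five ratings in 1-10, got {ratings!r}")
    return sum(ratings) / 5

def prioritize(threats, ratings):
    """Return (ranked, unrated): scored threats highest first, plus the
    threats nobody has rated yet so they are not silently dropped."""
    ranked = sorted(((dread_score(ratings[t]), t) for t in threats if t in ratings),
                    key=lambda s: (-s[0], s[1]))
    unrated = [t for t in threats if t not in ratings]
    return ranked, unrated

if __name__ == "__main__":
    ranked, unrated = prioritize(enumerate_threats(DFD), RATINGS)
    for score, (element, category) in ranked:
        print(f"{score:4.1f}  {element}: {category}")
    print(f"{len(unrated)} threats still need a DREAD rating")
```

The unrated list is the review backlog: each enumerated threat is either scored or explicitly outstanding, so none drops out of the model unnoticed.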
Security Control Frameworks
Map security controls to industry frameworks to ensure comprehensive coverage and compliance.
NIST Cybersecurity Framework (CSF) 2.0
6 Core Functions:
- GOVERN (GV): Risk management strategy, policies, supply chain risk management
- IDENTIFY (ID): Asset inventory, risk assessment, continuous improvement
- PROTECT (PR): Access control, data security, platform security, infrastructure resilience
- DETECT (DE): Continuous monitoring, anomaly detection, security event analysis
- RESPOND (RS): Incident management, analysis, communication, mitigation
- RECOVER (RC): Recovery planning, execution, post-incident improvement
Usage: Map security controls to NIST CSF categories to ensure coverage of all security functions. The CSF provides a risk-based, flexible framework for security programs.
For detailed NIST CSF category mapping and subcategories, see references/nist-csf-mapping.md.
CIS Critical Security Controls v8
18 Controls organized in 3 Implementation Groups:
- IG1 (Basic): 56 safeguards for small organizations (asset inventory, access control, logging, backups)
- IG2 (Intermediate): +74 safeguards for mid-sized organizations with IT security staff
- IG3 (Advanced): +23 safeguards for large enterprises with dedicated security teams
Top Priority Controls (IG1):
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
Usage: CIS Controls provide a prescriptive, measurable security baseline. Start with IG1, then progress to IG2/IG3 as security maturity increases.
For detailed CIS Controls implementation guidance, see references/cis-controls.md.
OWASP Top 10 Risk Mitigation
Map OWASP Top 10 application security risks to architectural controls:
| OWASP Risk | Primary Control | Framework Mapping |
|---|---|---|
| Injection | Parameterized queries, input validation | NIST PR.DS, CIS 16 |
| Broken Authentication | MFA, secure session management | NIST PR.AC, CIS 5, 6 |
| Sensitive Data Exposure | Encryption, key management | NIST PR.DS, CIS 3 |
| XXE | Disable external entities, use JSON | NIS |