Security Architecture is defined as a set of methods, principles, processes, and technologies which are designed to keep systems & data safe. A solid architecture is the blueprint of a good security program, and usually leads to fewer security issues. It can speed up response time following incidents, increase operational efficiency, and - if done correctly - create a better user experience across the enterprise.

Establishing Security Architecture

To establish a successful security architecture, create and follow a framework using the steps below. There are several existing security architecture frameworks, such as TOGAF, SABSA, or OSA, which provide well-structured approaches to designing and implementing security architectures.

  1. Define objectives - determine high level goals and the scope of coverage
  2. Asses - identify threats & vulnerabilities, and utilize a gap analysis to understand existing controls compared to what is needed
  3. Create policies - create security policies, standards, and procedures to govern the security program and drive requirements
  4. Design the security architecture - define architectural elements (see below) and leverage industry standard control frameworks that closely match required objectives and goals
  5. Implementation - implement technical and non-technical controls
  6. Documentation - document security architecture and provide relevant training
  7. Continuous improvement - develop key metrics and processes for continuous review and improvement

Architectural Elements

A comprehensive security architecture framework should minimally include the elements listed below.

  • Governance, including policies, standards, risk management best practices, and compliance requirements
  • Asset inventory and classification
  • Identity and access management, including authentication, authorization, and privileged access management
  • Network access controls such as firewalls and IDS/IPS, as well as network segmentation and a zero-trust framework
  • Endpoint security, Antivirus, and EDR
  • Secure coding practices, SDLC, and application firewalls
  • Vulnerability and patch management
  • Cloud security controls and assurances structured around the cloud shared responsibility model
  • Encryption
  • Data loss prevention, content filtering, and email security
  • Change control and configuration management
  • System hardening
  • IOT Security
  • Physical security
  • Third party and hardware / software supply chain security
  • Monitoring, detection, and incident response
  • Training for users, developers and administrators
  • Metrics and reporting
  • Assessment, testing, and continuous improvement

Don't forget the People

Security architecture requires a unique mix of analytic skills, business acumen, and a wide range of technical knowledge. Make sure the right talent is on board and that they've taken the time to fully understand the requirements and the environment while developing mature relationships with other key resources in Information Security and the rest of technology.