Security Architecture
Architecture patterns, defense in depth, secure design principles, and reference architectures.
Overview
Security architecture provides a structured approach to security design.
Architecture Patterns
Architecture Diagram
```
┌─────────────────────────────────────┐
│            Presentation             │
│         (Web, Mobile, API)          │
├─────────────────────────────────────┤
│             Application             │
│       (Business Logic, Auth)        │
├─────────────────────────────────────┤
│                Data                 │
│     (Database, Cache, Storage)      │
├─────────────────────────────────────┤
│           Infrastructure            │
│   (Network, Servers, Containers)    │
└─────────────────────────────────────┘
```
Secure Design Principles
| Principle | Description |
|---|---|
| Least Privilege | Minimum access needed |
| Defense in Depth | Multiple security layers |
| Fail Secure | Default to secure state |
| Separation of Duties | Split critical tasks |
| Complete Mediation | Check every access |
| Economy of Mechanism | Simple is better |
| Open Design | Don't rely on secrecy |
Reference Architecture
```yaml
security_architecture:
  perimeter:
    - firewall
    - waf
    - ddos_protection
  network:
    - segmentation
    - ids_ips
    - vpn
  application:
    - authentication
    - authorization
    - encryption
  data:
    - encryption_at_rest
    - encryption_in_transit
    - backup
  monitoring:
    - siem
    - logging
    - alerting
```
Network Security Zones
Architecture Diagram
```
┌─────────────────────────────────────┐
│              Untrusted              │
│             (Internet)              │
├─────────────────────────────────────┤
│                 DMZ                 │
│          (Public services)          │
├─────────────────────────────────────┤
│              Internal               │
│        (Application servers)        │
├─────────────────────────────────────┤
│             Restricted              │
│     (Databases, sensitive data)     │
└─────────────────────────────────────┘
```
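The zone model above can be enforced and audited in code. The following is an added example, not part of the original page: it mediates every connection with default deny and flags allow rules that bypass a zone. The adjacency policy, rule names and ports are constructed assumptions.

```python
from dataclasses import dataclass

# Zones from the diagram above, least to most trusted.
ZONES = ("untrusted", "dmz", "internal", "restricted")
# Assumed policy (not from the page): a connection may only be opened
# into the next, more trusted zone. Every other zone pair is denied.
ALLOWED_PAIRS = set(zip(ZONES, ZONES[1:]))


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    port: int


# Constructed sample rule set; the last two rules violate the zone model.
RULES = [
    Rule("web-in", "untrusted", "dmz", 443),
    Rule("app-api", "dmz", "internal", 8443),
    Rule("app-db", "internal", "restricted", 5432),
    Rule("legacy-report", "dmz", "restricted", 5432),   # skips the internal zone
    Rule("db-callback", "restricted", "untrusted", 443),  # opens a path outward
]


def evaluate(rules, src, dst, port):
    """Complete mediation: every attempt is checked, and the default is deny."""
    # Defense in depth: the zone model is checked independently of the rule
    # set, so a bad rule alone cannot open a path. Unknown zones fail secure.
    if (src, dst) not in ALLOWED_PAIRS:
        return "deny"
    if any((r.src, r.dst, r.port) == (src, dst, port) for r in rules):
        return "allow"
    return "deny"


def audit(rules):
    """Return one finding per allow rule that is not an adjacent inward hop."""
    return [f"{r.name}: {r.src} -> {r.dst} violates the zone model"
            for r in rules if (r.src, r.dst) not in ALLOWED_PAIRS]


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```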
Practice
Design a secure architecture for a cloud-native application.