Security Architecture (SecA)

Security Architecture, Cyber Security or IT Security Architecture is the coherent set of concepts and their principles that are (to be) implemented in an organization.

The better your implemented SecA is, the safer and more secure your company is.

Every company has a form of security architecture (a coherent set of concepts and their principles) implemented.

The question is how much or mature your current state security architecture is aligned with your strategy and policies.

To find that out and get insights into, an overview of your security architecture, one can collect data on and document the used concepts, principles, elements, rules, and standards.

With that data one can create or generate architecture visualizations at a conceptual, logical, and physical level.

On this page, we introduce an example of conceptual and logical level security architecture visualization.

The definition of Security

Security is often defined as a process to increase the reliability of a system in terms of confidentiality, integrity, and authenticity.

The Dragon1 open EA method proposes to sharpen that definition for security like this:

The security of a system is the coherent set of measures taken to improve control over access and usage of a system.

Security is not so much a process but a state of a system. Securing a system is a process, like defending is a process.

Why does this nuance matter?

This matters because you can have a great security management process, but still bad security (control over the access and usage of your system).

Security Architecture Atlas

Most companies worldwide never have heard of security architecture let alone document or visualize their security architecture.

Dragon1 as an open EA method promotes daily updates and uses a security architecture atlas, meaning a coherent set of visualizations and views of security architecture for key stakeholders in your company.

Security Architecture Frameworks

Dragon1 promotes making use of a security architecture framework.

Dragon1 has defined a five-layer framework with concepts for governing security, detecting attacks and breaches, protecting systems, responding to attacks and breaches, and recovering from attacks and breaches.

This Dragon1 framework helps to measure, compare, control, and monitor the safety and security of your company's processes, applications, data and IT infrastructure, employees, and locations.

Security Architecture Concepts

Examples of generic and common security concepts are reliability, safety, identification, authentication, authorization, access, monitoring, auditing, and accountability.

Every company has a form of these concepts implemented.

The main security concept that ISO 27001, the international standard for Security, introduces, is ISMS. An ISMS is an Information Security Management System.

An Information Security Management System (ISMS) is defined as a set of rules that a company needs to establish to make the company safer and more secure.

Dragon1 considers the following security concepts to be key for every company:

  • Information Security Management System (ISMS)
  • Monitor->Improve->Secure (MIS)
  • Intrusion Detection
  • Intrusion Detection System (IDS)
  • Intruder Detection Lockout (IDL)
  • Network Activity Monitoring
  • Malicious Activity monitoring
  • Event
  • Incident
  • Event Monitoring
  • Incident Monitoring
  • Process Chain Disruption
  • Process Disruption
  • Task/Activity Disruption
  • Security Operation Center
  • Zero Trust Security
  • Privacy by Design
  • Least Privilege
  • Fault Tolerant
  • Default Deny
  • Layered Security
  • Passive Attack
  • Active Attack
  • Denial of Service Attack
  • Cryptographic Attack
  • Spoofing
  • Fishing
  • Controling (Automated) Decision making in processes
  • Application Access
  • Data Access
  • Application Hack
  • Network Hack
  • Data Breach
  • Software Virus
  • Ransomware
  • Antivirus software
  • Firewall
  • Single Signon
  • User Authentication
  • Machine Authentication
  • Demilitarized Zone (DMZ)
  • Security Policy
  • Security Measures
  • Acces Control policies
  • Authorization Policies (to access an application)
  • Layering
  • Abstractions
  • Obfuscation
  • Data Hiding
  • Data Encryption
  • Vital Infrastructure
  • Tenet
  • Segementation
  • Micro Segmentation
  • Compromised Network
  • Compromised Machine
  • Mission Critical Systems

The C-suite and senior management of every organization (government agency, foundation, and commercial company) in the world should understand how well the above concepts are implemented and aligned with the strategy and policies. Download here the Security Architecture [PDF]

Security Architecture Elements

A concept consists of logical and functional elements at the physical level of technical components.

In architecture we need both views of a concept.

Elements in their turn can be viewed as concepts themselves.

Let's take a look at the DMZ concept.

A DMZ or demilitarized zone is a physical or logical sub-network that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet (according to Wikipedia).

Common elements in a DMZ are services like web servers, FTP servers, Mail Servers, and VoIP Servers.

There are two main types of DMZs: The Single Firewall DMZ and the Dual Firewall DMZ.

So next to services, servers, firewalls are also common elements of a DMZ.

Using the above knowledge and information is it possible to analyze whether or not the concept of DMZ is implemented, what type of DMZ there is, and what could and should be done to improve the quality (effectiveness) of the DMZ.

Security Architecture Principles

Every Security concept has one or more ways of working or working mechanisms. A working mechanism of a concept we call the concept principle.

Guidelines are recognized to help implement the principle.

The list below shows per concept a principle.

  • Zero Trust Security - By never trusting anyone and always verifying someone's identity, the network becomes safer.
  • Privacy by Design - By designing an IT system where sensitive and personal data is automatically protected from unauthorized access, the IT system per definition is made more secure.
  • Least Privilege - By designing an IT system where only the necessary features are provided role-based, the IT system per definition is made more safe and secure.
  • Layered Security - By building providing security controls at various places or levels in the IT-Infrastructure, breaching one place or level does not mean an entity has access to everything right away, thus making the entire system more safe and secure.
  • Fault Tolerant - By creating a system that includes redundancy, fault isolation, fault detection and annunciation, and online repair, the system will be fault tolerant and highly available
  • Default Deny - By denying a user access by default and only granting access after verification, a network and application are made more safe and secure.

More Reading on Security Architecture

Here you can read what you can do with Security Architecture:

Architecting Solutions

DEMO: Concept Mapping Software

How to use Dragon1 EA Tool

Learn to generate architecture diagrams using repositories
DEMO: BPMN Onboarding Process Example

DEMO: BPMN Onboarding Process Diagram - Measure Rules Compliance

Manufacturing, Financial Solutions
DEMO: Enterprise Architecture Blueprint Template

DEMO: Generate an Enterprise Architecture Blueprint to discover and solve RISK

Banking, Logistics, Healthcare
DEMO: Data Mapping Software

DEMO: Generate Application Landscape for SECURITY

Automotive, Financial Services, Health Care
DEMO: Strategy Mapping Software

DEMO: Generate Strategy Map for CLOUD ADOPTION

Government, Logistics, Banking
DEMO: Process Application Map

DEMO: Generate Landscape for RPA AUTOMATION

Retail, Agriculture, Energy, Oil & Gas