Security Architecture

Identifying risks and mitigating controls to protect the business.

There isn't one common definition of the term 'Security Architecture'. However, from experience, it is the combined process and product of identifying information security risks and the controls to mitigate those risks, in alignment with an overall solution architecture. TemplatesIT has derived its security architecture methodology based on the following principles:

  • Life-cycle based

  • Risk driven

  • Defense in depth

  • Traceability assured

Risk driven

Information security is all about protecting information and information systems from threats, or in other words, treating risks. A security architecture must identify all the relevant security risks and the controls necessary to treat them, and it must do so in detail.

Traceability Assured

Any architecture (security or not) should have a mechanism to trace back to the overall requirements that drive it. In the absence of traceability, it may not be visible why certain controls are necessary in the overall architecture.

Life-cycle based

All systems get designed, built, implemented, operated and eventually retired. A security architecture has an element in each phase of this life-cycle. The major life-cycle phases are:

  • Requirements gathering

  • Design

  • Implementation

  • Operation 

Defense in Depth

Defense in depth is a security principle that is applied to protect an organization's information assets. Security of an information asset should not rely solely on a single component. Controls must be layered around the asset like onion rings, such that failure of one control does not result in a security breach. Any component implementation should follow the identify, protect, detect, respond and recover approach of the NIST Cybersecurity Framework.