There isn't one common definition of the term 'Security Architecture'. However, from experience, it is the combined process and product of identifying information security risks and the controls to mitigate those risks, in alignment with an overall solution architecture. TemplatesIT has derived its security architecture methodology based on the following principles:
Defense in depth
Information security is all about protecting information and information systems from threats or, in other words, treating risks. A security architecture must therefore identify, in detail, all the relevant security risks and the controls necessary to treat them.
Any architecture (security or not) should have a mechanism to trace back to the overall requirements that drive it. In the absence of traceability, it may not be visible why certain controls are necessary in the overall architecture.
All systems get designed, built, implemented, operated and eventually retired. A security architecture has an element in each phase of this life-cycle. The major life-cycle phases are:
Defense in depth is a security principle that is applied to protect an organization's information assets. The security of an information asset should not rely solely on a single component. Controls must be layered like the rings of an onion, such that the failure of one control does not result in a security breach. Any component implementation should follow the identify, protect, detect, respond and recover approach of the NIST Cybersecurity Framework.
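The traceability and defense-in-depth principles above can be checked mechanically once risks, requirements and controls are recorded as data. The following is an added example, not part of the TemplatesIT methodology: the data model, the IDs (`REQ-1`, `R1`, `C1`, ...) and the finding names are assumptions made up for illustration.

```python
from collections import defaultdict

CSF_FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")

# Constructed sample model; every ID and description is hypothetical.
REQUIREMENTS = {"REQ-1": "Admin access is strongly authenticated",
                "REQ-2": "Customer data survives a storage failure"}
RISKS = {"R1": "Stolen admin credentials",
         "R2": "Storage failure",
         "R3": "Malicious file upload"}
CONTROLS = [
    {"id": "C1", "function": "protect", "risks": ["R1"], "reqs": ["REQ-1"]},
    {"id": "C2", "function": "detect", "risks": ["R1"], "reqs": ["REQ-1"]},
    {"id": "C3", "function": "recover", "risks": ["R2"], "reqs": ["REQ-2"]},
    {"id": "C4", "function": "protect", "risks": ["R1"], "reqs": []},
]


def review(requirements, risks, controls):
    """Return (findings, gaps): sorted (kind, id) tuples, and per risk
    the CSF functions that no control covers."""
    findings = set()
    treating = defaultdict(list)  # risk id -> functions of its controls
    for c in controls:
        # Traceability: each control must trace to a known requirement.
        if not any(r in requirements for r in c["reqs"]):
            findings.add(("untraceable-control", c["id"]))
        if c["function"] not in CSF_FUNCTIONS:
            findings.add(("unknown-function", c["id"]))
        for rid in c["risks"]:
            if rid in risks:
                treating[rid].append(c["function"])
            else:
                findings.add(("unknown-risk", c["id"]))
    gaps = {}
    for rid in risks:
        funcs = treating[rid]
        if not funcs:
            findings.add(("untreated-risk", rid))
        elif len(funcs) < 2:
            # Defense in depth: one control is a single point of failure.
            findings.add(("single-control", rid))
        gaps[rid] = [f for f in CSF_FUNCTIONS if f not in funcs]
    return sorted(findings), gaps


if __name__ == "__main__":
    for kind, ident in review(REQUIREMENTS, RISKS, CONTROLS)[0]:
        print(f"{kind}: {ident}")
```

On the sample model this reports that R2 depends on a single control, C4 cannot be traced to any requirement, and R3 has no control at all; the `gaps` map shows which of the five functions each risk still lacks.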