Security Architecture

Identifying risks and mitigating controls to protect the business.

There isn't one common definition to the term 'Security Architecture'. However, from experience, 'it is the combined process and product of identifying information security risks and the controls to mitigate those risks in alignment with an overall solution architecture. TemplatesIT has derived its security architecture methodology based on the following principles:

Life-cycle based
Risk driven
Defense in depth
Traceability assured

Security Architecture

Information security is all about protecting information and information systems from threats or in other words, treating risks. A security architecture must identify all the relevant security risks and identify the controls necessary to treat the risks. Therefore, the security architecture must identify the risks and controls in detail.

Risk driven

Any architecture (security or not) should have a mechanism to trace back to its overall requirements that drives them. In the absence of traceability, it may not be visible why certain controls are necessary in the overall architecture.

Traceability Assured

All systems get designed, built, implemented, operated and eventually retired. A security architecture has en element in each phase of this life-cycle. The major life-cycle phases are:

Requirements gathering
Design
Implementation
Operation

Life-cycle based

Defense in depth is a security principle that is applied to protect an organization's information assets. Security of an information asset should not rely solely on a single component. It must be layered around like onion rings, such that failure of one control should not result in a security breach. Any component implementation should follow the identify, protect, detect, respond and recover approach of NIST cybersecurity framework.