This page covers enterprise-level security architecture — how to design, build, and operate secure systems at scale.
See Cybersecurity for foundational concepts and Ethical Hacking Advanced for offensive security.
This is experimental page for Design.
Security Architecture Fundamentals
What is Security Architecture?
The discipline of designing systems that are secure by design — not bolted on afterward.
Combines: risk management, technical controls, policies, and people.
graph TD
RISK["Risk Management<br/>Identify · Assess · Treat · Monitor"]
POLICY["Security Policy<br/>Governance · Standards · Procedures"]
ARCH["Technical Architecture<br/>Network · Identity · Data · App · Endpoint"]
OPS["Security Operations<br/>SOC · IR · Threat Hunting · Patching"]
AUDIT["Audit & Compliance<br/>ISO 27001 · PCI DSS · GDPR · HIPAA"]
RISK --> POLICY --> ARCH --> OPS --> AUDIT --> RISK
Security Architecture Domains
Domain Scope Key Controls Network Security Perimeter, segmentation, traffic Firewall, IDS/IPS, VPN, ZTNA Identity & Access Who can access what IAM, MFA, PAM, SSO Endpoint Security Devices and workstations EDR, disk encryption, patching Application Security Code and APIs SAST, DAST, WAF, secure SDLC Data Security Data at rest and in transit Encryption, DLP, classification Cloud Security Cloud workloads and services CSPM, CWPP, CASB Physical Security Buildings and hardware Access control, CCTV, locks Security Operations Detection and response SIEM, SOAR, SOC, IR
Risk Management Framework
graph LR
ID["Identify Assets<br/>What are we protecting?"]
THREAT["Identify Threats<br/>What could go wrong?"]
VULN["Identify Vulnerabilities<br/>What weaknesses exist?"]
RISK["Calculate Risk<br/>Likelihood × Impact"]
TREAT["Treat Risk<br/>Accept · Mitigate · Transfer · Avoid"]
MONITOR["Monitor<br/>Continuous reassessment"]
ID --> THREAT --> VULN --> RISK --> TREAT --> MONITOR --> ID
Risk Treatment Description Example Accept Risk is within tolerance Low-severity finding, cost > benefit Mitigate Implement controls to reduce risk Patch vulnerability, add MFA Transfer Shift risk to third party Cyber insurance, outsource Avoid Eliminate the risky activity Don’t collect unnecessary data
Zero Trust Architecture (Deep Dive)
Zero Trust Principles
graph TD
subgraph ZT["Zero Trust Architecture"]
ID["Identity<br/>Verify every user<br/>MFA · Passwordless · PAM"]
DEV["Device<br/>Verify device health<br/>MDM · EDR · Compliance"]
NET["Network<br/>Micro-segmentation<br/>Encrypt all traffic<br/>ZTNA replaces VPN"]
APP["Application<br/>Per-app access control<br/>App-level auth<br/>API security"]
DATA["Data<br/>Classify + protect<br/>DLP · Encryption<br/>Data governance"]
end
POLICY["Policy Engine<br/>Continuous evaluation<br/>Context-aware decisions"]
ID & DEV & NET & APP & DATA --> POLICY
Zero Trust vs Traditional Perimeter
Aspect Traditional Perimeter Zero Trust Trust model Trust inside network Never trust, always verify Network boundary Hard perimeter (castle + moat) No perimeter — identity is the boundary VPN Required for remote access Replaced by ZTNA Lateral movement Easy once inside Blocked by micro-segmentation User verification Once at login Continuous, context-aware Device trust Assumed if on network Verified health + compliance
Implementing Zero Trust
graph LR
P1["Phase 1 — Visualize<br/>Inventory all assets<br/>Map data flows<br/>Identify trust boundaries"]
P2["Phase 2 — Mitigate<br/>MFA everywhere<br/>Least privilege<br/>Micro-segmentation"]
P3["Phase 3 — Optimize<br/>Continuous monitoring<br/>Automated response<br/>User behavior analytics"]
P1 --> P2 --> P3
Technology Zero Trust Role IAM (Okta, Azure AD) Identity verification + SSO MFA / FIDO2 Strong authentication PAM (CyberArk, BeyondTrust) Privileged access control MDM (Intune, Jamf) Device health verification EDR (CrowdStrike, SentinelOne) Endpoint security posture ZTNA (Zscaler, Cloudflare Access) Replace VPN with app-level access CASB (Netskope, McAfee MVISION) Cloud app visibility + control Micro-segmentation (Illumio, NSX) East-west traffic control SIEM + UEBA Continuous monitoring + anomaly detection
Network Security Architecture
Enterprise Network Design
graph TD
INET["🌐 Internet"]
DDOS["DDoS Protection<br/>Cloudflare · AWS Shield · Akamai"]
FW1["Next-Gen Firewall<br/>Palo Alto · Fortinet · Check Point"]
DMZ["DMZ<br/>Web servers · Reverse proxies<br/>Email gateway · DNS"]
FW2["Internal Firewall<br/>Segment internal zones"]
CORP["Corporate LAN<br/>User workstations"]
SERVER["Server Zone<br/>App servers · Databases"]
MGMT["Management Zone<br/>Jump servers · PAM<br/>Monitoring · SIEM"]
OT["OT/IoT Zone<br/>Isolated from IT network"]
INET --> DDOS --> FW1 --> DMZ --> FW2
FW2 --> CORP & SERVER & MGMT & OT
Firewall Architecture
Firewall Type Layer Capabilities Packet Filter L3/L4 IP/port rules, stateless Stateful L4 Connection tracking Application (NGFW) L7 App identification, IPS, SSL inspection WAF L7 HTTP Web app protection (SQLi, XSS, OWASP) Cloud-native L3-L7 AWS Security Groups, Azure NSG
IDS vs IPS
Feature IDS IPS Position Out-of-band (mirror port) Inline (traffic passes through) Action Alert only Alert + Block Risk No impact on traffic Can block legitimate traffic Use case Detection, forensics Active prevention Examples Snort (IDS mode), Zeek Snort (IPS mode), Suricata
VPN vs ZTNA
Feature Traditional VPN ZTNA Access model Full network access Per-application access Trust Implicit once connected Continuous verification Lateral movement Possible Blocked Performance Backhauled through HQ Direct to app User experience Complex client Transparent Examples OpenVPN, Cisco AnyConnect Zscaler, Cloudflare Access, BeyondCorp
DNS Security Architecture
graph LR
CLIENT["Client DNS Query"]
FILTER["DNS Filtering<br/>Cisco Umbrella · Cloudflare Gateway<br/>Block malicious domains"]
DNSSEC["DNSSEC Validation<br/>Verify DNS record signatures"]
DOH["DNS over HTTPS/TLS<br/>Encrypt DNS queries"]
RESP["DNS Response"]
CLIENT --> FILTER --> DNSSEC --> DOH --> RESP
Identity Architecture
IAM Architecture
graph TD
USER["👤 User / Service / Device"]
IDP["Identity Provider<br/>Azure AD · Okta · Ping<br/>Google Workspace"]
MFA["MFA Layer<br/>TOTP · FIDO2 · Push"]
SSO["SSO / Federation<br/>SAML · OIDC · OAuth 2.0"]
AUTHZ["Authorization<br/>RBAC · ABAC · PBAC"]
PAM["PAM<br/>Privileged Access<br/>CyberArk · BeyondTrust"]
APP["Applications<br/>SaaS · On-prem · APIs"]
USER --> IDP --> MFA --> SSO --> AUTHZ --> APP
AUTHZ --> PAM --> APP
Privileged Access Management (PAM)
PAM Capability Description Vault Store privileged credentials encrypted Session recording Record all privileged sessions for audit Just-in-time access Grant privilege only when needed, auto-expire Password rotation Auto-rotate service account passwords Dual control Require approval for sensitive operations Break-glass Emergency access with full audit trail
Directory Services
Service Protocol Use Case Active Directory LDAP + Kerberos Windows enterprise Azure AD / Entra ID OIDC + SAML Cloud + hybrid LDAP (OpenLDAP) LDAP Linux/Unix environments FreeIPA LDAP + Kerberos Linux enterprise Okta SAML + OIDC Cloud-first IAM
Cloud Security Architecture
Cloud Security Reference Architecture
graph TD
subgraph CLOUD["☁️ Cloud Environment"]
CSPM["CSPM<br/>Cloud Security Posture Management<br/>Misconfig detection"]
CWPP["CWPP<br/>Cloud Workload Protection<br/>Runtime security"]
CASB["CASB<br/>Cloud Access Security Broker<br/>SaaS visibility + control"]
CIEM["CIEM<br/>Cloud Infrastructure Entitlement<br/>IAM risk management"]
end
subgraph DETECT["Detection & Response"]
SIEM["SIEM<br/>Log aggregation + correlation"]
SOAR["SOAR<br/>Automated response playbooks"]
XDR["XDR<br/>Extended Detection & Response"]
end
CLOUD --> DETECT
AWS Security Architecture
graph TD
ACCOUNT["AWS Account<br/>Root account (MFA + no daily use)"]
ORG["AWS Organizations<br/>Multi-account strategy<br/>SCPs (Service Control Policies)"]
IAM["IAM<br/>Least privilege roles<br/>No long-term access keys<br/>IAM Access Analyzer"]
VPC["VPC Architecture<br/>Public subnet (ALB, NAT)<br/>Private subnet (EC2, RDS)<br/>Security Groups + NACLs"]
DETECT["Detection<br/>GuardDuty · Security Hub<br/>CloudTrail · Config · Macie"]
PROTECT["Protection<br/>WAF · Shield · KMS<br/>Secrets Manager · Inspector"]
ACCOUNT --> ORG --> IAM & VPC & DETECT & PROTECT
Multi-Account Strategy
Account Purpose Management/Root Billing, Organizations, SCPs only Security GuardDuty master, Security Hub, CloudTrail aggregation Log Archive Immutable centralized logging Shared Services DNS, AD, CI/CD, monitoring Production Live workloads Staging Pre-production testing Development Developer sandboxes
Container Security Architecture
graph LR
CODE["Source Code<br/>SAST · Secret scanning<br/>git-secrets · Semgrep"]
BUILD["Container Build<br/>Image scanning<br/>Trivy · Snyk · Grype"]
REGISTRY["Container Registry<br/>Signed images<br/>Vulnerability scanning<br/>ECR · ACR · GCR"]
DEPLOY["Kubernetes Deploy<br/>Admission controllers<br/>OPA/Gatekeeper · Kyverno<br/>Pod Security Standards"]
RUNTIME["Runtime Protection<br/>Falco · Aqua · Sysdig<br/>Network policies"]
CODE --> BUILD --> REGISTRY --> DEPLOY --> RUNTIME
SIEM & Security Operations
SIEM Architecture
graph LR
subgraph SOURCES["Log Sources"]
FW["Firewalls"]
EP["Endpoints<br/>EDR agents"]
APP["Applications<br/>Web · DB · Auth"]
CLOUD["Cloud<br/>AWS · Azure · GCP"]
NET["Network<br/>Flow data · DNS · DHCP"]
end
COLLECT["Log Collection<br/>Syslog · Beats · Fluentd<br/>API connectors"]
PARSE["Parsing & Normalization<br/>CEF · LEEF · ECS format"]
ENRICH["Enrichment<br/>Threat intel · GeoIP<br/>Asset context"]
CORRELATE["Correlation Engine<br/>Detection rules<br/>ML anomaly detection"]
ALERT["Alerting<br/>SOC dashboard<br/>Ticketing (JIRA, ServiceNow)"]
SOURCES --> COLLECT --> PARSE --> ENRICH --> CORRELATE --> ALERT
Detection Engineering
Sigma rule example — detect suspicious PowerShell title : Suspicious PowerShell Encoded Command status : stable description : Detects PowerShell with encoded command parameter logsource : category : process_creation product : windows detection : selection : Image|endswith : '\powershell.exe' CommandLine|contains : - '-EncodedCommand' - '-enc ' - '-ec ' condition : selection falsepositives : - Legitimate admin scripts using encoded commands level : medium tags : - attack.execution - attack.t1059.001 Key Detection Use Cases
Use Case Log Source Key Indicators Brute force Auth logs Multiple 4625 events → 4624 Lateral movement Windows Security 4624 type 3, unusual source Privilege escalation Windows Security 4672, 4673, 4674 New persistence Windows Security 7045, 4698, Run key changes Data exfiltration Network/DLP Large outbound transfers C2 communication DNS/Proxy DGA domains, beaconing Credential dumping Windows Security 4656 on LSASS, 4663 Ransomware Endpoint Mass file renames, shadow copy deletion
SOAR Playbooks
graph LR
ALERT["🚨 SIEM Alert<br/>Phishing email detected"]
ENRICH["Enrich<br/>Check sender reputation<br/>Analyze URLs/attachments<br/>VT · URLScan · Hybrid Analysis"]
DECIDE{"Malicious?"}
CONTAIN["Contain<br/>Block sender domain<br/>Quarantine email<br/>Isolate endpoint if clicked"]
NOTIFY["Notify<br/>Create ticket<br/>Alert SOC analyst<br/>Notify user"]
CLOSE["Close<br/>Document findings<br/>Update blocklists<br/>Tune detection rule"]
ALERT --> ENRICH --> DECIDE
DECIDE -->|Yes| CONTAIN --> NOTIFY --> CLOSE
DECIDE -->|No| CLOSE
DevSecOps Architecture
Secure CI/CD Pipeline
graph LR
CODE["💻 Code<br/>IDE security plugins<br/>Pre-commit hooks<br/>git-secrets"]
PR["Pull Request<br/>Code review<br/>SAST scan<br/>Secret detection"]
BUILD["Build<br/>Dependency scan (SCA)<br/>Container image scan<br/>License compliance"]
TEST["Test<br/>DAST scan<br/>Pentest (scheduled)<br/>Fuzz testing"]
STAGE["Staging<br/>IAC security scan<br/>Compliance check<br/>Penetration test"]
PROD["Production<br/>Runtime protection<br/>Monitoring + alerting<br/>Patch management"]
CODE --> PR --> BUILD --> TEST --> STAGE --> PROD
Stage Tool Category Examples IDE Security plugins SonarLint, Snyk IDE, Semgrep Pre-commit Secret scanning git-secrets, truffleHog, gitleaks PR/Build SAST SonarQube, Checkmarx, Semgrep Build SCA (dependencies) Snyk, Dependabot, OWASP Dependency-Check Build Container scanning Trivy, Grype, Snyk Container Test DAST OWASP ZAP, Burp Suite Enterprise Deploy IaC scanning Checkov, tfsec, KICS Runtime RASP Sqreen, Contrast Security Runtime CWPP Falco, Aqua, Sysdig
Infrastructure as Code Security
IaC security scanning # Terraform security scanning checkov -d ./terraform/ # scan Terraform files tfsec ./terraform/ # Terraform security scanner terrascan scan -t terraform # policy-as-code scanner
# Kubernetes manifest scanning checkov -d ./k8s/ # scan K8s manifests kubesec scan deployment.yaml # K8s security risk analysis kube-score score deployment.yaml # best practice check
# Docker security hadolint Dockerfile # Dockerfile linting trivy image myapp:latest # container image CVE scan docker scout cves myapp:latest # Docker Scout scanning Compliance & Governance
Major Compliance Frameworks
Framework Scope Key Requirements ISO/IEC 27001 Global ISMS Risk assessment, 114 controls, annual audit SOC 2 Type II US SaaS/cloud Trust Service Criteria, 6-month audit PCI DSS v4 Payment cards 12 requirements, quarterly scans HIPAA US healthcare PHI protection, breach notification GDPR EU data Consent, data rights, 72hr breach notification NIST CSF US federal Identify/Protect/Detect/Respond/Recover CIS Controls v8 General 18 controls, implementation groups FedRAMP US federal cloud NIST 800-53 controls, continuous monitoring
Security Policy Hierarchy
graph TD
POL["Policy<br/>High-level management intent<br/>'All data must be encrypted'"]
STD["Standard<br/>Specific requirements<br/>'Use AES-256 for data at rest'"]
PROC["Procedure<br/>Step-by-step instructions<br/>'How to enable disk encryption'"]
GUIDE["Guideline<br/>Recommended practices<br/>'Consider using LUKS on Linux'"]
POL --> STD --> PROC --> GUIDE
More Learn
Github & Webs
Master Playlists YouTube