Gartner Blog Network


In 2018, What Is Security Architecture?

by Anton Chuvakin  |  August 31, 2018  |  7 Comments

Summer is a less busy time here in terms of client calls [hey … you can book an analyst call for tomorrow … even with me :-)], so we get more time to think about big things.

Here is one: security architecture. Expect more interesting research from our team on modern security architecture in the near future. For now, let’s ponder the term itself.

[Image: sec-arch-book]

I found this 1990s book on my shelves – it quaintly mentions “PKI” and “enterprise Java beans.” Is this what we think of security architecture today? Probably not. OK, so what DO we think of it?

First, sadly, we do see organizations that still equate “security architecture” with NETWORK security architecture. Namely, firewall zone design, NIPS placement and such. Very 1990s. But perhaps this is where their overall security is, so architecture thinking is a step up for them (as I once joked on Twitter, “What do you call people who move up to Stone Age tech? Where do they move up from?”).

Second, we do see more enlightened organizations that nevertheless have a very fragmented view of security architecture. As in: here is our cloud security architecture, and here is how we architect applications with security in mind, etc. This is great; however, it avoids the question of “what is security architecture?” by letting them pick “all of the above” as the answer. In essence, they live in a world of security architectures, not of security architecture.

Third, we see “the framework crowd” – organizations that like SABSA or TOGAF or some other “industry” framework for security architecture. These may have a single and coherent view of security architecture, but one defined for them by an external party. This means their security architecture is modern only as long as said external party has modernized the models. More on this in the upcoming post…

All this said, how do YOU define security architecture for the modern era of cloud, virtual, mobile, big data, DevOps, “AI”, etc?

Category: architecture, security

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on In 2018, What Is Security Architecture?


  1. Tangled Beard says:

    Security architecture is defined as a title that doubles your salary when doing the same work as a security engineer.

  2. Ana says:

    Well, as we speak of “architecture”, I’d put on my drawing the people moving around all the “network security”, including external parties, auxiliary staff etc… because that’s the point that, at least in my part of the world, people don’t get. Part of a “security architecture” are also answers to questions such as “how do I motivate the guy in the AI team not to work against me but with me?”… I don’t have space here to detail it, but in general lines this is my view.

  3. Nichols says:

    Definition is hard, but I will try it :).
    I argue that security architecture is the designing of security controls in a defined scope with the goal of assuring system security requirements. Maybe this sounds too “IT focused”, but the definition is broad, including systems composed of environments, people, IT, processes and so on. The security architect is responsible for looking at these requirements (derived from risk analysis) and at how they can be achieved, thinking basically about the security momentum (prevent, detect, respond, recover).

  4. Gaurav Pal says:

    Anton – thanks for this post. My definition of security architecture is how an enterprise will ensure the confidentiality, integrity and availability of their digital assets while delivering value to their customers.


