Blog post

In 2018, What Is Security Architecture?

By Anton Chuvakin | August 31, 2018 | 7 Comments


Summer is a less busy time here in terms of client calls [hey … you can book an analyst call for tomorrow … even with me :-)], so we get more time to think about big things.

Here is one: security architecture. Expect more interesting research from our team on modern security architecture in the near future. For now, let’s ponder the term itself.


I found this 1990s book on my shelves – it quaintly mentions “PKI” and “enterprise Java beans.” Is this what we think of security architecture today? Probably not. OK, so what DO we think of it?

First, sadly, we do see organizations that still equate “security architecture” with NETWORK security architecture. Namely, firewall zone design, NIPS placement and such. Very 1990s. But perhaps this is where their overall security is, so architecture thinking is a step up for them (as I once joked on Twitter, “What do you call people who move up to Stone Age tech? Where do they move up from?”)

Second, we do see more enlightened organizations that nevertheless have a very fragmented view of security architecture. As in: here is  our cloud security architecture, and here is how we architect application with security in mind, etc. This is great, however, this avoids the question of “what is security architecture?” by letting them pick “all of the above” as a choice. In essence, they live in the world of security architectures, not architecture.

Third, we see “the framework crowd” – organizations that like SABSA or TOGAF or some other “industry” framework for security architecture.  These may have a single and coherent view of security architecture, but one defined  by an external party for them. This means, their security architecture is modern as long as said external party modernized the models.  More on this in the upcoming post…

All this said, how do YOU define security architecture for the modern era of cloud, virtual, mobile, big data, DevOps, “AI”, etc?

Comments are closed


  • Tangled Beard says:

    security architecture is defined as a title that doubles your salary when doing the same work as a security engineer

  • Ana says:

    Well, as we speak of “architecture” i’d put on my drawing the people moving around all the “network security” including external parties, auxiliary staff etc… because that’s the point that at least in my part of the world that people don’t get. Part of a “security architecture” are also answers to questions as “how to i motivate the guy in AI team not to work against me but with me?”… I don’t have space here to detail but in general lines this is my view.

  • Nichols says:

    Definition is hard, but I will try it :).
    I argue that security architecture is the designing of security controls in a defined scope with the goal to assure system security requirements. Maybe this sound too much “IT focused”, but the definition is broad, including systems composed by environments, people, IT, process and so on. The security architect is responsible to look this requirements (derived from risk analysis) and look how it can be achieved thinking basically on the security momentum (prevent, detect,respond,recover).

  • Gaurav Pal says:

    Anton – thanks for this post. My definition of security architecture is how an enterprise will ensure the confidentiality, integrity and availability of their digital assets while delivering value to their customers.