Veterans Track

Introduction to Security Architectures

Security architecture from a software architect's lens — covering frameworks, Zero Trust, core security pillars, layered controls, threat modelling, governance, incident response and operational security.

Domain 01 · Foundations, Frameworks & Principles

SABSA

Sherwood Applied Business Security Architecture — a risk-driven framework for designing, delivering and operating enterprise security architectures.

Risk-drivenBusiness attributesLifecycle model

TOGAF

Open Group Architecture Framework integrating security across enterprise architecture domains through the ADM cycle.

ADM cycleArchitecture domainsEA integration

COBIT

Governance and management framework for IT with control objectives, metrics and maturity models.

Control objectivesMaturity modelsIT governance

NIST CSF & ISO 27001

Security architects should map controls to widely adopted standards such as NIST CSF, ISO 27001, CIS Controls and MITRE ATT&CK.

NIST CSFISO 27001CIS ControlsMITRE ATT&CK

Secure Design Principles

Shift-left security integrated at every SDLC stage with secure coding, testing, hardened configuration and least privilege.

Shift-leftSecure SDLCLeast privilege

Zero Trust Architecture

Never trust, always verify. Zero Trust uses continuous authentication, micro-segmentation and least privilege access.

Zero TrustMicro-segmentationContinuous auth

Domain 02 · Core Security Pillars

Confidentiality

Encryption at rest and in transit, data classification, DLP controls and information protection policies.

TLS 1.3AES-256DLP

Integrity

Hashing, digital signatures, checksums, code signing and tamper-evident audit logs.

HashingSignaturesAudit logs

Availability

High availability, DDoS mitigation, redundancy, failover and RTO/RPO-aligned disaster recovery.

HADDoSFailover

Authentication

MFA, passwordless login, FIDO2, SSO and adaptive authentication based on risk signals.

MFAFIDO2SSO

Authorisation & Least Privilege

RBAC, ABAC, PBAC, just-in-time access and IAM lifecycle management.

RBACABACJIT access

Non-Repudiation

Digital signatures and immutable audit trails ensure actions cannot be denied.

Digital signatureImmutable trailLegal proof

Privacy by Design

GDPR, CCPA and PDPA require consent, data minimisation, right-to-erasure and retention controls.

GDPRConsentData minimisation

Supply Chain Security

SBOM, dependency scanning, vendor risk assessment and SLSA compliance.

SBOMCVE scanningSLSA

Domain 03 · Security Controls by Architectural Layer

Network Security

Firewalls, WAF, IDS/IPS, segmentation, micro-segmentation and VPN/SD-WAN architecture.

FirewallWAFIDS/IPS

Application Security

OWASP Top 10, SAST/DAST, secure API design, input validation and dependency scanning.

OWASPSASTDAST

Data & Database Security

Encryption, column-level masking, database activity monitoring, backup encryption and DLP.

EncryptionDAMTokenisation

Endpoint Security

EDR/XDR, device compliance, MDM, patch management and privileged endpoint controls.

EDRXDRMDM

Certificate Management

PKI, internal CA hierarchy, certificate lifecycle automation, rotation and inventory tooling.

PKIACMERotation

Cloud & Infrastructure Security

CSPM, CWPP, IaC scanning, IAM over-permission detection and shared-responsibility mapping.

CSPMCWPPIaC scanning

Domain 04 · Risk, Threat Intelligence & Governance

Threat Landscape Analysis

Identify threats using STRIDE, PASTA, attack trees and MITRE ATT&CK mapping.

STRIDEPASTAMITRE ATT&CK

Architecture Risk Assessment

Evaluate asset criticality, vulnerability exposure and impact to produce a risk register.

Risk registerAsset criticalityResidual risk

Threat Modelling Cadence

Embed threat modelling into sprints and re-run full models on major architecture changes.

Threat DragonIriusRiskPer-sprint

Security Governance

Policies, standards and procedures aligned to business risk appetite and regulatory obligations.

Risk appetitePoliciesStandards

Regulatory Compliance

Map controls to GDPR, PCI-DSS, HIPAA, SOX and sector-specific mandates.

GDPRPCI-DSSHIPAA

Security Metrics & KRIs

MTTD, MTTR, vulnerability SLAs and security debt metrics to govern maturity.

MTTDMTTRKRIs

Domain 05 · Incident Response, Recovery & Operational Security

Incident Response

Formal IR plan covering prepare, detect, contain, eradicate, recover and lessons learned.

PICERLNIST 800-61Tabletop

SOC & SIEM Architecture

SOC design, SIEM ingestion topology, alert triage and SOAR automation.

SOCSIEMSOAR

Forensic Readiness

Log retention, chain of custody, evidence preservation and forensic tooling.

ForensicsEvidenceChain of custody

Business Continuity & DR

BCP/DRP tied to RTO and RPO targets and validated through DR drills.

BCPDRPRTO/RPO

Security Chaos Engineering

Red team, blue team and purple team simulations using MITRE ATT&CK scenarios.

Red teamPurple teamATT&CK

Secrets & Key Management

Centralised secret rotation and key custody using Vault, AWS KMS or Azure Key Vault.

VaultKMSKey rotation