Security Architecture
Covering primary Security Architecture aspects - 80% of the work
​
Primary aspects such as segregation, IDAM, API Security, Encryption and Privileged Access Management (PAM) should be commoditised, reusable and sustainable patterns to remove friction across Product, System Design and DevOps development life cycles.
Establishing these security domain areas with reusable, extensible and flexible security design patterns should represent around 80% of the security architecture practice.
Tooling, roles & responsibilities, and governance wrap need to be embedded in the ways of working to ensure that a 'Secure by Design' paradigm is truly achieved.
​
Threat Assessing designs- 20% of the security architecture
Every operational and business functional design needs to be assessed for it's compatibility to established and agreed (non-functional) security patterns.
​
The designs also need to be assessed for any functional flow weaknesses and associate threats that may drive re-design or specification of configurable detective, preventative and responsive security controls
Engagement scope
​
-
Business strategy, compliance constraints & risk appetite
-
IDAM, API Security Model, Encryption, segregation, PAM
-
Ways of working and the delivery life cycle- AGILE etc.
-
Data Security Life Cycle (DSLC)- drives security requirements
-
Product Development Life Cycle - provides MVP timescales
-
Business Analysis (BA) approach/ methodology
-
Business Requirements Management
-
Security Requirements Management
-
Design and Security Assurance
-
System Architecture- roadmap, processes, methodology
-
DevOps - environment deployment approaches & tooling
-
Architecture, SW Engineering and DevOps engagement
-
Tooling, documentation & Governance