This is my learning note from the book Solutions Architect's Handbook, written by Saurabh Shrivastava and Neelanjali Srivastav. All the contents are mostly distilled and copied from the book. I recommend that you buy this book to support the authors.
Another series: Fundamentals of Software Architecture: An Engineering Approach
Security is always at the center of architecture design
Designing principles for architectural security
- Implementing authentication and authorization control: Authentication determines whether a user can access the system with the credentials they present, such as a user ID and password, while authorization determines what that user can do once they are inside the system. You should create a centralized system to manage your users' authentication and authorization.
- Applying security everywhere: Often, organizations focus mainly on the physical safety of their data center and on protecting the outer network layer from attack. Instead of focusing on a single outer layer, ensure that security is applied at every layer of the application.
- Reducing blast radius: While applying security measures at every layer, you should always keep your system isolated in small pockets to reduce the blast radius. If attackers gain access to one part of the system, you should be able to contain the breach to the smallest possible area of the application.
- Monitoring and auditing everything all the time: Log every activity in your system and conduct regular audits. Audit capabilities are also often required by industry-compliance regulations.
- Automating everything: Automation is an essential way to apply quick mitigation for any security-rule violation. You can use automation to revert changes that deviate from the desired configuration and to alert the security team.
- Protecting data: Data is at the center of your architecture, and it is essential to secure and protect it. Most compliance regimes and regulations exist to protect customer data and identity.
- Preparing a response: Keep yourself ready for any security events. Create an incident management process as per your organizational policy requirements.
Web security mitigation
Security needs to be applied at every layer, and special attention is required for the web layer because it is exposed to the world. For web protection, important steps include keeping up with the latest security patches, following software development best practices, and making sure proper authentication and authorization are carried out. There are several methods to protect and secure web applications, such as a Web Application Firewall (WAF), DDoS mitigation
Before architecting any solution, you should define basic security practices according to the application's objectives, such as complying with regulatory requirements. There are several different approaches to data protection. The following section describes how to use these approaches.
At a high level, you can classify data into the following categories:
- Restricted data: This contains information that could harm the customer directly if it got compromised. Mishandling of restricted data can damage a company’s reputation and impact a business adversely. Restricted data may include customer Personally Identifiable Information (PII) data such as social security numbers, passport details, credit card numbers, and payment information.
- Private data: Data can be categorized as confidential if it contains customer-sensitive information that an attacker can use to plan to obtain their restricted data. Confidential data may include customer email IDs, phone numbers, full names, and addresses.
- Public data: This is available and accessible to everyone, and requires minimal protection—for example, customer ratings and reviews, customer location, and customer username if the user made it public.
- Symmetric-key encryption: With symmetric encryption algorithms, the same key is used to encrypt and decrypt the data. Earlier, symmetric encryption commonly used the Data Encryption Standard (DES), which has a 56-bit key. Now, the Advanced Encryption Standard (AES) is heavily used for symmetric encryption; it is more reliable because it uses a 128-bit, 192-bit, or 256-bit key.
- Asymmetric-key encryption: Asymmetric algorithms use two different keys, one to encrypt and one to decrypt. In most cases, the encryption key is a public key and the decryption key is a private key, which is why asymmetric-key encryption is also known as public-key encryption. Rivest–Shamir–Adleman (RSA) is one of the first and most popular public-key encryption algorithms used to secure data transmissions over the network. The private key is available only to one user, while the public key can be distributed to many parties. Only the holder of the private key can decrypt the data.
Data encryption at rest and in transit
Data at rest is data stored somewhere, such as on a storage area network (SAN) or network-attached storage (NAS) drive, or in cloud storage. All sensitive data needs to be protected by applying symmetric or asymmetric encryption, as explained in the previous section, with proper key management.
The cloud’s shared security responsibility model
Security and compliance certifications
There are many compliance certifications, depending on your industry and geographical location, that protect customer privacy and secure data. For any solution design, compliance requirements are among the critical criteria that need to be evaluated. The following are some of the most popular industry-standard compliance regimes:
- Global compliance includes certifications that all organizations need to adhere to, regardless of their region. These include ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and CSA STAR for cloud security.
- The US government requires various kinds of compliance to handle public-sector workloads. These include FedRAMP, DoD SRG Levels 2, 4, and 5, FIPS 140, NIST SP 800, IRS 1075, ITAR, VPAT, and CJIS.
- Industry-level compliance applies to applications in a particular industry. These include PCI DSS, CDSA, MPAA, FERPA, CMS MARS-E, NHS IG Toolkit (in the UK), HIPAA, FDA, FISC (in Japan), FACT (in the UK), Shared Assessment, and GLBA.
- Regional compliance certification applies to a particular country or region. These include EU GDPR, EU Model Clauses, UK G-Cloud, China DJCP, Singapore MTCS, Argentina PDPA, Australia IRAP, India MeitY, New Zealand GCIO, Japan CS Mark Gold, Spain ENS and DPA, Canada Privacy Law, and US Privacy Shield.