Chapter 2. Architecture Concepts

Before we get into the method of integrating security and compliance into a security architecture, we’re going to discuss two topics that offer some context to architectural thinking.

First we’ll discuss the integration of architectural thinking into the design, build, and operation lifecycle of a system. There seems to be a trend to focus on design thinking and go straight to building or coding a system without considering architectural thinking. This often leads to a serious gap in the design of an information system that needs to support production workloads.

Second, we’ll discuss the difference between enterprise architecture and solution architecture. These two types of architectural thinking are often confused, and the value of having both is sometimes not recognized. We will explore the value each brings to designing a secure and compliant system.

We then follow up with a deep dive into zero trust architecture, including the NIST Core Zero Trust Logical Components. We continue with a discussion on how zero trust integrates with other security practices for use in architecting security. We then provide some guidance on solutions that support the implementation of zero trust.

We will go on to discuss a technique for the development of an enterprise security architecture.

Let’s start with the first topic: understanding where architectural thinking fits into the design and development lifecycle.

Get Security Architecture for Hybrid Cloud now with the O’Reilly learning platform.