About this article
This article is the first article in the “Security Architecture” category of the Architecture Crash Course for the Generative-AI Era series. It covers the big picture of security architecture.
Security is a design domain that cannot be bolted on later. This article surveys the CIA triad, the major domains (auth, authorization, encryption, network, secrets management, audit), the shift from perimeter defense to Zero Trust, and the AI-era stance: delegate security.
A full list of all articles in this category, with summaries and learning points, is available at the following page.
What is security architecture in the first place
Imagine home security. Door locks, anti-burglary window film, security cameras, fire alarms — no single measure is enough; defending in multiple layers is the foundation of security. What’s more, adding foundational security after the house is built is extremely difficult.
Security architecture is the domain of designing authentication, authorization, encryption, network defense, secrets management, and audit logging in multiple layers. It must be built in from the start of design, not bolted on later.
Without security architecture, all data leaks through a single hole, and leaked data never goes back to “private.” The damage goes beyond any apology.
Once leaked, data never goes back to “private”
Traditionally “firewalls protect the perimeter” was the central model, but the proliferation of remote work, cloud, and SaaS has blurred the perimeter, and Zero Trust (trust nothing, always verify) became the dominant philosophy.
Security is a design domain that cannot be bolted on later. Once data leaks, no apology brings it back.
Why treat it as a separate architecture
1. Impact reaches every system
Auth foundation, encryption methods, permission model — changing them later affects every application. Without deciding upstream, you face a total replacement later.
2. Compliance is mandatory
GDPR (EU’s General Data Protection Regulation), data protection laws, PCI DSS (credit card handling standard), SOC2 (cloud-provider internal control standard), etc. — depending on the data your system handles, specific regulations apply. Violations carry criminal penalties and massive damages.
3. Specialized; cannot be a side gig
Encryption, vulnerability assessment, SOC operations are specialist fields and cannot be done casually. Many orgs now have a dedicated security team (CSIRT — Computer Security Incident Response Team).
The three things to protect (CIA)
The most-used framework in security architecture is CIA. Which of the three you prioritize most shifts the design axis.
| Element | Meaning | Typical countermeasures |
|---|---|---|
| Confidentiality | Only authorized people see it | Auth, authorization, encryption |
| Integrity | Data is not tampered with | Hashes, signatures, audit logs |
| Availability | Available when needed | DDoS defense, redundancy, backups |
Finance prioritizes confidentiality; public services prioritize availability. The weight changes by business characteristic — that’s the key point.
Domain taxonomy
| Domain | What it handles |
|---|---|
| Authentication (AuthN) | Verifying who you are — ID/password, Passkey (passwordless biometric/device auth), MFA |
| Authorization (AuthZ) | Controlling what you can do — RBAC (role-based), ABAC (attribute-based), IAM |
| Encryption | Preventing eavesdropping / leaks — TLS (transport encryption), AES (symmetric encryption standard), KMS (key management service) |
| Network | Perimeter defense, isolation — FW (firewall), WAF, VPC (Virtual Private Cloud) |
| Secrets management | API keys, passwords — Vault, Secrets Manager |
| Audit & detect | Recording and detecting anomalies — SIEM, CloudTrail, WAF logs |
What you must decide — what’s your project’s answer?
For each item, articulate your project’s answer in 1-2 sentences.
AuthN / AuthZ / sessions
| Item | Examples |
|---|---|
| Authentication | Password+MFA / Passkey / SSO / SAML (XML-based federated auth standard) / OIDC |
| Auth platform | In-house / Auth0 / Clerk / Cognito / Entra ID |
| Authorization model | RBAC / ABAC / ReBAC (relationship-based) / Policy languages (OPA — Open Policy Agent, general-purpose policy engine) |
| Session method | Cookie / JWT / Refresh Token |
| MFA factor | TOTP (time-based one-time password) / WebAuthn (browser-standard biometric/device auth) / SMS |
| Password policy | Length, complexity, rotation |
Encryption / key management
| Item | Examples |
|---|---|
| Transport encryption | TLS 1.3 / mTLS (mutual TLS, two-way certificate auth) |
| At-rest encryption | AES-256 / KMS / HSM |
| Secrets management | AWS Secrets Manager / HashiCorp Vault |
| Key management | Cloud KMS / CMK (Customer Managed Key) |
| PKI | Internal CA (Certificate Authority) / Let’s Encrypt / ACM (AWS Certificate Manager) |
Network / audit / compliance
| Item | Examples |
|---|---|
| Network isolation | VPC / Subnets / Security Groups |
| Perimeter defense | WAF / IDS/IPS (Intrusion Detection / Prevention System) / DDoS protection |
| Zero Trust | BeyondCorp / Zscaler / Cloudflare Access |
| Audit logs | CloudTrail / audit-trail retention period |
| Vulnerability management | SAST / DAST (Dynamic) / dependency scanning |
| Compliance | SOC2 / ISO 27001 (international information-security standard) / PCI DSS |
The shift in security philosophy
The migration from “perimeter defense” to “Zero Trust” is the largest paradigm shift of the cloud era. Perimeter design assumed “the internal network is safe”; remote work, SaaS use, and rising insider threats broke that assumption.
Zero Trust is the philosophy that trusts neither inside nor outside the network and verifies authentication and authorization on every transaction. Google’s BeyondCorp in the 2010s was the precursor. It bypasses VPN reliance and continually verifies user, device, and context.
| Perimeter | Zero Trust |
|---|---|
| Inside = trust, outside = distrust | Distrust everything to start |
| VPN protects the perimeter | AuthN/AuthZ on every transaction |
| Network-centric design | Identity-centric |
| Heavy reliance on internal network | Same treatment regardless of location |
Phase-by-phase security adoption roadmap
“Everything at once” is unrealistic. Split required vs recommended by phase.
| Phase | Org size | Required | Next | Monthly cost |
|---|---|---|---|---|
| 1 MVP / individual | Up to 3 | HTTPS + MFA + Dependabot + IAM Roles | Secret Scanning | $0 |
| 2 Early startup | 3-30 | + WAF + CloudTrail + encryption | GuardDuty + SSO | ~$300 |
| 3 Mid-sized SaaS | 30-300 | + SIEM + vulnerability scan in CI | SOC2 + ISMS + Policy as Code | ~$3k |
| 4 Enterprise | 300+ | + 24/7 SOC + DLP + ZTNA | Annual Red Team / pentest | $30k+ |
| 5 Regulated industry | All sizes | Industry certifications (FISC / HIPAA / GovCloud) | — | Variable |
“Even at MVP, MFA + Dependabot + Secret Scanning + HTTPS are mandatory.” Postpone these and within hours of public launch you face IAM key leaks and intrusion via dependencies. The 2021 Log4Shell and 2022 Okta / LastPass incidents demonstrated the cost.
Even at MVP, install the minimum 4 on day one. “Later” does not exist in security.
Knowledge structure of this category
This category is composed of 8 articles in total. The security design domains are learned in four stages: “who?” -> “what can they do?” -> “how to protect?” -> “how to detect?”
Identity (Group 1) first designs authentication — “who are you?” — and authorization — “what can you do?”. Authentication and authorization are often confused but are completely separate design decisions.
Protection (Group 2) designs transport encryption, network perimeter, Zero Trust, and secrets management with identity confirmed as the premise. These four articles are fairly independent, so you can read whichever you need first.
Detection (Group 3) — vulnerability assessment — is about building a system that keeps hunting for holes on top of the defenses. Security is never “design once and done”; continuous detection is indispensable.
Architecture-level traps
| Forbidden move | Why |
|---|---|
| Custom auth | Delegate to Clerk / Auth0 / Firebase Auth — DIY is full of holes |
| Storing JWT in localStorage | Single XSS leaks every user; httpOnly Cookie required |
| Relying solely on SMS MFA | SIM-swap defeats it; TOTP / FIDO2 required |
| Leaving Critical patches 2+ weeks | The Equifax 2017 pattern ($700M settlement); 72-hour SLA |
| ”Inside is safe” perimeter defense | Pulse Secure 2021 incident; migrate to ZTNA |
| Persistent API keys in production | Switch to OIDC + short-lived tokens |
| Logging PII without masking | The GitHub 2018 plaintext-password pattern |
| No SBOM | Log4Shell created “unknown if we’re affected” chaos |
| Security configuration via GUI by hand | No change history; switch to IaC + Policy as Code |
| SHA-256 alone for password hashing | Argon2id required; defense against GPU brute force |
| ”Internal network is safe” — believing it | Perimeter defense premise collapsed; Zero Trust is the standard |
| ”We can build auth ourselves” — DIY implementation | Bug and vulnerability factory; delegate to standard protocols + SaaS |
Security is the three-set: “don’t write it, borrow it, watch it.” Custom implementation is the largest source of incidents.
AI decision axes
| AI-era favorable | AI-era unfavorable |
|---|---|
| Standard protocols (OIDC, OAuth, SAML) | Custom authentication / encryption |
| Dedicated SaaS (Clerk, Auth0, Entra ID) | Hand-written auth systems |
| IaC-described IAM and security configuration | GUI-set, tribal-knowledge permissions |
| Policy languages (OPA, Cedar) for authorization | If-statements scattered through code |
- Delegate to standard protocols and dedicated SaaS — don’t DIY auth, authorization, or encryption
- Design for defense in depth — stack network, auth, and encryption rather than relying on a single measure
- Start from Zero Trust — drop “inside is safe” and verify auth/authz on every transaction
- Express in IaC, keep it reviewable — avoid GUI-set tribal permissions; leave a Git audit trail
Vulnerability patterns that creep into AI-generated code
AI-generated code has a certain probability of introducing security issues. The most common ones are: SQL query string concatenation (skipping parameter binding), insufficient sanitization of user input (XSS), and missing authorization checks (API endpoints with authentication only and no authorization).
These result from AI prioritizing “code that works,” not from intentionally writing vulnerable code. The countermeasure is adding SAST (Semgrep, CodeQL) to the CI pipeline to automatically scan all pushes, including AI-generated code.
”Delegating” security settings takes them outside AI’s management scope
Delegate auth to Auth0/Clerk, delegate WAF to Cloudflare, delegate encryption to KMS — this “don’t write it, borrow it” policy carries an additional benefit in the AI era. Delegated areas have the SaaS provider constantly applying the latest security patches, so security debt doesn’t accumulate in your codebase. It minimizes the range of security configuration that AI needs to manage.
Author’s note — incidents that toppled companies via “should-have-prevented” hits
You hear repeatedly that security incidents come from neglecting basics rather than fancy attacks.
A major US credit bureau in 2017 took 2 months to apply the patch for a known Apache Struts vulnerability (CVE-2017-5638), and that delay caused 147 million records to leak. Settlements and fines from that one incident eventually reached around $700M. It’s the canonical reminder of how lethal a boring “patch delay” can be.
In 2019, a major US financial services company had a SSRF (Server-Side Request Forgery) caused by a “WAF misconfiguration”, leaking ~100M customer records from S3 buckets. The attacker, a former cloud engineer, exploited a single line of carelessness. The fine was on the order of $80M.
I’ve personally had the experience of noticing a small misconfiguration in logs only six months after the fact. Both the public cases above weren’t sophisticated zero-days — they were the result of “basic operations breaking.” Boring basics are the strongest defense.
Security incidents come from basics neglected, not fancy attacks. Patch, MFA, and config review are the strongest defenses.
Summary
This article covered the big picture of security architecture — the CIA basics, major domains, perimeter-to-Zero-Trust shift, phase-by-phase roadmap, and the AI-era delegation stance.
Delegate to standard protocols and dedicated SaaS, design for defense in depth, start from Zero Trust, keep everything IaC-described and reviewable. The realistic answer for 2026.
The next article covers authentication design (MFA, Passkey, SSO, IDaaS selection).
Back to series TOC -> ‘Architecture Crash Course for the Generative-AI Era’: How to Read This Book
I hope you’ll read the next article as well.
📚 Series: Architecture Crash Course for the Generative-AI Era (46/89)