Security Architecture Language
Frequently Asked Questions
What is threat modelling and how is it conducted?
Threat modelling is a structured process for identifying, classifying, and prioritising security threats to a system before it is built or changed. The most common methodology is STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). The process typically starts with a data flow diagram (DFD) to map how data moves through the system, then identifies trust boundaries, enumerates threats at each boundary, and defines mitigations. The output is a threat-mitigation pair matrix used to track remediation.
What does "zero-trust architecture" mean in security design?
Zero-trust is a security model based on the principle "never trust, always verify." It assumes that threats exist both outside and inside the traditional network perimeter, so no user, device, or network segment is trusted by default. Every access request is authenticated, authorised, and continuously validated regardless of source. Core concepts include microsegmentation (dividing networks into small isolated zones), identity as the perimeter, and least-privilege access. The BeyondCorp model pioneered by Google is a well-known zero-trust implementation.
What is "defence in depth" and how do security architects apply it?
Defence in depth is a layered security strategy where multiple independent controls protect an asset, so that if one control fails, others continue to provide protection. Controls are applied at multiple layers: perimeter (firewalls, WAFs), network (segmentation, IDS/IPS), host (endpoint protection, hardening), application (input validation, SAST), and data (encryption, DLP). The principle prevents a single point of failure. When one control is bypassed, compensating controls — additional mitigations that substitute for a primary control — maintain the security posture.
What is a trust boundary in security architecture?
A trust boundary is a line in a data flow diagram where data crosses between components operating at different trust levels — for example, between the internet and a web server, between a web application and its backend, or between different internal services. At each trust boundary, the architect must define what validation, authentication, and authorisation controls apply. Trust boundaries are the primary locations where STRIDE threats are enumerated during threat modelling.
What is attack surface and how is it reduced?
The attack surface is the sum of all points where an attacker could attempt to enter, extract data from, or disrupt a system — including exposed APIs, ports, authentication endpoints, dependencies, and user inputs. Attack surface reduction involves disabling unused services, removing unnecessary permissions, minimising exposed endpoints, enforcing least privilege, and keeping dependencies updated. External Attack Surface Management (EASM) is the ongoing discipline of discovering and monitoring an organisation's internet-facing assets.
What is STRIDE and how does each category map to security controls?
STRIDE is a threat classification framework: Spoofing (impersonating an identity — mitigated by authentication), Tampering (modifying data — mitigated by integrity controls and signing), Repudiation (denying an action — mitigated by audit logging and non-repudiation mechanisms), Information Disclosure (unauthorised data access — mitigated by encryption and access controls), Denial of Service (disrupting availability — mitigated by rate limiting and resilience design), and Elevation of Privilege (gaining unauthorised permissions — mitigated by authorisation checks and least privilege).
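The process described in the threat modelling, trust boundary and STRIDE answers can be sketched in code: find the flows in a DFD that cross a trust boundary, enumerate the six STRIDE categories on each, and record whether the design already declares the matching control. This is an added example, not part of the original FAQ. The element names, zone names and control keys are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE category -> (control key a flow may declare, mitigation named in the answer above)
STRIDE = {
    "Spoofing": ("authn", "authentication"),
    "Tampering": ("integrity", "integrity controls and signing"),
    "Repudiation": ("audit_log", "audit logging"),
    "Information Disclosure": ("encryption", "encryption and access controls"),
    "Denial of Service": ("rate_limit", "rate limiting and resilience design"),
    "Elevation of Privilege": ("authz", "authorisation checks and least privilege"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    controls: frozenset = frozenset()  # controls already present in the design

# Constructed DFD: each element's trust zone, then the data flows between elements.
ZONES = {"browser": "internet", "web_app": "dmz",
         "orders_api": "internal", "orders_db": "internal"}
FLOWS = [
    Flow("browser", "web_app", frozenset({"authn", "encryption", "rate_limit"})),
    Flow("web_app", "orders_api", frozenset({"authn", "authz", "audit_log"})),
    Flow("orders_api", "orders_db"),  # same zone on both ends: no boundary crossed
]

def boundary_flows(flows, zones):
    """Flows whose endpoints sit in different trust zones."""
    return [f for f in flows if zones[f.src] != zones[f.dst]]

def threat_matrix(flows, zones):
    """One (flow, threat, mitigation, status) row per STRIDE category per crossing."""
    rows = []
    for f in boundary_flows(flows, zones):
        for threat, (control, mitigation) in STRIDE.items():
            status = "mitigated" if control in f.controls else "open"
            rows.append((f"{f.src}->{f.dst}", threat, mitigation, status))
    return rows

def open_items(rows):
    """Threat-mitigation pairs that still need remediation."""
    return [(flow, threat) for flow, threat, _, status in rows if status == "open"]

if __name__ == "__main__":
    for row in threat_matrix(FLOWS, ZONES):
        print("{:24} {:24} {:42} {}".format(*row))
```

The rows marked open are the remediation backlog; a real model would also record an owner and a risk rating per row.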
What is a security design review and what does it assess?
A security design review (also called an architecture security review) is a formal evaluation of a proposed system design against security requirements and standards before development begins. Reviewers assess: authentication and authorisation mechanisms, data flow and trust boundaries, cryptographic approaches, third-party dependencies, logging and monitoring coverage, and compliance with relevant standards (e.g. NIST, ISO 27001). Findings are typically scored using a risk matrix (likelihood × impact) and classified as Accept, Transfer, Mitigate, or Avoid. RAG (Red/Amber/Green) status is commonly used in review reports.
What is an attack tree and how is it used in security analysis?
An attack tree is a hierarchical diagram that models how an attacker could achieve a root goal (e.g. "Exfiltrate customer data"). The root goal is the top node; leaf nodes represent individual attack steps. AND nodes require all child conditions to be met; OR nodes require any one. The tree allows analysts to identify the most viable attack path and prioritise mitigations accordingly. Attack trees are used alongside STRIDE in structured threat modelling and are a common topic in security architecture interviews.
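The AND/OR evaluation described above, as an added example that is not part of the original FAQ: it finds the least-effort path to the root goal and ranks leaf mitigations by how much each one raises that effort. The tree shape, node labels and effort scores are constructed for illustration.

```python
from dataclasses import dataclass, field
from math import inf

@dataclass
class Node:
    label: str
    kind: str = "LEAF"   # "AND", "OR" or "LEAF"
    cost: float = 0.0    # leaf only: assumed attacker effort (constructed scale)
    children: list = field(default_factory=list)

def cheapest_path(node, mitigated=frozenset()):
    """Return (cost, leaves) for the least-effort way to achieve `node`.
    Leaves listed in `mitigated` are treated as blocked."""
    if node.kind == "LEAF":
        return (inf, []) if node.label in mitigated else (node.cost, [node.label])
    results = [cheapest_path(child, mitigated) for child in node.children]
    if node.kind == "OR":                     # any one child is enough
        return min(results, key=lambda r: r[0])
    total = sum(cost for cost, _ in results)  # AND: every child is required
    if total == inf:                          # one blocked child blocks the branch
        return inf, []
    return total, [leaf for _, found in results for leaf in found]

def leaves(node):
    if node.kind == "LEAF":
        return [node.label]
    return [label for child in node.children for label in leaves(child)]

def rank_mitigations(root):
    """Order leaves by how much blocking each one raises the cheapest path."""
    base, _ = cheapest_path(root)
    gains = [(cheapest_path(root, frozenset([leaf]))[0] - base, leaf)
             for leaf in leaves(root)]
    return sorted(gains, key=lambda g: -g[0])

# Constructed tree for the root goal used in the text above.
TREE = Node("Exfiltrate customer data", "OR", children=[
    Node("Log in as a real user", "AND", children=[
        Node("Obtain valid credentials", cost=3),
        Node("Pass MFA check", cost=6)]),
    Node("Reach unpatched public API", cost=5),
    Node("Misuse insider access", "AND", children=[
        Node("Gain insider access", cost=8),
        Node("Evade DLP", cost=4)]),
])

if __name__ == "__main__":
    print("cheapest path:", cheapest_path(TREE))
    print("best single mitigation:", rank_mitigations(TREE)[0])
```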
What is microsegmentation and how does it relate to zero-trust?
Microsegmentation is a network security technique that divides an environment into small, isolated zones with granular access controls between them. Unlike traditional perimeter-based security (where everything inside the firewall is trusted), microsegmentation enforces that even internal east-west traffic must be authenticated and authorised. This limits lateral movement if an attacker breaches one zone. Microsegmentation is a core implementation technique in zero-trust network architecture (ZTNA).
What vocabulary do security architects use when discussing security controls?
Key control vocabulary includes: preventive controls (block threats before they occur, e.g. firewalls, input validation), detective controls (identify threats in progress, e.g. SIEM, IDS), corrective controls (respond after detection, e.g. incident response, patching), and compensating controls (substitute for a primary control that cannot be implemented). Controls are further classified as technical, procedural/administrative, or physical. The risk treatment options are Mitigate (apply controls), Accept (document and accept residual risk), Transfer (e.g. cyber insurance), and Avoid (eliminate the risky activity).