I have spent a great deal of my career staring at architecture diagrams. They share a particular characteristic: the more confident the diagram looks, the less likely it is to describe a system that the operations team can actually run under pressure. The cleanest diagrams are usually the ones that have been simplified for the executive review, and the simplification is precisely the bit where the operational reality lived.
The honest test
The honest test for any security architecture is the 3 a.m. test: imagine an analyst is woken at three in the morning by an alert relating to this system. Can they, using only the things this architecture provides them, do the following? Find the relevant telemetry. Correlate it with what they would expect to see. Determine whether containment actions are pre-authorised. Execute those actions without a code change. Roll the change back if it turns out to be a false positive.
If the answer to any of those is they would have to phone someone, file a ticket, or improvise — the architecture is not done. That is not a criticism of the architect; it is a useful diagnostic. The 3 a.m. test reliably surfaces gaps that a calmer review will not.
Identity is the new perimeter, but only because we let it be
There was a time when security architecture was largely about networks: where the firewalls were, what was in the DMZ, which segments could talk to which. That world is not gone, but it is shrinking, and the centre of architectural risk has migrated decisively to identity. The reason most modern incidents look the way they do is because someone, somewhere, gave a service or a human a permission they did not need, and that over-permission was never reviewed. The unglamorous work of identity architecture — least privilege at the resource level, time-bound access, machine identities that expire, audit logs that are actually audited — is now where the larger share of defensible-or-not is decided.
If you have a single piece of architectural debt to pay down in the next year, this is almost certainly the one. It is also, depressingly, the one that is hardest to sell internally, because the wins are invisible — the breach we did not have is a hard line item to budget for.
Architecture decision records as the deliverable
The deliverable I am increasingly inclined to defend, against the pull towards lavish diagrams, is the architecture decision record. A short document — half a page is fine — that captures we made this decision, we considered these alternatives, we accept these trade-offs, here is the reviewer who challenged us. Stored next to the code, in version control, dated and signed.
The reason this is the deliverable is durability. Diagrams date quickly and are rarely updated. The narrative behind a diagram dates more slowly, because it is articulated reasoning, and a future engineer reading it can tell whether the assumptions still hold. We chose synchronous replication because the regulator requires zero RPO is a statement that ages well; here is a network diagram from 2022 almost never does.
Security architecture and the boring middleware
An underappreciated portion of an architecture review is the boring middleware: the secrets manager, the certificate rotation pipeline, the build provenance, the dependency-update path, the audit-logging plumbing. None of it is on the cover slide. All of it is in the failure mode of every interesting recent breach. If your architecture document does not have a paragraph each on those topics, with concrete decisions and named owners, the document is incomplete.
I have lost count of the engagements where the highest-leverage piece of advice I gave was please buy and properly operate a secrets manager. Not glamorous. Decisive in practice.
When architecture says no
Like threat modelling, security architecture sometimes has to deliver an unwelcome conclusion: that what is being proposed cannot be safely built within the time and budget available. The cost of having that conversation early is low; the cost of having it late, after the team has invested heavily in a particular shape, is large. The skill is partly technical and partly social — the technical skill is being right about it, the social skill is being able to say it in language the team can hear without becoming defensive.
The cultural marker of a healthy architecture function is whether no, not yet is a thing that can be said without political consequence. If it cannot, the architecture function is decorative, regardless of how senior the architect is.
A note on cloud
Cloud has not changed the principles. It has compressed the time it takes to make a bad architectural decision and the cost of recovering from it. A misconfigured trust relationship between two cloud services can be deployed in seconds and require months of unpicking. A network mistake in a co-located rack used to take a fortnight to commit; in cloud it takes a build pipeline. The architect's leverage, in that environment, is at the guard-rail layer — the policies and patterns that make the bad decision impossible, or at least visible, before it ships.
Guard-rails are, I would argue, the most modern architectural deliverable. They are also the one most often missing from the architecture practice in organisations that have otherwise embraced cloud.
Related reading
If this piece was useful, the most directly adjacent posts on the site are:
- Threat modelling that survives contact with delivery
- Hardened Linux: the boring middleware nobody writes about
- Detection engineering: from rule writing to engineering discipline
The skills page groups all ten companion articles by area of practice, and the experience page covers the engagements that the practice was shaped by.