Enterprise Security Architecture

A site for Information Security Professionals

This website is a resource for practical security architecture but contains information relevant to all security professionals, no matter where they are in their careers. This site is here to educate and make your work easier, whether you’re tackling complex challenges, designing secure systems, or aligning security with business goals.

You’ll find straightforward advice, actionable examples, and ready-to-use templates to help you deliver real results. Built with security architects in mind, everything here is designed to cut through the noise and focus on what works in the real world.

Explore, apply, and take your security practice to the next level—without the fluff.

This is one of my more recognisable products

I started this Controls Matrix in about 2005 as a sort of reference to add to design documents. It grew, and I found new ways to utilise it, and I still use it all the time. I offered this up for general use a number of years ago, and I know it has been downloaded, shared and used many times all over the world.

It isn't really aligned with any of the "standards" out there because, quite frankly, we have too many, and this is a tool, not something to comply with. Use it as intended and you will go some way towards being compliant with all of them. You can find downloadable versions of this in the "Models and Other Madness" page.

Security Enterprise Architecture (ESA) Controls Matrix (text of the diagram; OmniGraffle export dated 2024-12-12)

Security Controls

Security Testing and Code Validation: Application Testing (Dynamic Testing, Static Testing, Composition Analysis, Interactive Application Security Testing); Web Application Assessment (Web Application Testing, Web Vulnerability Scanning, Web Application Testing Tools); Secure Development (Code Repository Tooling, Code Control Tooling, Automated Code Packaging and Deployment Tooling, Code Signing Tooling); Managed Security Testing (Assessment/Testing, Managed Web Application Firewall).

Cloud Security: Cloud Security Access Broker, Secure Dev Ops Tooling, Conditional Access, Cloud Access Governance, Cloud HSM, Information Protection, VPN Gateway, Key Vault, API Gateway, DDoS Protection, Directory Services, Application Gateway, Cloud Firewall Appliances, Adaptive Application Controls, Threat Detection, Disk Encryption, Just in Time Access, Network Threat Detection, Logging and Monitoring, Build Configuration and Control, Cloud Hardening, Authentication, Data Tokenisation, Encryption, DLP, Logging, Single Sign On, Access Control, Enforcement.

Data Security: Logging and Monitoring; Database Security (Database Encryption, Database Assessment, Database Activity Monitoring); Data Loss Prevention (CASB - DLP, Storage DLP, Database DLP, Physical Media Control, Network DLP, Endpoint DLP, Content Discovery, Email DLP, Web Gateway DLP); Access Management (File Activity Monitoring, Entitlement Management); Encryption (File/Folder, Email Encryption, SAN/NAS Encryption, Application Encryption).

Identity and Access Management: Directories (Directory Replication, Directory Authentication and Authorisation); Recertification and Toxic Combinations (Incompatible Role Definition, Toxic Combination Detection, Access Recertification); Provisioning (Joiners, Leavers and Movers; Device Identities; Authoritative Source; Managing Generic Accounts; Role Based Access); Federation (Browser Based Federation, Web Services); Authentication, Single and Multi Factor (DMARC Email Authentication; Web (forms, BA etc); Enterprise; Certificates; Remote Access Authentication; Biometrics; Mobile Device; Network Authentication (802.1x, PAP, CHAP etc); Challenge Response; Push Notification Authentication; Tokens (U2F, FIDO2)); Privileged User Management (PIM/PAM); Authorisation; Logging and Monitoring.

Operational Security Management: Security Operations Tooling (Penetration Testing Toolset, Vulnerability Scanning Toolset, Cyber Intelligence (Situational Awareness), MI, Dashboard and Compliance Reporting, Response and Investigation Case Tooling, Security Operations Centre Tooling, Log Investigation and Management Tooling, SIEM, SOAR); Vulnerability Management; Crypto Management (PKI, Secure Shell (SSH), Key Management (Non PKI)); System Management (Patching, Configuration Management); Security Incident Management; Forensics (Computer Forensics, Malware Forensics); Business Continuity (Disaster Recovery Testing and Tooling, Business Continuity Management Tooling, Service Continuity Tooling).

Virtualisation: Access Control, Segregation Control, Shared Storage, Resource Utilisation Management, Virtualisation Infrastructure Security, Virtual Networking Security, Logging and Monitoring.

Application Security Controls: Auditing (Application Component Activity Logging, Application Operational Support Activity Logging, Application Business Activity Logging); Access Control - Authorisation (Separation of Duties, Incompatible Role Definition and Toxic Combination Detection, Least Privilege Controls, Application Logic Controlled Access Control, ACLs - Client (hosts allowed to use), ACLs - Bespoke, ACLs - Database, ACLs - File System, Role Based Access Model); User and Application Authentication (Single Sign On, Denial of Service Protection, Previous Logon Notification, Unsuccessful Login Controls, Directory (LDAP, MS Entra), Bespoke Authentication, Application Federation (Web Services), Browser Based Federation (SAML, ADFS etc), Web (Forms, BA etc)); Encryption within the Application (Credential Encryption, Channel Encryption (TLS etc), Application Encryption); Session Management (Session Authenticity, Concurrent Session Control, Session Auditing, Session Lock, Session Termination); Integrity Controls (Data at Rest Integrity Controls, Code Control, Input Validation (bounds checking etc), Memory Protection, Tamper Resistance and Detection); Partitioning (Security Function Separation, Application Partitioning, Application Code Partitioning); Vulnerability Management (Logging and Monitoring, Source Code Integrity Checking, Vulnerability Scanning, Build Compliance, Patching).

Web Services Security: Logging and Monitoring, Data Origin Authentication, Data Confidentiality, Brokered Authentication, Direct Authentication.

Physical Security: Cabinet Security, Physical Asset Control, CCTV/Monitoring, Security Passes - Identity, Physical Access Control.

Endpoint Security: Disk Encryption, Network Access Control, BYOD Security - Unified Endpoint Management, Remote Access/VPN, Build Compliance Checking, Secure Config Baselines, Logging and Monitoring, Process Protection, Sandboxing, Memory Protection, User and Endpoint Behaviour Analysis (UEBA); Endpoint Defense (Application Whitelisting, HIPS, Host Firewall, Anti Malware).

Network Security: Micro Segmentation; Application Control; Perimeter Defense (Deep Packet Inspection, UTM/Next Gen, IDS/IPS, Firewall); Data Centre Segregation; Out of Band Networking; Network Access Control; Network Encryption (Virtual Private Networking, Transport Layer Security, Layer 2 Encryption); Wireless (Encryption, Guest Network, Pre Authentication (802.1x), Application Control (App FW)); Content Security (Web Inspection and Control, Email Inspection and Control); Managed Services (Network Monitoring Tooling, Network Management Tooling, DDoS Protection); Network Monitoring (Network Behaviour Analysis/Network Anomaly Detection, Network Forensics, Logging and Monitoring, Network Time (NTP), Geolocation).

Risk Management, Compliance and Governance: Governance and Compliance Management (Security Policy, Standards, Guidelines and Patterns Management; Education and Awareness); Security Risk Management (Validation and Maturity, Secure by Design, Supplier Risk Management, Design Assurance, Operational Risk Management, Threat Modelling); reference frameworks and regulations (C2M2, SOX, PCI, ISO 27000, GDPR/Data Protection Act, COBIT, NIST, NIS, ISF (SOGP), IEC 62443, Other).

Internet of Things (IoT): Update Mechanism (Code Signing and Signature Validation, Patching, Secure Update Mechanism), Encrypted Channels, Device Firewalling, Logging and Monitoring, Device Authentication.

Security Business Capability (operational security capability): Cloud Monitoring, Identity Management, Data Loss Prevention, Build Compliance, Vulnerability Scanning, Incident Management, Protective Monitoring, Privileged User Management, Patch Management, Remote Access Management, Anti Malware Management, Business Continuity Management, Key Management, Cloud Security Insight; Certificate Management (External Certificates Management, Internal Certificates Management); Intelligence (Regulatory Advisories, Brand Management, Security Advisories and Notifications); Security Testing (Red/Purple/Blue Team Testing, Ad Hoc and Annual Application Penetration Tests, Ad Hoc and Annual Infrastructure Penetration Tests, External Vulnerability Scanning, Internal Vulnerability Scanning); Security Operations Centre (Security Test Management, Misuse and Abuse Case Development, Threat Hunting, Continuous Improvement, Security Incident Management, Security Monitoring).

Service Management Capability

Service Management offers intrinsic value to Security Architecture by ensuring that IT services align with the strategic objectives of the organisation and adhere to established best practices. It introduces a layer of standardisation and consistency, which is crucial for security controls to be effective across departments and services. Effective Service Management also plays a pivotal role in risk management by identifying potential vulnerabilities and implementing measures to mitigate them, reinforcing the security infrastructure. It optimises the use of resources, so that the security architecture is not only resilient but also cost-efficient, and it supports compliance with legal and regulatory requirements and facilitates governance by providing clear frameworks and procedures for managing and executing security-related tasks. This comprehensive approach to managing IT services keeps the security architecture robust, agile, and capable of evolving in response to new threats and changing business needs.

Service Management Capability (based on ITIL descriptions):

Continuous Service Improvement: Aims for the continual improvement of service quality, with a focus on enhancing security measures and practices. It ensures that the security architecture evolves to address new threats and incorporates lessons learned from security incidents.

Software Version Management: Manages and safeguards all software versions within an organisation. It ensures that only authorised and authenticated software versions are used, mitigating the risk of unapproved or malicious code compromising system integrity.

Release Management: Supervises the release of new hardware and software, ensuring that each release is assessed from a security perspective to prevent any potential compromise to system integrity or availability.

Release Testing: Validates the functionality and security of new or updated releases before they are deployed into the production environment, ensuring that they do not introduce security risks.

Cloud Monitoring and Management: Provides oversight and control of cloud services and infrastructure, ensuring that security measures are implemented and maintained effectively in the cloud, and that any threats to cloud-based resources are promptly identified and addressed.

Release and Deployment Management: Manages the process of moving new or changed hardware, software, documentation, processes, or any other service component to live environments. It includes security checks to ensure the secure release of components.

Deployment Compliance: Ensures that all deployments comply with security policies and procedures, safeguarding against the introduction of vulnerabilities during the deployment phase and maintaining the integrity of live environments.

Service Continuity Management: Plans and prepares for service interruptions or disasters, ensuring that security services can be quickly restored and that the organisation's data remains protected during and after any event that could disrupt services.

Service Level Management: Manages the performance of IT services against agreed service levels, ensuring that security services meet or exceed their required performance metrics and so maintain trust and reliability in the organisation's security framework.

Problem Management: Identifies, manages, and mitigates IT service problems to prevent incidents that could compromise security. By addressing the root cause of recurring issues, it enhances the overall security posture of the organisation.

Change and Release Management: Controls the lifecycle of all changes, ensuring no unauthorised or untested changes are made that could impact system security. It also ensures that changes and new releases are made in a controlled manner, preserving system integrity.

Licence Management: Tracks and manages software licences to prevent the use of unlicensed or pirated software that could introduce security vulnerabilities, and ensures compliance with legal and regulatory requirements related to software use.

Network Management: Monitors and controls the use of network resources, securing against unauthorised access, misuse, or denial of service attacks, and maintaining the confidentiality, integrity, and availability of data transmitted across the network.

Backup and Recovery: Ensures that data is regularly backed up and can be recovered in the event of a loss, maintaining data integrity and availability and providing resilience against data-related security threats such as ransomware.

Asset and Configuration Management: Maintains an accurate and comprehensive record of all IT assets and their configurations, which is essential for identifying potential security vulnerabilities, ensuring compliance, and facilitating swift response to security incidents.

Security Drivers and Requirements

The various factors and conditions that influence the security policies, procedures, and measures within an organisation. These are typically derived from the organisation's internal and external contexts and are focused on ensuring the confidentiality, integrity, and availability of the organisation's assets. The drivers can be strategic, operational, technological, or regulatory in nature, and they inform the specific security requirements that the organisation needs to implement.

Cyber Threats: Requirements identified through the assessment of potential cyber threats and the need to protect against them.

Situational Awareness: The need for security measures arising from the current state of the organisation's environment and emerging trends.

Performance Metrics: Security requirements that ensure systems meet certain performance benchmarks as part of their security profile.

Industry Standards and Regulations: Security requirements that align with best practices and standards developed by industry groups or standard-setting bodies.

Education and Awareness: Requirements to develop and sustain security awareness and understanding within the organisation.

Technology Threats: Security needs arising from threats specifically related to technology and IT systems.

Business Threats: Requirements to counteract threats that could impact business operations or assets.

Contract Definition: Security obligations and needs that arise from the terms and conditions laid out in contracts with third parties.

Enforcement Mandate: Requirements derived from security mandates that must be followed.

Compliance Audit: Security requirements that come to light during compliance audits, highlighting areas that need to be addressed.

Procedures: Step-by-step instructions that must be followed to ensure security measures are effectively implemented and maintained.

Security Patterns: Reusable security designs and practices that address specific security problems within a given context.

Policies, Standards and Guidelines: Detailed security expectations and rules for the organisation, often more specific than principles.

Principles: Core guidelines and rules that shape the security posture and decision-making processes within the organisation.

Security Testing Output: Requirements generated as a result of security testing, highlighting vulnerabilities and necessary improvements.

Business Drivers and Requirements

The security requirements that originate directly from the business. These encompass the principles, strategies, capabilities, and direct operational needs that inform the necessary security measures. The requirements derived from business principles ensure alignment with the organisation's core values and ethical standards, establishing a secure base for all operations. Business strategies bring into focus the long-term goals, requiring security measures that enable and protect these strategic directions. From the business requirements, specific security needs are identified, tailored to the precise operational functions of the organisation. Business capability requirements ensure that security is integrated into the very competencies that allow the business to operate and excel in its field. Finally, requirements arising from business threats focus on protecting the organisation against risks that could undermine its commercial interests, reputation, and continuity. Together, these requirements form a robust framework designed to uphold the secure operation of the business in accordance with its objectives and external obligations.

Data Types: Security needs based on the types of data the organisation handles, such as personal, sensitive, or proprietary data.

Business Principles: Fundamental statements that reflect the organisation's values and guide the overall corporate direction regarding security.

Technology Architecture

Technology Capability: The security needs associated with maintaining and developing the technological capabilities of the organisation.

Technology Strategy: Security requirements guided by the overall plan for technology and how it supports business objectives.

Channels: Security requirements that arise from the different distribution and communication channels the business uses.

Regulatory Compliance: Requirements derived from legal and regulatory mandates that the organisation must adhere to.

Business Opportunities: Security needs identified through new business opportunities, influencing how these opportunities are pursued.

Business Requirements: Specific security needs derived from the business strategy and operations.

Business Strategy: Long-term plans and strategic objectives that determine security priorities and investments.

Business Capability: Security requirements sourced from the capabilities that the business must maintain or achieve.

Architecture Principles: Core principles that govern the approach to the enterprise architecture, ensuring that business and IT are aligned for security.

I’m Rob Campbell, an Enterprise Architect who happens to work in Security. I have over 30 years of experience spanning multiple sectors, including finance, insurance, government, energy, transport and technology. My career has taken me from hands-on technical roles in network and operating system support to strategic positions developing enterprise architecture and driving organisational transformation. With so many years in security, there isn't much I haven't done something in.

I created this site to share the knowledge and insights I’ve gained over the years, providing actionable advice and practical tools for fellow security professionals. My passion lies in helping organisations bridge the gap between business needs and effective security solutions. I firmly believe in aligning security strategies with business objectives to ensure meaningful, sustainable outcomes.

Throughout my career, I’ve worked with industry frameworks like SABSA and TOGAF, as well as many other industry and government regulations and standards, to build security architectures that are robust, scalable, and aligned with compliance requirements. Whether it’s designing cloud security architectures or strategies, developing Security Operations Centre frameworks, or integrating DevSecOps practices, I strive to make security an enabler, not a blocker.

This site is a reflection of my commitment to the security community. It’s a free resource designed to empower professionals with the tools, templates, and guidance they need to navigate the ever-evolving cybersecurity landscape. Whether you’re just starting out or are a seasoned architect, I hope you’ll find value here.

Feel free to explore, learn, and connect. Together, we can make security simpler and stronger.

I enjoy teaching as well and have trained and mentored many during my career. I welcome approaches for mentoring, so whether you're the new kid on the block or a seasoned professional in need of some advice or guidance, reach out.


“The capacity to learn is a gift; the ability to learn is a skill; the willingness to learn is a choice.”
– Brian Herbert

Contact Information:
Rob Campbell
email: esa@assuredcontrol.com
Mobile: 07989 163 138
LinkedIn
I am available for speaking opportunities.

The advice and information provided are given without any warranty or guarantee, and I disclaim all liability for any damages or losses arising from its use. You use and rely on this information at your own risk.

I don't capture anything, nor do I share, sell, or otherwise pass anything to third parties.