Unit 12 – Security in the Agile Architecture

Open Agile Architecture Practitioner Certification

12.1 Explain the concept of Minimum Security Architecture (MSA)

It is a continually evolving security architecture that fits into the cadence of a DevOps cycle and is sufficient to guide developers toward the MVP. Security should be built into the architecture from the beginning, but must respond quickly through regular feedback loops. Enable the business to move rapidly in a world of defined and managed risk.

12.2 Describe the role of Agile Security Architects and what they do

Deliver incremental security architectures. Deliver an MSA, deferring key decisions until more is known later on. Anticipate security architecture changes during development. Divide the security architecture into subsystems, each with well-defined boundary and lifecycle.

They assess current and future states. They support developers and act as a bridge within a cross-functional team.

• Understand business requirements
• Understand appetite for risk
• Understand the overall design of the solution architect to a sufficient level
• Advise teams on security issues

12.3 Explain the Governance of an Agile Security Architecture

Security architects are scarce, so you could create a role of "Security Champion" to bring security expertise to the team. they would call in the security architect when needed.

• Help development teams understand the risk profile and consult on solutions.
• Help teams understand and use existing security policies, practices, tools, etc.
• Make sure teams do not get into the habit of deferring security
• Must be part of the technical governance of the architecture program

12.4 Describe the Desired Characteristics of Architecting Security:

Rely on Layers of Controls

Start from the system and information needing protection. Take an inside-out, defense-in-depth approach:

1. Assets - Protect applications and their data by designing in security. Protect unstructured data in file shares.
2. Security Systems - Leverage shared security systems, such as IAM, auth
3. Computing and Network Security - Rely on host and network controls
4. Physical Security - Understand the protection foundation from physical controls
5. Personnel Security - Employ personnel controls to allow access by trusted insiders

Employ Application Security Development Practices

Identify protection objectives as part of the system's business requirements. Security practices need to be embedded in the DevOps process.

12.5 Describe the Agile Security Architecture practices

• Balance upfront work with future changes
• Make changes on stable decisions, leave unstable decisions for later
• Log and monitor
• Describe a set of components that can be used as future building blocks
• Describe intermediate architectures to work toward the target state