Foundational Security Patterns
Authenticated Edge Pattern

The authenticated edge pattern uses identity-aware proxies and API gateways to enforce authentication and authorization at the system boundary, before a request reaches any internal service. Centralizing this logic at the edge gives every service the same first line of defense and a single place to configure it. Authorization policy is enforced at the same point, so requests that are not entitled to a resource never enter the system. The edge also rate-limits, both per client (keyed by the authenticated identity rather than the source address, which is easy to spoof or share behind a NAT) and globally, so that one abusive client cannot exhaust capacity for everyone. Schema validation at the edge rejects malformed requests so that the parsers and deserializers inside the services are never exposed to them. The edge must not contain business logic; it should be limited to cross-cutting security concerns, and services should still verify the identity the edge forwards rather than trusting any request merely because it arrived on the internal network.

Policy Enforcement Sidecar Pattern

The policy enforcement sidecar pattern separates the Policy Decision Point (PDP), which evaluates policy, from the Policy Enforcement Point (PEP), which applies the decision in the request path. Services consult a sidecar or the service mesh for authorization decisions instead of embedding the logic themselves, which moves policy out of application code and into a centralized repository that is the single source of truth and keeps enforcement consistent across services. Policy updates are pushed to every sidecar, so a change takes effect quickly and uniformly across the fleet. The pattern fits naturally with a service mesh, which already provides the sidecar infrastructure. The PEP must fail closed: if the decision point cannot be reached or returns an answer the PEP does not understand, the request is denied.

Event Sourcing and Idempotency Pattern

Event sourcing stores every state change as an immutable event, and the event log is the source of truth. Because state can be rebuilt by replaying the log, recovery and debugging are replay-safe, and the complete history doubles as an audit trail. Idempotency ensures that executing an operation more than once produces the same result as executing it once, which makes retries safe and mitigates partial failures and reentrancy bugs. Clients attach an idempotency key to each mutating request; the service records the key together with the outcome of the first attempt and returns that recorded outcome on any repeat, so duplicate processing cannot occur. Keys must be scoped to the authenticated client, and reuse of a key with a different payload should be rejected rather than silently served from the earlier result.

Bulkheads and Circuit Breakers Pattern

Bulkheads isolate failures so that one failing component cannot cascade into the rest of the system.
Bulkheads partition resources such as thread pools and connection pools, so that a slow or failed dependency can exhaust only its own partition. Circuit breakers stop calling a dependency once it has failed repeatedly and, after a cool-down period, let a single probe request through to test whether it has recovered; while the circuit is open, callers degrade gracefully by serving a cached or default response instead of queueing behind timeouts. Load shedding drops low-priority requests under load so that the system does not fail entirely. Together these techniques limit the blast radius of a failure and preserve core functionality, which is preferable to total failure.

Data Access Layer Pattern

A data access layer gives each service ownership of its data behind a clear contract, which enables encapsulation. Row-level security and column-level security enforce fine-grained access control in the database itself, limiting what a compromised or over-privileged caller can read. Anti-corruption layers translate between domains so that one domain's model does not leak into another. Data contracts define the allowed operations and data flows and prevent access outside them. Database views provide an abstraction that hides implementation details from consumers.
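The checks the authenticated edge pattern above describes (token verification, coarse-grained scope authorization, per-client and global rate limiting, schema validation, in that order) as one request filter. This is an added example, not code from the original page: the HS256 shared secret IDP_SECRET, the mint_token stand-in for the identity provider, the ORDER_SCHEMA for a single POST /orders route, and the Edge and SlidingWindowLimiter classes are all constructed for illustration. A production edge would verify the identity provider's RS256/ES256 signature against its published keys rather than a shared secret, but the order of checks and the failure responses are the point.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed demo secret shared by the identity provider and the edge. A real edge
# verifies the IdP's RS256/ES256 signature with its published public keys; HS256 is
# used here only so the example runs offline.
IDP_SECRET = b"demo-idp-secret"

# Constructed schema for the single route this edge fronts (POST /orders):
# field name -> exact type accepted. Anything else is rejected before forwarding.
ORDER_SCHEMA = {"order_id": str, "quantity": int}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, scope: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Stand-in for the identity provider: issues an HS256 JWT for the demo."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "scope": scope, "exp": now + ttl}).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Returns the claims, or None for any malformed, forged or expired token."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # the token never gets to pick its own algorithm
        expected = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if "sub" not in claims or float(claims.get("exp", 0)) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def validate_schema(body, schema: dict) -> Optional[str]:
    """Strict allow-list validation: required fields, exact types, no extra fields."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    for name, typ in schema.items():
        if name not in body:
            return f"missing field {name}"
        if type(body[name]) is not typ:  # 'is' keeps bool from passing as int
            return f"field {name} must be {typ.__name__}"
    extra = sorted(set(body) - set(schema))
    return f"unexpected fields {extra}" if extra else None


class SlidingWindowLimiter:
    """Per-key request timestamps inside a sliding window."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Edge:
    """Hypothetical identity-aware gateway: authenticate, authorize, rate-limit,
    validate, and only then forward. No business logic lives here."""

    def __init__(self, per_client_limit: int = 5, global_limit: int = 1000):
        self.per_client = SlidingWindowLimiter(per_client_limit, window=60.0)
        self.global_ = SlidingWindowLimiter(global_limit, window=1.0)

    def handle(self, headers: dict, body, required_scope: str, now: float):
        auth = headers.get("authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        claims = verify_token(auth[len("Bearer "):], now)
        if claims is None:
            return 401, "invalid or expired token"
        if required_scope not in str(claims.get("scope", "")).split():
            return 403, "insufficient scope"
        # Limit by authenticated subject rather than source address: a shared NAT
        # must not penalize honest clients, and a spoofed address must not help.
        if not self.per_client.allow(claims["sub"], now):
            return 429, "per-client rate limit exceeded"
        if not self.global_.allow("*", now):
            return 429, "global rate limit exceeded"
        err = validate_schema(body, ORDER_SCHEMA)
        if err:
            return 400, err
        return 200, "forwarded to the order service"
```

Rate limiting is applied before schema validation on purpose: a client sending a flood of malformed bodies still burns its own budget, not the service's parser time.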
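The idempotency-key handling described under Event Sourcing and Idempotency above, as an added example that is not code from the original page. IdempotencyStore (an in-memory stand-in for the shared store a real service would use), PaymentsService and its fail_next switch are constructed for illustration. The block shows the cases the paragraph lists: a retried request returns the recorded response without repeating the side effect, a key reused with a different payload is rejected, keys are scoped per client, a concurrent duplicate is refused while the first attempt is in progress, and a failed attempt releases the key so the retry can succeed.

```python
import hashlib
import json
import threading
from typing import Dict, Optional, Tuple


def fingerprint(body: dict) -> str:
    """Canonical hash of the request body, used to detect key reuse with a new payload."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class IdempotencyStore:
    """In-memory stand-in for the shared store (Redis, a database table) a real
    service would use. Records are keyed by (client, key): scoping keys to the
    authenticated client stops one tenant from replaying or colliding with another's."""

    def __init__(self):
        self._lock = threading.Lock()
        self._records: Dict[Tuple[str, str], dict] = {}

    def begin(self, client: str, key: str, fp: str) -> Tuple[str, Optional[dict]]:
        """Claims the key atomically. Returns (state, cached_response)."""
        with self._lock:
            rec = self._records.get((client, key))
            if rec is None:
                self._records[(client, key)] = {"fp": fp, "done": False, "response": None}
                return "new", None
            if rec["fp"] != fp:
                return "mismatch", None      # same key, different request body
            if not rec["done"]:
                return "in_progress", None   # concurrent duplicate: do not run twice
            return "replay", rec["response"]

    def finish(self, client: str, key: str, response: dict) -> None:
        with self._lock:
            self._records[(client, key)].update(done=True, response=response)

    def abort(self, client: str, key: str) -> None:
        """Release the key after a failed attempt so the client can retry it."""
        with self._lock:
            self._records.pop((client, key), None)


class PaymentsService:
    """Hypothetical service with a side effect (a charge) that must never be duplicated."""

    def __init__(self, store: IdempotencyStore):
        self.store = store
        self.charges = []          # the side effect being protected
        self.fail_next = False     # constructed switch to simulate a downstream outage

    def charge(self, client: str, idem_key: str, body: dict) -> dict:
        fp = fingerprint(body)
        state, cached = self.store.begin(client, idem_key, fp)
        if state == "replay":
            return cached
        if state == "mismatch":
            return {"status": 422, "error": "idempotency key reused with a different payload"}
        if state == "in_progress":
            return {"status": 409, "error": "an identical request is still being processed"}
        try:
            if self.fail_next:
                self.fail_next = False
                raise RuntimeError("card processor unavailable")
            self.charges.append((client, body["amount"], body["currency"]))
            response = {"status": 201, "charge_id": f"ch_{len(self.charges)}"}
        except Exception:
            # Nothing was committed, so releasing the key is safe. If the side effect
            # could have partially committed, the record and the effect must be
            # written in one transaction instead of this two-step sequence.
            self.store.abort(client, idem_key)
            raise
        self.store.finish(client, idem_key, response)
        return response
```

The stored fingerprint is what turns an idempotency key from a cache key into a safety check: without it, a client that reuses a key by mistake would silently receive the result of an unrelated earlier request.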
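The bulkhead, circuit breaker and load-shedding mechanics described above, combined around one downstream call. This is an added example, not code from the original page; CircuitBreaker, Bulkhead, DependencyClient and the exception names are constructed for illustration, and the clock is injectable so the cool-down can be driven deterministically. It covers the states the paragraph mentions: the breaker opens after repeated failures and serves a fallback without calling the dependency, a single probe is admitted after the reset timeout and its outcome decides whether the circuit closes again, a saturated bulkhead fails fast without counting as a dependency failure, and low-priority work is shed while the bulkhead is under pressure.

```python
import threading
import time
from typing import Any, Callable


class CircuitOpen(Exception):
    pass


class BulkheadFull(Exception):
    pass


class RequestShed(Exception):
    pass


class CircuitBreaker:
    """closed -> open after N consecutive failures; open -> half_open once the reset
    timeout has passed, letting exactly one probe through; the probe's outcome decides."""

    def __init__(self, failure_threshold: int = 3, reset_timeout: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.failure_threshold, self.reset_timeout, self.clock = failure_threshold, reset_timeout, clock
        self.state, self.failures, self.opened_at = "closed", 0, 0.0
        self._lock = threading.Lock()

    def allow(self) -> bool:
        with self._lock:
            if self.state == "closed":
                return True
            if self.state == "open" and self.clock() - self.opened_at >= self.reset_timeout:
                self.state = "half_open"
                return True
            return False   # open, or half_open with the probe still in flight

    def record_success(self) -> None:
        with self._lock:
            self.state, self.failures = "closed", 0

    def record_failure(self) -> None:
        with self._lock:
            self.failures += 1
            if self.state == "half_open" or self.failures >= self.failure_threshold:
                self.state, self.opened_at = "open", self.clock()


class Bulkhead:
    """Caps concurrent calls to one dependency; callers beyond the cap fail fast
    instead of queueing and tying up the shared worker pool."""

    def __init__(self, max_concurrent: int):
        self._sem = threading.BoundedSemaphore(max_concurrent)
        self.in_flight = 0

    def __enter__(self):
        if not self._sem.acquire(blocking=False):
            raise BulkheadFull()
        self.in_flight += 1
        return self

    def __exit__(self, *exc):
        self.in_flight -= 1
        self._sem.release()


class DependencyClient:
    """Wraps one downstream call with shedding, a bulkhead and a breaker."""

    def __init__(self, call: Callable[[Any], Any], max_concurrent: int = 4,
                 shed_low_priority_above: int = 2, **breaker_kwargs):
        self.call = call
        self.bulkhead = Bulkhead(max_concurrent)
        self.breaker = CircuitBreaker(**breaker_kwargs)
        self.shed_low_priority_above = shed_low_priority_above

    def invoke(self, request: Any, priority: str = "normal", fallback: Any = None) -> Any:
        # Load shedding: under pressure, drop low-priority work before it costs anything.
        if priority == "low" and self.bulkhead.in_flight >= self.shed_low_priority_above:
            raise RequestShed()
        # The bulkhead is taken before the breaker is consulted, so a saturated
        # bulkhead can never consume the single half-open probe.
        with self.bulkhead:
            if not self.breaker.allow():
                if fallback is not None:
                    return fallback          # graceful degradation instead of a timeout
                raise CircuitOpen()
            try:
                result = self.call(request)
            except Exception:
                self.breaker.record_failure()
                if fallback is not None:
                    return fallback
                raise
            self.breaker.record_success()
            return result
```

The fallback is what turns isolation into graceful degradation: a product page that renders without recommendations is the core functionality the paragraph says to preserve, whereas a request that waits on a dead dependency until it times out is the cascade the pattern exists to prevent.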
Cloud-Native Security Patterns
Multi-Account/Project Isolation Pattern

Multi-account or multi-project isolation provides strong security boundaries and limits the blast radius of a compromise. Per-environment isolation separates development, staging, and production so that nothing in a lower environment can reach production. Per-tenant isolation provides a boundary between tenants and prevents cross-tenant access. Organization policies (GCP) and Service Control Policies (AWS SCPs) enforce guardrails that prevent non-compliant resources from being created; SCPs only restrict, they never grant, so identities still need explicit IAM policies for the access they legitimately require. The account or project structure should align with the security boundaries the organization needs, so that those boundaries are clear and enforceable.

Immutable Infrastructure and GitOps Pattern

Immutable infrastructure prevents configuration drift: changes are made by deploying a new image or stack and replacing the old one, never by modifying running resources incrementally. GitOps uses Git as the source of truth for infrastructure, providing version control, review, and an audit trail of what was deployed and when. Policy-as-code checks in the pipeline block non-compliant deployments before they reach an environment, and the resulting auditable deployments provide compliance evidence. Drift detection compares the running state with the declared state and flags unauthorized changes for rapid response.

Secret Broker Pattern

The secret broker pattern uses workload identity to obtain short-lived credentials and eliminates static secrets. The workload authenticates to the broker with its workload identity (for example mTLS with a SPIFFE SVID), which proves which workload is asking, and the broker issues a credential with a short lifetime, which limits the exposure if it leaks. Applications never store static credentials, so there is nothing long-lived to leak, and rotation is automatic because the workload simply requests a fresh credential before the current one expires. Examples include AWS IAM Roles for Service Accounts, Azure Managed Identity, and GCP Workload Identity.

Zero Trust Network Pattern

Zero trust assumes no implicit trust based on network location and requires explicit verification of every request.
Every request is authenticated and authorized regardless of where it originates. Mutual TLS (mTLS) authenticates both the client and the server and gives each workload a cryptographic identity. Least-privilege access keeps the permissions attached to that identity minimal, which reduces the blast radius of a compromised workload. Continuous verification monitors access over time rather than only at the moment of connection, so that anomalies are detected even after a session has been established.
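The lifecycle of the secret broker pattern above, as an added example that is not code from the original page or from any of the products it names. SecretBroker, WorkloadClient and authorize_db_query are hypothetical; the SPIFFE IDs and the identity-to-role policy are constructed, and the broker is assumed to receive the SPIFFE ID from an mTLS handshake that is not modelled here. The credential is opaque and validated by introspection, the way a cloud token service validates the credentials it issued: the workload holds it only in memory and refreshes it before expiry, an expired credential is useless, and an identity that is unknown or not entitled to the requested role gets nothing.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set


class SecretBroker:
    """Hypothetical broker. It trusts `spiffe_id` only because the mTLS handshake
    (not modelled here) already authenticated the workload's SVID against the trust
    bundle; the ID is the URI SAN from that certificate."""

    def __init__(self, clock: Callable[[], float] = time.time, default_ttl: float = 900.0):
        self._clock, self._ttl = clock, default_ttl
        # Constructed policy: which roles each workload identity may assume.
        self._policy: Dict[str, Set[str]] = {
            "spiffe://example.org/ns/payments/sa/api": {"db-reader", "queue-publisher"},
            "spiffe://example.org/ns/batch/sa/reporter": {"db-reader"},
        }
        self._issued: Dict[str, dict] = {}   # opaque credential -> record
        self.audit = []                      # (spiffe_id, role, exp) per issuance

    def issue(self, spiffe_id: str, role: str) -> Optional[str]:
        """Returns an opaque short-lived credential, or None if the identity is unknown
        or not entitled to the role. Nothing long-lived ever leaves the broker."""
        if role not in self._policy.get(spiffe_id, set()):
            return None
        cred = secrets.token_urlsafe(32)
        exp = self._clock() + self._ttl
        self._issued[cred] = {"sub": spiffe_id, "role": role, "exp": exp}
        self.audit.append((spiffe_id, role, exp))
        return cred

    def introspect(self, cred: str) -> Optional[dict]:
        """Resource servers validate credentials here; expired ones are purged."""
        rec = self._issued.get(cred)
        if rec is None:
            return None
        if rec["exp"] <= self._clock():
            del self._issued[cred]
            return None
        return rec

    def expiry(self, cred: str) -> float:
        return self._issued[cred]["exp"]


class WorkloadClient:
    """Runs inside the workload. Keeps the credential only in memory and refreshes it
    before expiry, so rotation needs no operator action and no stored secret."""

    def __init__(self, broker: SecretBroker, spiffe_id: str, role: str,
                 clock: Callable[[], float] = time.time, refresh_margin: float = 60.0):
        self.broker, self.spiffe_id, self.role = broker, spiffe_id, role
        self.clock, self.refresh_margin = clock, refresh_margin
        self._cred: Optional[str] = None
        self._exp = 0.0

    def credential(self) -> str:
        if self._cred is None or self.clock() >= self._exp - self.refresh_margin:
            cred = self.broker.issue(self.spiffe_id, self.role)
            if cred is None:
                raise PermissionError(f"{self.spiffe_id} may not assume {self.role}")
            self._cred, self._exp = cred, self.broker.expiry(cred)
        return self._cred


def authorize_db_query(broker: SecretBroker, cred: str, required_role: str) -> bool:
    """What the database (a resource server) does per connection: validate the
    credential with the broker and check the role bound to it."""
    rec = broker.introspect(cred)
    return rec is not None and rec["role"] == required_role
```

Because the credential carries no authority of its own and the broker keeps the only record of what it means, revocation is a deletion in the broker rather than a hunt for every place a static secret was copied.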
Security Anti-Patterns
God Gateway Anti-Pattern

A god gateway contains business logic in addition to security logic. Business logic in the gateway creates tight coupling between the gateway and every service behind it, makes the gateway a bottleneck that limits scalability, and makes it hard to test because of the accumulated complexity. Gateways should focus on cross-cutting concerns; business logic belongs in the services.

Shared Admin Super-Token Anti-Pattern

A shared administrative token grants excessive privileges to everyone who holds it, violating least privilege. Because the token is shared, actions cannot be attributed to the person or service that performed them, and a single compromise grants full access with catastrophic impact. Use service-specific credentials scoped to least privilege so that the blast radius of any one credential is limited and every action is attributable.

Implicit Trust in East-West Traffic Anti-Pattern

Implicit trust assumes that traffic inside the network is safe. The assumption is dangerous: one compromised service can attack every other service, which is exactly the lateral movement an attacker is looking for. East-west traffic should be authenticated and authorized just like north-south traffic. A service mesh with mTLS and authorization policies provides this; mTLS alone only encrypts and identifies, and without authorization policies any workload in the mesh can still call any other.

Blanket Allow Egress Anti-Pattern

Blanket-allow egress permits all outbound traffic, which makes data exfiltration and command-and-control callbacks trivial. Egress should be restricted to the destinations a workload actually needs, enforced by an egress proxy with an allow-list, and every denied attempt should be logged and monitored so that anomalies, such as a workload contacting a destination it has never needed before, are detected.
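The decision logic of the allow-listing egress proxy that the blanket-allow egress anti-pattern above calls for, as an added example that is not code from the original page. EGRESS_ALLOW, the workload names and the destinations are constructed; EgressPolicy, normalize_host and host_matches are hypothetical. Beyond the plain allow-list lookup, the block handles the ways a destination check is commonly bypassed: a suffix-matching lookalike host, userinfo in the URL that hides the real host, an IP literal that sidesteps name-based policy, a non-default port, and case or trailing-dot variations of an allowed name. Denials are counted per destination so that an egress monitor can alert on first contact with a new one.

```python
import ipaddress
from collections import Counter
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: per workload, the (host pattern, port) pairs it may reach.
# A leading "*." matches any subdomain but not the apex itself.
EGRESS_ALLOW: Dict[str, Set[Tuple[str, int]]] = {
    "payments-api": {("api.stripe.com", 443), ("*.amazonaws.com", 443)},
    "batch-reporter": {("reports.internal.example", 443)},
}


def normalize_host(host: str) -> str:
    """Lower-case, strip the trailing dot, and remove brackets around IPv6 literals."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host


def host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # ".amazonaws.com" suffix; apex excluded
    return host == pattern


class EgressPolicy:
    """Decision logic of an egress proxy. Denies by default, refuses IP literals so
    that policy is always expressed in names, and counts denials per destination
    as the signal an egress monitor alerts on."""

    def __init__(self, allow: Dict[str, Set[Tuple[str, int]]]):
        self.allow = allow
        self.denied: Counter = Counter()   # (workload, host, port) -> attempts

    def evaluate(self, workload: str, url: str) -> Tuple[bool, str]:
        try:
            parts = urlsplit(url)
            port = parts.port               # raises ValueError on a non-numeric port
        except ValueError:
            return self._deny(workload, "?", 0, "unparseable URL")
        shown = parts.hostname or "?"
        if parts.scheme != "https":
            return self._deny(workload, shown, port or 0, "only https egress is permitted")
        if parts.username is not None or parts.password is not None:
            return self._deny(workload, shown, port or 443, "userinfo in URL is not allowed")
        host = normalize_host(parts.hostname or "")
        if not host:
            return self._deny(workload, "?", port or 443, "no host")
        try:
            ipaddress.ip_address(host)
            return self._deny(workload, host, port or 443, "IP literal; use a named destination")
        except ValueError:
            pass
        port = port or 443
        for pattern, allowed_port in self.allow.get(workload, set()):
            if allowed_port == port and host_matches(pattern, host):
                return True, "allowed"
        return self._deny(workload, host, port, f"{host}:{port} is not in the allow-list for {workload}")

    def _deny(self, workload: str, host: str, port: int, reason: str) -> Tuple[bool, str]:
        self.denied[(workload, host, port)] += 1
        return False, reason

    def new_destinations(self, baseline: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
        """Denied (workload, host) pairs not in the baseline: a first-contact alert."""
        return {(w, h) for (w, h, _p) in self.denied} - baseline
```

A proxy that terminates TLS or inspects SNI would apply the same decision to the name it actually observes on the wire; the point of refusing IP literals is that a policy written in names can be reviewed, whereas a policy full of addresses cannot.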
Reference Architectures
Internet-Facing API Architecture

The edge layer includes a WAF and an identity provider and provides the first line of defense. An API gateway enforces authentication, authorization, rate limiting, and schema validation. Services communicate over mTLS, with service mesh authorization policies securing east-west traffic. The data layer uses encryption at rest and row-level security. Observability includes distributed tracing and centralized logging, which enable detection and investigation.

Data Platform Architecture

The ingestion layer validates schemas and enforces rate limits to ensure data quality. The storage layer classifies data and encrypts it at rest. The access layer enforces authorization and audit logging. The analytics layer provides governed workbenches with data access controls so that data is used appropriately. Data lineage tracks data flows and supports compliance.

Microservices Security Architecture

A service mesh provides mTLS, authorization, and observability for service-to-service communication. An API gateway secures the external interface. A secret broker handles credential management and eliminates static credentials. Centralized logging and monitoring enable detection and analysis. Policy-as-code enforces security policies automatically.
Security-by-Design Principles
Least Privilege

Grant the minimum permissions required. Least privilege limits the blast radius of a compromise. Permissions should be granted explicitly; explicit grants prevent the accidental exposure that inherited or wildcard permissions cause.

Defense in Depth

Multiple security layers provide redundancy so that security holds even if one layer fails. Security should be enforced at multiple points, because a control enforced only once can be bypassed by reaching the protected resource another way.

Fail Secure

Failures should default to a secure state. Security checks should fail closed: if an authorization check errors out or its decision point is unavailable, access is denied rather than allowed. Fail-open behaviour turns every outage into a bypass.

Separation of Concerns

Security logic should be separate from business logic so that it can be reviewed and tested on its own. Cross-cutting concerns should be centralized to ensure they are applied consistently.

Secure by Default

The default configuration should be secure, so that a deployment that changes nothing is not misconfigured. Insecure options should require explicit opt-in, which makes any weakening of security visible in configuration and code review.
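One block serves two passages: the policy enforcement sidecar pattern (PDP separated from PEP, with policy updates propagating to every sidecar) under Foundational Security Patterns, and the fail-secure principle above. It is an added example, not code from the original page or from any policy engine it resembles; Rule, PolicyDecisionPoint, PolicyEnforcementPoint, PDPUnavailable, handle_request and the billing roles and resources are constructed for illustration. The PEP is deny-by-default: only a well-formed, literal allow from the PDP admits a request, an unreachable PDP is a deny that the audit trail can distinguish from a policy deny, and loading a new policy bundle into the PDP changes the next answer without any change to the service.

```python
import fnmatch
import time
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    resource: str   # glob over resource names, e.g. "invoices/*"


class PolicyDecisionPoint:
    """Central PDP: holds the current policy bundle and answers allow/deny queries.
    A real deployment would run an engine such as OPA here; the contract is the same."""

    def __init__(self):
        self.version = 0
        self.rules: List[Rule] = []

    def load_bundle(self, version: int, rules: List[Rule]) -> None:
        self.version, self.rules = version, list(rules)   # one push changes every PEP's answers

    def decide(self, subject: dict, action: str, resource: str) -> dict:
        roles = set(subject.get("roles", ()))
        allowed = any(
            r.role in roles and r.action == action and fnmatch.fnmatchcase(resource, r.resource)
            for r in self.rules
        )
        return {"allow": allowed, "version": self.version}


class PDPUnavailable(Exception):
    pass


class PolicyEnforcementPoint:
    """Sidecar-side logic. Deny is the default; only an explicit, well-formed allow
    from the PDP lets a request through, and a PDP outage is a deny, not a pass."""

    def __init__(self, query: Callable[[dict, str, str], dict],
                 clock: Callable[[], float] = time.time):
        self.query = query
        self.clock = clock
        self.audit = []   # (time, subject id, action, resource, decision, reason)

    def authorize(self, subject: dict, action: str, resource: str) -> bool:
        sub = subject.get("id", "?")
        try:
            decision = self.query(subject, action, resource)
        except PDPUnavailable:
            # Fail closed. An unavailable decision point must look like a deny to the
            # caller but remain distinguishable from a policy deny in the audit trail.
            self.audit.append((self.clock(), sub, action, resource, "deny", "pdp-unavailable"))
            return False
        # Defensive parsing: anything other than a literal True is a deny.
        well_formed = isinstance(decision, dict)
        allow = well_formed and decision.get("allow") is True
        reason = f"policy-v{decision.get('version', '?')}" if well_formed else "malformed-decision"
        self.audit.append((self.clock(), sub, action, resource, "allow" if allow else "deny", reason))
        return allow


def handle_request(pep: PolicyEnforcementPoint, subject: dict, action: str, resource: str) -> int:
    """The service's request path: this call is the only authorization code it contains."""
    return 200 if pep.authorize(subject, action, resource) else 403
```

Engines that evaluate a locally cached bundle inside the sidecar avoid the network round trip and with it most PDP-unavailable denials; the fail-closed branch still matters for the window before the first bundle arrives and for any decision the sidecar has to fetch remotely.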
Conclusion

Security architecture patterns provide reusable secure design solutions that compress experience into proven approaches. Security engineers apply patterns including authenticated edge, policy enforcement sidecar, event sourcing with idempotency, bulkheads and circuit breakers, and the cloud-native patterns above to build secure systems. Success requires applying the foundational patterns, avoiding anti-patterns such as god gateways and implicit trust in east-west traffic, using reference architectures for common scenarios, and following security-by-design principles. Organizations that invest in security architecture patterns build secure systems efficiently.