Why Security Architects Are the Guardians of the Digital World

Recent incidents illustrate that security is mandatory

2021 – data leak of 500 million users from a major social platform.

2022 – database dump exposing tens of millions of passwords from an e‑commerce site.

2023 – ransomware crippled a hospital appointment system.

Continuous scanning, attacks, and injection attempts occur daily.

Security architect role

Position

Security architect designs system security architecture.

Identify security risks

Design security solutions

Implement security measures

Respond to security incidents

Difference from other security roles

Security architect – designs security architecture; combines architecture design and security technology.

Security operations – daily security operations; monitoring and response.

Security development – develops security features; development plus security.

Penetration testing – discovers vulnerabilities; focuses on attack techniques.

Core responsibilities of a security architect

Security architecture design

┌─────────────────────────────────────┐
│           Security Layers           │
├─────────────────────────────────────┤
│ Application Layer: Auth, Access      │
├─────────────────────────────────────┤
│ Data Layer: Encryption, Masking, Tier│
├─────────────────────────────────────┤
│ Infrastructure Layer: Firewall, IDS  │
├─────────────────────────────────────┤
│ Management Layer: Policies, Audits  │
└─────────────────────────────────────┘

Security requirements analysis

Asset identification – what needs protection.

Threat modeling – potential threats.

Risk assessment – adequacy of existing controls.

Security technology selection

Authentication scheme choice.

Encryption algorithm choice.

Security product selection.

Compliance

Network security classification.

Personal Information Protection Law.

Industry standards such as PCI‑DSS.

Typical daily schedule

09:00 – Review security design of new features
10:30 – Analyze last week’s security logs
12:00 – Lunch
14:00 – Design OAuth2.0 authentication scheme
15:30 – Discuss product selection with vendors
16:30 – Answer developers’ security questions
17:00 – Process vulnerability reports
18:00 – Write weekly security report

Core domains of security architecture

Authentication & Authorization

Authentication proves identity. Common methods:

Username & password

SMS verification code

Email verification

OAuth 2.0

SAML

Biometrics

Authorization determines permitted actions. Models:

ACL (Access Control List)

RBAC (Role‑Based Access Control)

ABAC (Attribute‑Based Access Control)

RBAC example:
User → Role → Permission
├── Zhang San → Administrator → CRUD
├── Li Si → Regular User → Read
└── Wang Wu → Auditor → Read + Audit

Data security

Encryption

Transport: HTTPS, TLS

At‑rest: AES, RSA

Key management: KMS

Data masking

Static masking at database level

Dynamic masking at application level

Original: 13812345678
Masked:   138****5678

Data classification tiers

Public

Internal

Sensitive

Confidential

Network security

Perimeter protection

Firewalls

Web Application Firewall (WAF)

IDS/IPS

Internal segmentation

VLAN segmentation

Zero‑Trust networking

Micro‑segmentation

Application security

Typical vulnerabilities and mitigations:

SQL Injection – use parameterized queries.

XSS – input validation and output encoding.

CSRF – token validation.

SSRF – URL whitelist.

File upload – file type validation.

Security operations

Logging & monitoring

Collect security logs.

Establish security alerts.

Analyze security events.

Incident response flow

Detect → Contain → Eradicate → Recover → Post‑mortem

Penetration testing activities

Regular penetration tests.

Vulnerability scanning.

Red‑Blue team exercises.

Design principles

Defense in depth

Attacker
 ↓
Network Layer (WAF, Firewall)
 ↓
Application Layer (Input validation, AuthZ)
 ↓
Data Layer (Encryption, Auditing)
 ↓
Success!

Least privilege

Grant only the permissions required for each user or system.

Zero Trust

Default deny all requests.

Verify every access.

Continuous verification and monitoring.

Security left‑shift

Place security requirements early in development.

Prioritize security design.

Integrate security testing alongside development.

Career development

Entry path

Web Development (2‑3 years)
   ↓
Security Development / SDL (1‑2 years)
   ↓
Security Architect

Advancement path

Junior Security Architect
   ↓
Senior Security Architect
   ↓
Security Expert / Security Lead
   ↓
Chief Security Officer (CSO)

Certification landscape

CISSP – international certification (★★★★★).

CISP – domestic certification (★★★★).

AWS Security – cloud security certification (★★★★).

System Architecture Designer – advanced software exam (★★★★).

Toolbox

Threat modeling

STRIDE – Microsoft method.

PASTA – attack simulation and threat analysis.

Threat Dragon – open‑source tool.

Security scanning

SonarQube – code security scanning.

Burp Suite – web security testing.

Nessus – vulnerability scanning.

SIEM platforms

Splunk – security information and event management.

ELK – open‑source log analysis.

Alibaba Cloud Log Service – cloud‑based SIEM.

Security architect profile

Core duties: design security architecture, protect system assets.

Focus areas: authentication, data security, network security, compliance.

Core capabilities: security technology, architecture design, compliance understanding.

Typical background: security development, security operations, penetration testing.

Salary: high, rises with stricter compliance requirements.

Outlook: ★★★★★ – essential in the compliance era.