
Enterprise Security Architecture

Reference architecture patterns for security at enterprise scale, paired with the cross-industry view of which platform choices the field is moving toward.

Zero-trust network access (ZTNA)

  • Pattern. No implicit trust based on network position. Every request authenticated + authorized at the resource. VPN replaced by identity-aware proxy or per-app tunnels.
  • Common failure. Legacy services bolted in via a "trusted network" exception. Each exception erodes the model. Track exceptions as a sunset list with deadlines, not as an allowlist that is never reviewed.
  • Vendors. Cloudflare Access, Zscaler Private Access, Tailscale, Google BeyondCorp, Microsoft Entra Private Access. Pick by identity-provider fit + protocol coverage (HTTP-only vs full L4).

Identity-aware proxy

  • Pattern. Single ingress point per application; proxy authenticates the user against IdP, attaches identity headers, forwards to backend. Backend trusts only the proxy.
  • Common failure. Backend reachable bypassing proxy (private IP exposed, container port-forward, accidental public LB). Audit by trying to hit backend directly from peer network.
  • Hardening. mTLS between proxy and backend; the backend accepts only the proxy's client certificate. Identity travels in a signed header (JWT) that the backend verifies against the proxy's key, checking issuer, audience and expiry, and any request without a valid assertion is rejected. An unsigned header such as X-Forwarded-User is not identity: anything that can reach the backend can set it.
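The backend-side check described above, as an added example that is not code from the original page or from any of the listed products. It assumes a hypothetical header name (X-Proxy-Identity-Jwt), issuer and audience, and uses HS256 with a shared secret only so it runs offline; a real identity-aware proxy signs with a private key and the backend fetches the public key (JWKS) instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumptions for this example: header name, issuer and audience are made up,
# and HS256 with a shared secret stands in for the proxy's asymmetric key.
PROXY_SIGNING_KEY = b"proxy-shared-secret-example-only"
EXPECTED_ISSUER = "https://proxy.example.internal"
EXPECTED_AUDIENCE = "orders-backend"
ASSERTION_HEADER = "X-Proxy-Identity-Jwt"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_identity_header(claims: dict, key: bytes = PROXY_SIGNING_KEY) -> str:
    """Proxy side: mint a compact JWT carrying the identity it authenticated."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


class RejectRequest(Exception):
    """Raised by the backend for anything that is not a valid proxy assertion."""


def verify_identity_header(token: str, now: Optional[float] = None,
                           key: bytes = PROXY_SIGNING_KEY) -> dict:
    """Backend side: accept identity claims only if the proxy signed them."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise RejectRequest("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise RejectRequest("malformed token")
    # The verifier fixes the algorithm; the token's alg field is compared to it,
    # never used to choose a verifier (this is what blocks alg=none tricks).
    if header.get("alg") != "HS256":
        raise RejectRequest("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise RejectRequest("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise RejectRequest("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise RejectRequest("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise RejectRequest("expired or missing exp")
    return claims


def handle_request(headers: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """Backend handler. A plain X-Forwarded-User header is ignored because
    anything that reaches the backend directly can set it; only the signed
    assertion counts. Returns an (HTTP status, body) pair."""
    token = headers.get(ASSERTION_HEADER)
    if not token:
        return 401, "no proxy assertion: request did not arrive through the proxy"
    try:
        claims = verify_identity_header(token, now)
    except RejectRequest as err:
        return 401, str(err)
    return 200, claims["sub"]
```

The audience check is what stops a token minted for one application from being replayed against another behind the same proxy; the issuer and signature checks are what make the "backend trusts only the proxy" statement true rather than aspirational.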

Secrets-manager-backed credential flow

  • Pattern. Apps never hold long-lived secrets. App identity (workload identity, IAM role, Pod SA) → secrets manager → short-lived credential.
  • Vendors. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Doppler, 1Password Connect.
  • Common failure. The bootstrap problem (how the app proves its identity to fetch its first secret) is "solved" by hardcoding the bootstrap token in the AMI or container image, which turns every copy of the image into a credential. Audit by grepping images for known token formats.
  • Rotation. Automated, scheduled, observable. Vault dynamic secrets are the canonical example — DB credentials valid for 1 hour, regenerated on demand.
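The image audit from the "common failure" bullet, as an added example that is not code from the original page or from any listed vendor. It scans an extracted image filesystem for documented token prefixes (Vault hvs./s., AWS AKIA/ASIA, GitHub ghp_, PEM private keys); the pattern list is a starting point rather than complete, and the rootfs it builds and the credential strings in it are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Documented credential prefixes worth hunting for in an image. Starting point
# only; extend for the secret formats your environment actually issues.
TOKEN_PATTERNS = {
    "vault_service_token": re.compile(rb"\bhvs\.[A-Za-z0-9_-]{24,}"),
    "vault_legacy_token": re.compile(rb"\bs\.[A-Za-z0-9]{24}\b"),
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

Finding = Tuple[str, str, str]  # (path inside image, token kind, redacted prefix)


def scan_bytes(data: bytes, source: str) -> List[Finding]:
    """Report every token-shaped match in one file's contents, redacted."""
    findings = []
    for kind, pattern in TOKEN_PATTERNS.items():
        for match in pattern.finditer(data):
            # Never emit the secret itself into scanner output or CI logs.
            prefix = match.group(0)[:8].decode("ascii", "replace")
            findings.append((source, kind, prefix + "..."))
    return findings


def scan_tree(root: Path, max_file_bytes: int = 8 * 1024 * 1024) -> List[Finding]:
    """Walk an unpacked image filesystem (e.g. the output of `docker save` or
    `crane export`, extracted) and scan every regular file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_size > max_file_bytes:
            continue  # skip large binaries; add layer-aware scanning if you need them
        findings.extend(scan_bytes(path.read_bytes(), path.relative_to(root).as_posix()))
    return findings


def demo_scan() -> List[Finding]:
    """Build a small constructed rootfs with the bootstrap mistake baked in,
    scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "root" / ".aws").mkdir(parents=True)
        # Constructed values; not real credentials.
        (root / "etc" / "vault-bootstrap.env").write_text(
            "VAULT_ADDR=https://vault.example.internal\n"
            "VAULT_TOKEN=hvs.CAESIExampleOnlyNotARealTokenAAAAAAAAAAAAAAAAAAAAAAAA\n")
        (root / "root" / ".aws" / "credentials").write_text(
            "[default]\naws_access_key_id = AKIAEXAMPLEKEY000001\n"
            "aws_secret_access_key = example-secret-not-real\n")
        (root / "etc" / "motd").write_text("Built from image-template v3. No secrets here.\n")
        return scan_tree(root)
```

Run it over every layer of every base image in the pipeline, not just the final image: a token deleted in a later layer is still present in the earlier one and still extractable.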

Secure software delivery pipeline

  • Pattern. Code → CI → signed artifact → registry → policy gate → deploy. Every transition signed and logged.
  • Signing. Sigstore (cosign) for container signatures, in-toto attestations for build provenance, SLSA levels for rating build-integrity maturity.
  • Policy gates. OPA/Gatekeeper or Kyverno in K8s; admission controllers reject unsigned or non-policy-compliant deployments.
  • Common failure. CI runner has wide cloud permissions (deploys with an admin role). Pipeline compromise → cloud compromise. Defense: per-job federated identity (an OIDC token from the CI provider exchanged for a short-lived cloud role) scoped to the deploy target, so a compromised job reaches only what that job deploys.
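The policy gate from the pipeline above, as an added example that is not code from the original page, from OPA/Gatekeeper or from Kyverno. It applies the three checks an admission controller typically enforces on a pod spec (allowed registry, digest pinning, a signature from a trusted signer) in plain Python; the signature lookup is a dict standing in for the cosign registry query, and the registry name, signer identity, digests and pod spec are all constructed.

```python
import re
from typing import Dict, List, Set

# Assumptions for this example: the single registry deployments may come from,
# and the identity the release pipeline signs with (in cosign terms, the
# certificate identity or key the policy trusts).
ALLOWED_REGISTRIES = {"registry.example.internal"}
TRUSTED_SIGNERS = {"ci-release-pipeline"}

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image(ref: str) -> dict:
    """Split an OCI reference into registry, repository, tag and digest, using
    Docker's rule that the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest on {ref!r}")
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    repo, _, tag = path.partition(":")
    return {"registry": registry, "repo": repo, "tag": tag or None, "digest": digest}


def check_pod(pod: dict, signatures: Dict[str, Set[str]]) -> List[str]:
    """Return policy violations for a pod spec; empty means admit.
    `signatures` maps 'registry/repo@sha256:...' to the identities that signed
    it and stands in for the registry lookup a cosign-backed controller does."""
    violations = []
    spec = pod["spec"]
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        name, ref = container["name"], container["image"]
        try:
            img = parse_image(ref)
        except ValueError as err:
            violations.append(f"{name}: {err}")
            continue
        if img["registry"] not in ALLOWED_REGISTRIES:
            violations.append(f"{name}: registry {img['registry']} is not allowed")
        if not img["digest"]:
            # A tag can be re-pointed after signing; only a digest names one artifact.
            violations.append(f"{name}: image {ref} is not pinned by digest")
            continue
        subject = f"{img['registry']}/{img['repo']}@{img['digest']}"
        if not (signatures.get(subject, set()) & TRUSTED_SIGNERS):
            violations.append(f"{name}: no signature from a trusted signer on {subject}")
    return violations


def admit(pod: dict, signatures: Dict[str, Set[str]]) -> bool:
    return not check_pod(pod, signatures)


# Constructed sample input: digests and signer names are placeholders.
API_DIGEST = "sha256:" + "a" * 64
WORKER_DIGEST = "sha256:" + "b" * 64
BUSYBOX_DIGEST = "sha256:" + "c" * 64

SAMPLE_SIGNATURES = {
    f"registry.example.internal/shop/api@{API_DIGEST}": {"ci-release-pipeline"},
    f"registry.example.internal/shop/worker@{WORKER_DIGEST}": {"dev-laptop"},
}

SAMPLE_POD = {
    "spec": {
        "initContainers": [
            {"name": "init", "image": f"busybox@{BUSYBOX_DIGEST}"},
        ],
        "containers": [
            {"name": "api", "image": f"registry.example.internal/shop/api@{API_DIGEST}"},
            {"name": "worker", "image": f"registry.example.internal/shop/worker@{WORKER_DIGEST}"},
            {"name": "sidecar", "image": "registry.example.internal/shop/envoy:1.29"},
        ],
    }
}
```

The sample pod fails on three different counts (public registry, developer-signed image, mutable tag), which is the point of checking init containers and sidecars with the same rigour as the main container: the gate is only as strong as the least-checked image in the pod.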

SOC integration patterns

  • Detection-as-code. Detection rules versioned in git, tested in CI, deployed via pipeline. Sigma format → SIEM-specific compilation.
  • SOAR runbooks. Each alert maps to a runbook with explicit decision points and automatable steps. Manual triage as fallback, not default.
  • Threat intel ingestion. STIX/TAXII feeds → SIEM watchlists. Quality > volume; one curated paid feed beats five free firehoses.
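The detection-as-code loop (rule in Sigma's shape, evaluated over known true-positive and benign events in CI), as an added example that is not code from the original page or from the Sigma project. It implements a small subset of Sigma matching (exact, contains, startswith, endswith, case-insensitive; and/or/not conditions) rather than the full specification, and both the rule and the Sysmon-style events are constructed for the demo.

```python
import re
from typing import Any, Dict, List

# Constructed rule in Sigma's shape (what yaml.safe_load of the YAML would
# produce), modelled on the common webshell-reconnaissance detection of a web
# server worker spawning discovery commands. Not a published Sigma rule.
WEBSHELL_RECON_RULE = {
    "title": "Discovery command spawned by web server process",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_parent": {"ParentImage|endswith": ["\\w3wp.exe", "\\httpd.exe", "\\php-cgi.exe"]},
        "selection_cmd": {"Image|endswith": ["\\whoami.exe", "\\net.exe", "\\ipconfig.exe"]},
        "filter_health": {"CommandLine|contains": "healthcheck"},
        "condition": "selection_parent and selection_cmd and not filter_health",
    },
    "level": "high",
}

# Constructed Sysmon-style process-creation events: one true positive, one
# benign, one that the filter should suppress.
SAMPLE_EVENTS = [
    {"EventID": "evt-1", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"},
    {"EventID": "evt-2", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"},
    {"EventID": "evt-3", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user healthcheck"},
]


def _match_value(actual: Any, modifier: str, expected: Any) -> bool:
    """Sigma string matching is case-insensitive; supports exact plus the three
    most common modifiers."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Fields within one selection are ANDed; a list of values for a field is ORed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier, v) for v in candidates):
            return False
    return True


def _eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Recursive-descent evaluator for and/or/not and parentheses over named
    search identifiers (no aggregations or 'x of' forms)."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and() -> bool:
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not() -> bool:
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "not":
            return not parse_not()
        if token == "(":
            value = parse_or()
            pos += 1  # consume the closing parenthesis
            return value
        return results[token]

    return parse_or()


def match_event(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    detection = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def run_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[str]:
    """The CI check: run the rule over the curated events and return the
    EventIDs it fires on, to be compared against the expected list."""
    return [e["EventID"] for e in events if match_event(rule, e)]
```

In a real pipeline the same event fixtures run against the compiled SIEM query as well, so that a translation bug in the Sigma-to-backend step surfaces before the rule reaches production rather than as a silent gap in coverage.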

Regulated-industry variants

  • Finance. Heavy emphasis on segregation of duties; change management with multi-approver gates; tamper-evident logging (often append-only S3 + Object Lock).
  • Healthcare. HIPAA-driven PHI segregation; minimum-necessary access; BAA chain with every vendor that touches PHI.
  • Government. FedRAMP / IL4–IL6 deployment patterns; FIPS-validated crypto; supply-chain attestation requirements.
  • Critical infrastructure. NERC CIP / NIS2 — physical security, IT/OT segmentation, mandatory incident reporting timelines.

Technology trends (current)

  • Toward. Workload identity federation (kills static cloud creds in CI); eBPF-based runtime security; supply-chain SBOM + signing; SaaS SIEM with managed detections.
  • Away. Long-lived static API keys in CI; perimeter-only firewalls without internal segmentation; on-prem self-built SIEM without managed detection team; Java-native serialization in new code.

Rule of thumb. Architecture review evaluates the system at its weakest path, not its strongest. If 90% of access uses ZTNA but the legacy VPN still exists for ops, the security posture is determined by the VPN, not the ZTNA. Find the bypass before assuming the pattern works.
