Reference Architectures (Web, Network, Cloud)

Standardizing Without Bureaucracy

A reference chapter only has value when teams can directly use it to plan, design, and deliver.

In Reference Architectures (Web, Network, Cloud), the goal is to document choices that teams can execute consistently and repeatably.

This keeps this chapter from being theory and makes it a usable compass for consistent execution.

Immediate measures (15 minutes)

• Use this page to prioritize measures and convert them into backlog items.
• Link each measure to an owner, deadline, and demonstrable evidence.
• Repeat periodically based on risk, changes, and incident lessons.

Why this matters

The core of Reference Architectures (Web, Network, Cloud) is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.

Web Platform Reference Architecture

Goal

Secure public-facing applications with controlled access to backend and data.

Core Building Blocks

• Edge: WAF, DDoS protection, TLS termination.
• App tier: stateless services, strong input/output validation.
• Data tier: separate subnets, encrypted connections.
• Identity: centralized authN/authZ platform.
• Logging: centralized security events + tracing.

Mandatory Controls

• CSP + security headers;
• API rate limiting;
• workload identities (no shared secrets);
• mTLS or private service connectivity internally;
• database not directly reachable from internet zone.

Network/Enterprise Reference Architecture

Goal

Minimize lateral movement and isolate management channels.

Core Building Blocks

• Segmentation per function (user/server/management/OT where relevant);
• separate management zone;
• identity-aware access for admins;
• central DNS, PKI, and logging with hardening;
• controlled egress.

Mandatory Controls

• deny-by-default between segments;
• PAM/JIT for management actions;
• tiering model for directory services;
• monitoring of east-west traffic;
• backup and recovery path outside primary trust zone.

Cloud Platform Reference Architecture

Goal

Secure multi-account/subscription landing zone with policy enforcement.

Core Building Blocks

• Organization hierarchy (accounts/projects/subscriptions);
• centralized identity and SCP/policy guardrails;
• security logging account/project;
• key management with rotation;
• CI/CD with signed artifacts.

Mandatory Controls

• baseline policies enforcing, not advisory;
• private networking for internal services;
• secrets exclusively via secret manager;
• container/image scanning before deployment;
• cloud detective controls with automated response.

Cross-Cutting Design Rules

1. No implicit admin path
   Every management action must be traceable to an individual identity.
2. No unmanaged egress
   Outbound traffic is controlled, logged, and policy-driven.
3. No hidden trust dependencies
   Every trust relationship is documented in architecture documentation.
4. No blind spots in telemetry
   Critical control points provide logs with sufficient context.

Minimum documentation set per reference architecture

• Context diagram with trust boundaries.
• Dataflow with authentication and authorization points.
• Control mapping to NIS2/ISO/CIS.
• Operational runbook for incidents.
• Exceptions register (risk acceptances).

Summary

Reference architectures accelerate decision-making and increase consistency. They only become valuable when they standardize and make security controls demonstrable.