🏗️Catatan Seekor: Security Architecture

"Security architecture is the foundation upon which secure systems are built"

📚 Overview

Security Architecture adalah kerangka kerja yang mendefinisikan bagaimana keamanan diimplementasikan dalam sistem, aplikasi, atau infrastruktur. Ini mencakup desain, implementasi, dan maintenance dari security controls yang melindungi assets dan data.

🎯 Learning Objectives

Memahami prinsip-prinsip security architecture
Menerapkan defense in depth strategy
Merancang zero trust architecture
Mengamankan microservices dan cloud infrastructure

📖 Table of Contents

🏗️ Security Architecture Concepts

1. Security Design Principles

Defense in Depth: Multiple layers of security
Principle of Least Privilege: Minimal access required
Fail Secure: System fails to secure state
Separation of Concerns: Different security aspects
Security by Design: Security from the start

2. Architecture Patterns

Perimeter Security: Traditional network security
Zero Trust: Never trust, always verify
Microsegmentation: Network isolation
Identity-Centric: Security based on identity
Cloud-Native: Security for cloud environments

3. Security Controls

Preventive: Stop attacks before they happen
Detective: Identify when attacks occur
Corrective: Respond to and recover from attacks
Deterrent: Discourage potential attackers

🚀 Quick Start

Untuk Pemula

Untuk Architects

Implementasi Zero Trust Architecture
Pelajari Microservices Security
Kuasai advanced security patterns

📚 Referensi & Resources

Essential Reading

Tools & Frameworks

🎯 Best Practices

✅ Security by design principles
✅ Defense in depth strategy
✅ Identity-centric security
✅ Continuous monitoring
✅ Regular security assessments
✅ Incident response planning
✅ Security training programs

🚨 Security Checklist

📊 Implementation Examples

Zero Trust Network Architecture (Python)

import jwt
import requests
from datetime import datetime, timedelta

class ZeroTrustNetwork:
    def __init__(self):
        self.trust_score_threshold = 0.7
        self.session_timeout = 300  # 5 minutes
        
    def calculate_trust_score(self, user_context):
        """Calculate trust score based on multiple factors"""
        score = 0.0
        
        # Device trust (30%)
        if user_context.get('device_trusted'):
            score += 0.3
        
        # Location trust (25%)
        if user_context.get('location_trusted'):
            score += 0.25
        
        # Behavior trust (25%)
        if user_context.get('behavior_normal'):
            score += 0.25
        
        # Time-based trust (20%)
        if user_context.get('time_appropriate'):
            score += 0.2
            
        return score
    
    def verify_access(self, user_id, resource_id, user_context):
        """Verify access based on zero trust principles"""
        # Calculate trust score
        trust_score = self.calculate_trust_score(user_context)
        
        # Check if trust score meets threshold
        if trust_score < self.trust_score_threshold:
            return {
                'access_granted': False,
                'reason': 'Insufficient trust score',
                'trust_score': trust_score
            }
        
        # Verify user permissions
        if not self.has_permission(user_id, resource_id):
            return {
                'access_granted': False,
                'reason': 'Insufficient permissions',
                'trust_score': trust_score
            }
        
        # Generate short-lived access token
        access_token = self.generate_access_token(user_id, resource_id)
        
        return {
            'access_granted': True,
            'access_token': access_token,
            'trust_score': trust_score,
            'expires_in': self.session_timeout
        }
    
    def has_permission(self, user_id, resource_id):
        """Check if user has permission to access resource"""
        # Implement permission checking logic
        # This would typically query a permissions database
        return True  # Simplified for example
    
    def generate_access_token(self, user_id, resource_id):
        """Generate short-lived access token"""
        payload = {
            'user_id': user_id,
            'resource_id': resource_id,
            'exp': datetime.utcnow() + timedelta(seconds=self.session_timeout),
            'iat': datetime.utcnow()
        }
        
        # In production, use a secure secret key
        secret = 'your-secret-key'
        return jwt.encode(payload, secret, algorithm='HS256')

# Usage example
ztn = ZeroTrustNetwork()

user_context = {
    'device_trusted': True,
    'location_trusted': True,
    'behavior_normal': True,
    'time_appropriate': True
}

result = ztn.verify_access('user123', 'resource456', user_context)
print(f"Access granted: {result['access_granted']}")
print(f"Trust score: {result['trust_score']}")

Microservices Security Gateway (Node.js)

const express = require('express');
const jwt = require('jsonwebtoken');
const rateLimit = require('express-rate-limit');

class SecurityGateway {
    constructor() {
        this.app = express();
        this.setupMiddleware();
        this.setupRoutes();
    }
    
    setupMiddleware() {
        // Rate limiting
        const limiter = rateLimit({
            windowMs: 15 * 60 * 1000, // 15 minutes
            max: 100 // limit each IP to 100 requests per windowMs
        });
        
        this.app.use(limiter);
        
        // Security headers
        this.app.use((req, res, next) => {
            res.setHeader('X-Frame-Options', 'DENY');
            res.setHeader('X-Content-Type-Options', 'nosniff');
            res.setHeader('X-XSS-Protection', '1; mode=block');
            next();
        });
        
        // Authentication middleware
        this.app.use(this.authenticateToken);
    }
    
    setupRoutes() {
        // Health check (no auth required)
        this.app.get('/health', (req, res) => {
            res.json({ status: 'healthy', timestamp: new Date() });
        });
        
        // Protected API routes
        this.app.use('/api', this.requireAuth, this.routeToService);
    }
    
    authenticateToken(req, res, next) {
        const authHeader = req.headers['authorization'];
        const token = authHeader && authHeader.split(' ')[1];
        
        if (!token) {
            return res.status(401).json({ error: 'Access token required' });
        }
        
        jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
            if (err) {
                return res.status(403).json({ error: 'Invalid token' });
            }
            req.user = user;
            next();
        });
    }
    
    requireAuth(req, res, next) {
        if (!req.user) {
            return res.status(401).json({ error: 'Authentication required' });
        }
        next();
    }
    
    routeToService(req, res) {
        // Route request to appropriate microservice
        const service = this.determineService(req.path);
        
        if (!service) {
            return res.status(404).json({ error: 'Service not found' });
        }
        
        // Forward request to microservice
        this.forwardRequest(req, res, service);
    }
    
    determineService(path) {
        // Simple routing logic - in production, use more sophisticated routing
        if (path.startsWith('/users')) {
            return 'user-service:3001';
        } else if (path.startsWith('/products')) {
            return 'product-service:3002';
        } else if (path.startsWith('/orders')) {
            return 'order-service:3003';
        }
        return null;
    }
    
    forwardRequest(req, res, service) {
        // In production, use a proper reverse proxy like nginx or HAProxy
        // This is a simplified example
        const targetUrl = `http://${service}${req.path}`;
        
        // Forward the request
        // Implementation would depend on your reverse proxy solution
        res.json({ 
            message: 'Request forwarded', 
            target: targetUrl,
            user: req.user 
        });
    }
    
    start(port) {
        this.app.listen(port, () => {
            console.log(`Security Gateway running on port ${port}`);
        });
    }
}

// Usage
const gateway = new SecurityGateway();
gateway.start(3000);

🔍 Security Architecture Patterns

1. Defense in Depth

Internet → Firewall → IDS/IPS → Web Application Firewall → Application → Database
   ↓           ↓         ↓              ↓                    ↓           ↓
Perimeter   Network   Host-based    Application         Data        Physical
Security    Security   Security      Security          Security    Security

2. Zero Trust Architecture

User → Identity Provider → Policy Engine → Access Control → Resource
  ↓           ↓              ↓              ↓            ↓
Verify    Authenticate    Evaluate      Enforce      Monitor
Identity   & Authorize    Policies     Access       Activity

3. Microservices Security

API Gateway → Authentication → Authorization → Rate Limiting → Microservice
     ↓             ↓              ↓              ↓              ↓
   Routing      JWT/OAuth      RBAC/ABAC     DDoS Protection  Business Logic

🚀 Advanced Topics

Cloud Security Architecture

Shared Responsibility Model
Cloud Access Security Broker (CASB)
Cloud Security Posture Management (CSPM)
Serverless Security
Container Security

DevSecOps Integration

Security as Code
Infrastructure as Code (IaC) Security
Continuous Security Testing
Security Automation
Compliance as Code

Threat Modeling

STRIDE Methodology
Attack Trees
Risk Assessment
Security Requirements
Mitigation Strategies

🤝 Contributing

Kontribusi untuk memperbaiki dan menambahkan konten security architecture sangat dihargai! Silakan:

Fork repository ini
Buat branch untuk fitur baru
Commit perubahan Anda
Push ke branch
Buat Pull Request

📄 License

Konten ini tersedia di bawah MIT License.

🙏 Acknowledgments

NIST untuk cybersecurity framework
SABSA Foundation
Cloud security communities
Security architecture practitioners

⚠️ Disclaimer: Catatan ini dibuat untuk tujuan pembelajaran. Selalu konsultasikan dengan security experts untuk implementasi production.

🏗️ Remember: Good security architecture is the foundation of secure systems!

Last updated 5 months ago

import jwt import requests from datetime import datetime, timedelta class ZeroTrustNetwork: def __init__(self): self.trust_score_threshold = 0.7 self.session_timeout = 300 # 5 minutes def calculate_trust_score(self, user_context): """Calculate trust score based on multiple factors""" score = 0.0 # Device trust (30%) if user_context.get('device_trusted'): score += 0.3 # Location trust (25%) if user_context.get('location_trusted'): score += 0.25 # Behavior trust (25%) if user_context.get('behavior_normal'): score += 0.25 # Time-based trust (20%) if user_context.get('time_appropriate'): score += 0.2 return score def verify_access(self, user_id, resource_id, user_context): """Verify access based on zero trust principles""" # Calculate trust score trust_score = self.calculate_trust_score(user_context) # Check if trust score meets threshold if trust_score < self.trust_score_threshold: return { 'access_granted': False, 'reason': 'Insufficient trust score', 'trust_score': trust_score } # Verify user permissions if not self.has_permission(user_id, resource_id): return { 'access_granted': False, 'reason': 'Insufficient permissions', 'trust_score': trust_score } # Generate short-lived access token access_token = self.generate_access_token(user_id, resource_id) return { 'access_granted': True, 'access_token': access_token, 'trust_score': trust_score, 'expires_in': self.session_timeout } def has_permission(self, user_id, resource_id): """Check if user has permission to access resource""" # Implement permission checking logic # This would typically query a permissions database return True # Simplified for example def generate_access_token(self, user_id, resource_id): """Generate short-lived access token""" payload = { 'user_id': user_id, 'resource_id': resource_id, 'exp': datetime.utcnow() + timedelta(seconds=self.session_timeout), 'iat': datetime.utcnow() } # In production, use a secure secret key secret = 'your-secret-key' return jwt.encode(payload, secret, algorithm='HS256') # Usage example ztn = ZeroTrustNetwork() user_context = { 'device_trusted': True, 'location_trusted': True, 'behavior_normal': True, 'time_appropriate': True } result = ztn.verify_access('user123', 'resource456', user_context) print(f"Access granted: {result['access_granted']}") print(f"Trust score: {result['trust_score']}")

hashtag📚 Overview

hashtag🎯 Learning Objectives

hashtag📖 Table of Contents

hashtag🏗️ Security Architecture Concepts

hashtag1. Security Design Principles

hashtag2. Architecture Patterns

hashtag3. Security Controls

hashtag🚀 Quick Start

hashtagUntuk Pemula

hashtagUntuk Architects

hashtag📚 Referensi & Resources

hashtagEssential Reading

hashtagTools & Frameworks

hashtag🎯 Best Practices

hashtag🚨 Security Checklist

hashtag📊 Implementation Examples

hashtagZero Trust Network Architecture (Python)

hashtagMicroservices Security Gateway (Node.js)

hashtag🔍 Security Architecture Patterns

hashtag1. Defense in Depth

hashtag2. Zero Trust Architecture

hashtag3. Microservices Security

hashtag🚀 Advanced Topics

hashtagCloud Security Architecture

hashtagDevSecOps Integration

hashtagThreat Modeling

hashtag🤝 Contributing

hashtag📄 License

hashtag🙏 Acknowledgments