Cybersecurity Architecture: Defense by Design

Users log in to networked systems every day for work and play, romping through corporate networks and across the Internet freely, slotting in a username and password from time to time but otherwise with very little consideration for the complex array of hardware, software, and logic that enables their activities. The network is a tool and a toy, one that exposes vast power yet remains relatively easy to use, driving the engines of commerce and entertainment in the modern world.

This alignment of speed and safety doesn’t simply emerge from chaos, however. Like any modern construction, it first has to be meticulously designed, and network security architects are an important part of these design teams.

Originally, the first internetworks did, in fact, emerge largely from chaos. Small groups of academics and researchers in various universities and government departments cobbled together basic systems and protocols to connect with one another. Not surprisingly, perhaps, these systems were rife with bugs and security holes.

To eliminate the inefficiencies and unreliability, the field of enterprise architecture slowly emerged to provide top-down planning for large-scale networks. And to secure the large, complicated systems that resulted from those efforts, the sub-specialty of network security architecture evolved to cast a suspicious eye across the designs, and to alter them to provide a greater level of security.

Featured Programs:

Tools At the Ready At the Drafting Tables of Network Security Architects

Today, network security architects are indispensable members of enterprise architecture teams. While other architects worry about LAN (Local Area Network) cabling runs, router installations, and data storage requirements, network security architects spend their days heading off accidental or nefarious vulnerabilities with tools and techniques that include:

  • Single Sign-On (SSO) identity management systems using PKI (Public Key Infrastructure) and Certification Authorities (CA)
  • Firewalled demilitarized zones off network routers
  • Protocol encryption including SSL (Secure Sockets Layer) and the WPA (Wifi Protected Access) family
  • Virtual Private Network (VPN) layers and connections between sites and systems

More important than the tools and techniques is the network security architect’s understanding of business and security requirements. Network security architects are responsible for meeting with other planners in the organization to translate business needs into functional, available systems that deliver services quickly and conveniently while incorporating a sufficient, but not excessive, level of security.

The nuance and skill required in this role demands a highly educated workforce. In fact, most network security architects only come into the position after obtaining either an advanced degree in cybersecurity or accumulating considerable on-the-job experience in various IT and information security positions.

Job Duties: Where Network Security Architects Fit In To the Design Process

Network Security architects are responsible for designing and overseeing the building and configuration of secure enterprise network systems.

At the most fundamental level, this involves segregating networks into the appropriate trust domains, a compartmentalization technique that involves using access controls to place only the appropriate users and data on the same system segments together. Security architects use a variety of access control mechanisms to accomplish this, including:

  • Role-based Access Control (RBAC) where pre-assigned role templates are used to determine process and data access
  • Mandatory Access Control (MAC) a rule-based system for restricting access that is often used in high-security environments
  • Discretionary Access Control (DAC) a system that allows users to set their own security levels on objects

Network security architects are responsible for analyzing network data and systems to select the most appropriate control mechanism for the security required. They may also have a hand in selecting software and hardware used to apply the control system. Windows Active Directory and Amazon Web Service’s Directory Service are two popular SSO options that are frequently adopted. Physical security of network elements, like routers and switches, can also fall into their practice domain.

Established Frameworks, Process Models, and Interactions with Users are All Part of the Job

Over time, various good and best practices for network design and configuration have been become a part of process frameworks. Network security architects are expected to be familiar with best practices and use the lessons incorporated in them appropriately to the tasks at hand. Some frameworks commonly used in enterprise architecture include:

Additionally, security architects will make use of the ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and Related Technologies) process models to ensure the IT departments responsible for managing the architecture can deliver the specified services with the appropriate level of availability and performance. They will define policies and procedures appropriate to the systems and help educate users and administrators. They might have an ongoing role in auditing and supervising security levels specific to the systems they have designed.

The role is among the most customer-facing of all cybersecurity positions, requiring regular interaction with other business divisions to help integrate their business requirements into the planning and implementation of the network security architecture. Network security architects must be able to articulate their knowledge of security considerations both verbally and in writing, and have to work within budget and operational constraints to secure systems without destroying their efficiency.

Network Security Architect Qualifications

Perhaps more than any other cybersecurity specialization, network security architects find their skillsets intersecting deeply with their non-security-specialized counterparts in enterprise architecture. Consequently, their qualifications also have extensive overlap. Network security architects are expected to be well-versed in:

  • Strategic planning
  • TCP/IP (Transmission Control Protocol/Internet Protocol) networking and the OSI (Open Systems Interconnection) 7-layer model
  • ITIL and COBIT IT practices frameworks

Additionally, candidates are usually expected to have the following security-specific qualifications:

  • Windows and Unix system security experience
  • Experience using Intrusion Detection Systems (IDS) and hardware and software firewalls
  • Implementing various network access control systems such as Active Directory


The job is not typically entry-level. Most network security architects have five years of experience or more in some area of IT, and one or two years in a cybersecurity role. A bachelor’s degree in computer science or a related field is also required and a master’s degree in cybersecurity is typically preferred.

Among the various institutions offering cybersecurity degree programs, the most sought-after are those that have been designated as Centers of Academic Excellence in Cyber Defense (CAE-CD). These colleges and universities have met or exceeded standards set by the Department of Homeland Security (DHS) and National Security Agency (NSA) for programs related to research or education in cybersecurity. Validated by top subject matter experts, degrees from these institutions are guaranteed to include the most comprehensive and up-to-date information in the field.


Although certifications of all stripes will be viewed favorably, the best information security certification for network security architects is the Information Systems Security Architecture Professional (ISSAP) certificate, offered through the International Information Systems Security Certification Consortium ((ISC)²).

The ISSAP is a part of the broader Certified Information Systems Security Professional (CISSP) certificate series, and delves into specifics of network architectural design required for secure systems.

Back to Top