The Influence of Architectural Styles on Security, Using the Example of a Certification Authority
Michael Tänzer

TL;DR
This paper investigates how different architectural styles impact the security of systems, using a certification authority as a case study, emphasizing early security integration during system design.
Contribution
It evaluates the effect of architectural styles on security by comparing multiple designs of a certification authority using a risk evaluation method.
Findings
Different architectural styles lead to significant variations in system security.
Early security integration through architectural choices improves overall security.
Designs aligned with security principles show fewer vulnerabilities.
Abstract
Often, security is considered in an advanced stage of the implementation of a system, rather than integrating it into the system design. This leads to less secure systems, as the security mechanisms are only applied as an afterthought and therefore do not integrate well with the rest of the design. Also, several statistics about discovered vulnerabilities in existing systems suggest that most of the vulnerabilities of a system are not caused by errors in the cryptographic primitives, but in other parts of the implementation. So integrating security concerns early in the design process seems a promising approach for increasing the security of the resulting system. This work evaluates how the choice of the architectural style affects the security of the resulting system. The evaluation is done on the example of an existing certification authority (CA). The requirements for the system…
Taxonomy
Topics: Information and Cyber Security
