Infra Pilot

Data Security Diagram

What it shows:

A visual representation of the concentric “Defence-in-Depth” security controls protecting the core data payload. It maps the overlapping layers of defence, moving from the outer network perimeter (e.g., isolated networks, strict port filtering) through the identity layer (e.g., SSO, RBAC), down to the application layer (e.g., TLS encryption in transit, AES-256 at rest).

Why it’s needed:

Accreditation and compliance. For highly secure or regulated environments, this is the primary tool for satisfying InfoSec and Compliance teams. It visually demonstrates that the architecture does not rely on a single boundary firewall but instead engineers multiple overlapping controls, so that sovereign data stays protected even if one layer is compromised.

When to use it:

Highly recommended for SADs and HLDs on any project—whether COTS or Custom Dev—that handles PII, PCI, commercially confidential, or highly regulated data. If the system stores or transmits information that the business considers critical, this diagram is the key to unlocking security sign-off.

When NOT to use it:

Omit for public-facing, unclassified informational portals with no backend database or user authentication. It can also be skipped for identical hardware swaps (e.g., replacing a faulty network switch with the exact same model) where the overarching security posture and encryption standards remain completely untouched.

Example: