7. Security Model¶

7.1 Zero-Trust Architecture¶

graph LR
  subgraph ZT["🛡️ Zero Trust Model"]
    direction LR
    IDP["🔑 Identity Provider\nKeycloak"] --> POLICY["📜 Policy Engine\nOPA / Rego"]
    POLICY --> MESH["🌐 Service Mesh\nIstio / Envoy"]
    EP["🔒 Endpoint\nmTLS"] --> MESH
    MESH --> DATA["💾 Data\nAES-256 Encrypted"]
  end

  subgraph SIEM["👁️ SIEM & SOC (24/7)"]
    direction LR
    W["Wazuh"] ~~~ ELK["Elasticsearch"] ~~~ SUR["Suricata"] ~~~ CS["CrowdSec"]
  end

  ZT -.->|monitors| SIEM

7.2 Security Technology Stack¶

Layer	Technology	Purpose
Identity & Access	Keycloak 24 + MFA (TOTP/WebAuthn)	SSO, OAuth 2.1, RBAC, ABAC
Policy Engine	Open Policy Agent (OPA)	Fine-grained access control, Rego policies
Network Security	pfSense / OPNsense firewalls	Perimeter protection
WAF	ModSecurity + OWASP CRS on Nginx	Web application firewall
DDoS Protection	On-premise DDoS mitigation appliances (Arbor/Netscout) + local rate limiting	Volumetric attack mitigation
Secrets Management	HashiCorp Vault	Encryption keys, DB credentials, tokens
Certificate Mgmt	EJBCA + Let's Encrypt (automated)	TLS certs, code signing
SIEM	Wazuh (open-source)	Security event monitoring, compliance
IDS/IPS	Suricata	Network intrusion detection
Endpoint Protection	CrowdSec + ClamAV	Host-based protection
Vulnerability Scanning	Trivy (containers) + OWASP ZAP (web)	CI/CD security gates
Data Encryption	AES-256-GCM (at rest) + TLS 1.3 (transit)	End-to-end encryption
Audit Logging	Immutable audit logs → Kafka → Elasticsearch	Compliance and forensics
Backup Encryption	Restic + age encryption	Encrypted, deduplicated backups

7.3 Security Compliance Targets¶

ISO 27001:2022 — Information Security Management
NIST Cybersecurity Framework 2.0
OWASP Top 10 — Continuous application security
SOC 2 Type II — For any cloud-hosted components
Iraqi National Cybersecurity Standards (when enacted)