Information Security Architecture in Archi: Threats, Controls, and Zones

Introduction: Why Security Architecture in Archi?

As organizations navigate increasing digital risk and regulatory obligations (GDPR, ISO 27001, NIS2, DORA), information security can no longer remain a siloed responsibility. It must be modeled, analyzed, and embedded into the enterprise architecture. Archi, as a lightweight yet powerful ArchiMate modeling tool, is an excellent platform for documenting and visualizing information security.

This guide explores how to model threats , controls , and security zones in Archi, using practical ArchiMate constructs, tagging strategies, and scripting techniques to build a governance-ready security architecture.

Core Security Concepts in Enterprise Architecture

Security architecture is more than firewalls and encryption. It spans business, application, and technology layers, covering:

  • Assets: What are we protecting? (e.g., data, services, users)
  • Threats: What could go wrong? (e.g., DDoS, breach, insider misuse)
  • Vulnerabilities: What are the weaknesses? (e.g., unpatched software)
  • Controls: What defenses are in place? (e.g., MFA, access control)
  • Zones: Where are the boundaries and trust levels?
  • Compliance: What rules apply? (e.g., ISO, GDPR, local laws)

Using ArchiMate in Archi for Security

Key ArchiMate Elements

  • Technology Node , Device – represent firewalls, servers, routers
  • Application Service , Interface – expose attack surfaces
  • Data Object , Artifact – represent protected assets
  • Access , Association – model control paths and access policies
  • Business Role , Actor – model threat actors or control owners
  • Grouping – define security zones, domains, or environments

Tagged Values for Security Modeling

Use custom tags to capture key security properties: 

- Sensitivity: High / Medium / Low
- Classification: Confidential / Internal / Public
- Owner: DPO, CISO, IT Admin
- Encryption: AES256, TLS1.3
- ControlStatus: Implemented / Planned / Missing

Defining and Modeling Threats

Types of Threat Actors

  • External: Hackers, cybercriminals, competitors
  • Internal: Rogue employees, misconfigured admins
  • Systemic: Power outage, hardware failure, software bugs

Modeling Threats in Archi

  • Create Business Actor or Assessment elements for threats
  • Tag with ThreatType , Likelihood , Impact
  • Use Flow or Access relationships to show attack vectors
  • Connect to vulnerable elements (e.g., unprotected interfaces)

Security Zones and Trust Boundaries

Why Zones Matter

Security zones define logical or physical boundaries that separate parts of the IT environment based on trust, access, and exposure.

  • DMZ: Semi-trusted public-facing systems
  • Internal Zone: Core systems and databases
  • Restricted Zone: Highly confidential systems
  • Partner Zone: Controlled access for third parties

Modeling Zones in Archi

  • Use Grouping or Location to represent zones
  • Assign elements to zones using Composition
  • Use color coding or overlays for easy visualization
  • Add tags like ZoneType , TrustLevel , AccessControl

Modeling Security Controls

Control Types

  • Preventive: Firewalls, encryption, access rules
  • Detective: Logging, intrusion detection
  • Corrective: Backup, rollback, incident response

Implementing Controls in Archi

  • Create Application Function or Requirement for each control
  • Tag with ControlID , ControlType , MappedTo
  • Link controls to threats (mitigates), assets (protects), and processes (monitors)

Security Modeling Patterns in Archi

1. Threat Mitigation Chain 

Threat → System → Control → Requirement

2. Zone-to-Zone Interface Security

  • Group elements into zones
  • Model data flow or service exposure between zones
  • Assign controls to crossing points (firewalls, proxies, API gateways)

3. Compliance and Control Mapping

  • Create packages for ISO 27001 or NIST categories
  • Link controls to compliance requirements
  • Generate traceability matrices and coverage reports

Auditing and Reporting in Archi

Using jArchi Scripts

  • List systems without security zones: 
    • 
model.find("element").filter(e => e.type == "TechnologyNode" && !e.parent).forEach(e => {
    console.log("No zone: " + e.name);
});
  • Find missing encryption: 
    • 
model.find("element").filter(e => e.get("Encryption") == null).forEach(e => {
    console.log("Missing encryption: " + e.name);
});

Exporting Data for Stakeholders

  • Export security view to HTML for awareness
  • Generate CSV for risk registers or audits
  • Create view-based snapshots for change tracking

Governance and Control Validation

Checklist for Secure Modeling

  • Are all critical systems assigned to a zone?
  • Do all services have defined controls?
  • Are risks documented and traceable?
  • Are control owners assigned?
  • Can auditors trace requirements to controls?

Conclusion: Security as an Integral Architecture Discipline

Information security architecture is not about “locking things down.” It’s about making risk visible , controls traceable , and responsibility actionable . Archi, with ArchiMate and jArchi scripting, gives you a clear, collaborative, and scalable way to model and govern your security landscape.

Whether building compliance maps, visualizing exposure, or planning risk mitigation — a structured approach in Archi delivers clarity, control, and confidence.

Keywords/Tags

  • security architecture in Archi
  • modeling threats in ArchiMate
  • Archi security zones DMZ
  • jArchi security audit script
  • ArchiMate for ISO 27001 controls
  • data flow protection Archi
  • firewall and encryption modeling
  • Archi compliance diagramming
  • risk control mapping in Archi
  • secure system design modeling