WAF++

Security (Pillar: Security)

The Security pillar of WAF++ defines requirements, principles and measurable controls to protect cloud infrastructure against threats, systematically reduce attack surfaces, and detect and handle security incidents in a verifiable manner.

Security is not optional. It is the fundamental prerequisite of every production-ready cloud platform.

What does the Security Pillar cover?

The Security pillar of WAF++ operationalizes six core domains of cloud security:

Domain | What is controlled? | WAF-SEC Controls
Identity & Access Management | Who is allowed to do what? Roles, MFA, least privilege, service accounts. | WAF-SEC-010, WAF-SEC-020
Encryption | Are data at rest and in transit protected? CMK, TLS, KMS rotation. | WAF-SEC-030, WAF-SEC-040
Network Security | Segmentation, security groups, NACLs, VPC design. | WAF-SEC-050
Secrets Management | No hardcoded credentials. Rotation, dynamic secrets. | WAF-SEC-060
Vulnerability Management | Container scanning, patch SLAs, SBOM, dependency scanning. | WAF-SEC-070
Monitoring & Incident Response | Threat detection, security events, policy-as-code, incident readiness. | WAF-SEC-080, WAF-SEC-090, WAF-SEC-100

Why is Security a standalone pillar?

Security is cross-cutting: it affects all other pillars. Nevertheless it is a standalone discipline because:

  • It requires specific technical controls that no other pillar covers completely

  • It must be measurable and automatically verifiable – not just documented

  • It has regulatory requirements (ISO 27001, BSI C5, GDPR) with concrete evidence obligations

  • Security vulnerabilities have immediate operational consequences – unlike purely strategic pillar topics

Security without technical enforceability is a policy, not a control. Policies in Confluence do not protect production systems.
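What separates a control from a policy is that a machine can evaluate it before the change reaches production. The script below is an added example and not WAF++ code or part of its controls catalog: it reads a Terraform plan in the `terraform show -json tfplan` format and reports resources that violate the intent of WAF-SEC-030 (encryption at rest with a CMK), WAF-SEC-050 (no administrative port open to the whole Internet) and WAF-SEC-060 (no credential written as a literal). The plan document is constructed for the example, and the resource types, attribute names, administrative ports and secret-looking attribute names are assumptions chosen here, not thresholds taken from the WAF++ control texts.

```python
"""Policy-as-code gate over a Terraform plan (added example, not WAF++ code).

Evaluates a `terraform show -json tfplan` document against the intent of
WAF-SEC-030 (CMK at rest), WAF-SEC-050 (no admin port open to the Internet)
and WAF-SEC-060 (no literal credentials). Resource types, attribute names
and the plan below are assumptions chosen for this example.
"""
import json
import re
from ipaddress import ip_network

# Constructed plan; only the fields the checks read are included.
PLAN_JSON = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume", "change": {
        "actions": ["create"], "after": {"encrypted": True,
        "kms_key_id": "arn:aws:kms:eu-central-1:111122223333:key/example"}}},
    # encrypted, but with the provider-managed default key: no CMK
    {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume", "change": {
        "actions": ["create"], "after": {"encrypted": True, "kms_key_id": None}}},
    # SSH reachable from 0.0.0.0/0
    {"address": "aws_security_group.bastion", "type": "aws_security_group", "change": {
        "actions": ["create"], "after": {"ingress": [{"from_port": 22, "to_port": 22,
        "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    # password typed into the .tf file instead of read from a secret store
    {"address": "aws_db_instance.app", "type": "aws_db_instance", "change": {
        "actions": ["create"], "after": {"password": "Sup3rS3cret!",
        "storage_encrypted": True,
        "kms_key_id": "arn:aws:kms:eu-central-1:111122223333:key/example"}}},
    # resource being destroyed: nothing to evaluate
    {"address": "aws_db_instance.old", "type": "aws_db_instance", "change": {
        "actions": ["delete"], "after": None}},
]})

ADMIN_PORTS = {22, 3389}                       # assumption: what counts as "admin"
SECRET_ATTR = re.compile(r"password|secret|token|api_key|private_key", re.IGNORECASE)
# resource type -> (attribute that enables encryption, attribute naming the CMK)
ENCRYPTION_ATTRS = {
    "aws_ebs_volume": ("encrypted", "kms_key_id"),
    "aws_db_instance": ("storage_encrypted", "kms_key_id"),
}


def finding(control, address, detail):
    return {"control": control, "address": address, "detail": detail}


def check_encryption_at_rest(address, rtype, after):
    attrs = ENCRYPTION_ATTRS.get(rtype)
    if attrs is None:
        return []
    flag, cmk = attrs
    if not after.get(flag):
        return [finding("WAF-SEC-030", address, f"{flag} is not enabled")]
    if not after.get(cmk):   # provider-managed key only; WAF-SEC-030 wants a CMK
        return [finding("WAF-SEC-030", address, f"{cmk} is unset, no customer-managed key")]
    return []


def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any prefix of length zero."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_group(address, rtype, after):
    if rtype != "aws_security_group":
        return []
    out = []
    for rule in after.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if not any(_is_world(c) for c in cidrs):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if rule.get("protocol") == "-1":       # all protocols and all ports
            exposed = ["all"]
        if exposed:
            out.append(finding("WAF-SEC-050", address,
                               f"ingress from the Internet on port(s) {exposed}"))
    return out


def check_hardcoded_secrets(address, rtype, after):
    # A value read from a secret store is unknown at plan time and does not
    # appear in `after`; a string literal here was written into the code.
    return [finding("WAF-SEC-060", address, f"literal value for attribute {key!r}")
            for key, value in after.items()
            if SECRET_ATTR.search(key) and isinstance(value, str) and value]


CHECKS = (check_encryption_at_rest, check_security_group, check_hardcoded_secrets)


def evaluate(plan_json):
    """Return all findings for a plan document; an empty list means the gate passes."""
    results = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if not after:                          # destroyed resource, no planned state
            continue
        for check in CHECKS:
            results.extend(check(rc["address"], rc["type"], after))
    return results


if __name__ == "__main__":
    found = evaluate(PLAN_JSON)
    for f in found:
        print(f"{f['control']}  {f['address']}: {f['detail']}")
    raise SystemExit(1 if found else 0)        # non-zero exit blocks the apply stage
```

Run it between `terraform plan -out tfplan` and `terraform apply` so that a non-zero exit stops the pipeline. Two caveats: the plan JSON contains sensitive values in clear text, so the plan file itself must be handled as a secret; and a literal credential that a resource reads from a variable with a default in the `.tf` files still shows up as a literal in `after`, which is exactly why the check is done on the plan rather than on the source.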

Demarcation from other pillars

  • Sovereign addresses: jurisdictional control, data sovereignty, exit capability, key ownership.

  • Governance addresses: policies, decision processes, compliance frameworks, audit processes.

  • Operations addresses: change management, observability, runbooks, monitoring infrastructure.

  • Security addresses: attack protection, access control, encryption, vulnerability management, incident detection.

The Security pillar delivers the technical security controls on which Sovereign and Governance build.

Quick Overview: 10 WAF-SEC Controls

Control ID | Title | Severity | Category
WAF-SEC-010 | Identity & Access Management Baseline | Critical | IAM
WAF-SEC-020 | Least Privilege & RBAC Enforcement | Critical | IAM
WAF-SEC-030 | Encryption at Rest with CMK | High | Encryption
WAF-SEC-040 | Encryption in Transit – TLS Enforcement | High | Encryption
WAF-SEC-050 | Network Segmentation & Security Group Hardening | High | Network Security
WAF-SEC-060 | Secrets Management – No Hardcoded Credentials | Critical | Secrets
WAF-SEC-070 | Vulnerability & Patch Management | Medium | Vulnerability Management
WAF-SEC-080 | Security Monitoring & Threat Detection | High | Monitoring
WAF-SEC-090 | Policy-as-Code & Compliance Automation | Medium | Compliance
WAF-SEC-100 | Incident Response Readiness | Medium | Incident Response

Key Metrics at a Glance

Metric | Value
Total Controls | 10 (WAF-SEC-010 to WAF-SEC-100)
Critical Controls | 3 (WAF-SEC-010, WAF-SEC-020, WAF-SEC-060)
Best Practices | 7
Maturity Levels | 5 (Level 1 Ad-hoc to Level 5 Optimized)
Regulatory Mappings | ISO 27001:2022, BSI C5:2020, GDPR, SOC 2 Type II, NIST CSF
Degree of Automation | High (7 of 10 controls fully automatable)

Navigation Overview

Page | Content
Definition | What Security means in the WAF++ context; Security vs. Compliance; Security spectrum
Scope | What is in scope (IaC, CI/CD, containers); what is not (OWASP Top 10, physical security)
Security Principles | 7 core principles (SP-1 to SP-7): Security by Design, Least Privilege, Zero Trust …
Design Principles | Technical architecture principles: network, IAM, encryption, secrets, logging, containers
Responsibilities | Shared Responsibility Model; Platform vs. Dev vs. Security Team; Security as Code
Design Patterns | 6 proven security architecture patterns with implementation guidance
Controls Catalog | All 10 WAF-SEC controls at a glance with severity, category and links
Maturity Model | 5-level maturity model with assessment checklists and organization profiles
Evidence & Audit | Which evidence for which control; audit checklist; retention periods
Glossary | 20+ security terms from the WAF++ context
Best Practices | 7 concrete best practices with Terraform examples and anti-patterns

Getting Started

New to the Security pillar? Recommended reading order:

  1. Definition – What is Security in the WAF++ context?

  2. Scope – What is in scope and what is not?

  3. Security Principles – Understand the 7 core principles

  4. WAF-SEC-010 – Implement Identity & Access Management Baseline

  5. WAF-SEC-020 – Introduce Least Privilege & RBAC

  6. Maturity Model – Self-assessment: Where does my organization stand?

  7. Best Practices – Concrete implementation guides

Start with WAF-SEC-010 and WAF-SEC-020. Without a solid IAM foundation all other security controls are ineffective. An attacker with admin access can disable all other controls.

The Security pillar relies on Infrastructure-as-Code. All controls are aligned to IaC-managed infrastructure. Manually created resources are by definition non-compliant.
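"Manually created resources are non-compliant" only becomes a control once something checks for them. The script below is an added example, not WAF++ code: it walks a Terraform state in the `terraform show -json` format (including nested modules), collects the cloud resource IDs Terraform manages, and diffs them against an inventory of what actually exists in the account. Both the state document and the inventory are constructed here; in practice the inventory would come from the provider's describe/list APIs or an asset inventory service, and the resource types are assumptions chosen for the example.

```python
"""Reconcile Terraform state with a cloud inventory (added example, not WAF++ code).

A resource that exists in the account but not in any Terraform state was
created outside IaC and is non-compliant; a resource in state but absent
from the account was deleted out of band. Both inputs are constructed.
"""
import json

# Constructed `terraform show -json` state with one child module.
STATE_JSON = json.dumps({"format_version": "1.0", "values": {"root_module": {
    "resources": [
        {"address": "aws_security_group.app", "type": "aws_security_group",
         "values": {"id": "sg-0a1b2c3d"}},
    ],
    "child_modules": [{
        "address": "module.db",
        "resources": [
            {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance",
             "values": {"id": "app-db-prod"}},
        ],
        "child_modules": [],
    }],
}}})

# Constructed inventory of (resource type, cloud ID); in practice gathered
# from describe-*/list-* calls or an asset inventory service.
INVENTORY = [
    ("aws_security_group", "sg-0a1b2c3d"),
    ("aws_security_group", "sg-ffee0011"),   # created by hand in the console
    ("aws_db_instance", "app-db-prod"),
]


def managed_ids(state_json):
    """Return the set of (type, id) for every resource instance in the state,
    recursing through child modules so nested module resources are not missed."""
    state = json.loads(state_json)
    found = set()

    def walk(module):
        for res in module.get("resources", []):
            rid = (res.get("values") or {}).get("id")
            if rid is not None:
                found.add((res["type"], rid))
        for child in module.get("child_modules", []):
            walk(child)

    walk(state.get("values", {}).get("root_module", {}))
    return found


def reconcile(state_json, inventory):
    """Diff the IaC-managed resources against what exists in the account."""
    managed = managed_ids(state_json)
    live = set(inventory)
    return {
        "unmanaged": sorted(live - managed),   # in the cloud, unknown to IaC: non-compliant
        "missing": sorted(managed - live),     # in state, gone from the cloud: out-of-band delete
    }


if __name__ == "__main__":
    report = reconcile(STATE_JSON, INVENTORY)
    for kind, items in report.items():
        for rtype, rid in items:
            print(f"{kind:10} {rtype} {rid}")
    raise SystemExit(1 if report["unmanaged"] else 0)   # unmanaged resources fail the check
```

With several state files (one per workspace or environment), union the results of `managed_ids` over all of them before diffing, otherwise resources managed by another state show up as false positives. The check is deliberately keyed on the provider-assigned ID rather than on tags, because tags can be added by hand to make a console-created resource look managed.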