0
0
HLDsystem_design~25 mins

Why security must be designed in in HLD - Design It to Understand It

Choose your learning style9 modes available
LearnWhyDeepArchPracticeChallengeDesignRecallScale
Design: Security-First System Design
Focus on integrating security principles from the start of system design. Out of scope: detailed cryptographic algorithm design and hardware security modules.
Functional Requirements
FR1: Ensure data confidentiality, integrity, and availability
FR2: Protect user privacy and sensitive information
FR3: Prevent unauthorized access and data breaches
FR4: Comply with relevant security standards and regulations
FR5: Enable secure authentication and authorization
FR6: Detect and respond to security incidents promptly
Non-Functional Requirements
NFR1: System must handle 10,000 concurrent users securely
NFR2: API response latency p99 under 200ms including security checks
NFR3: Availability target of 99.9% uptime
NFR4: Security measures must not degrade user experience significantly
Think Before You Design
Questions to Ask
❓ Question 1
❓ Question 2
❓ Question 3
❓ Question 4
❓ Question 5
❓ Question 6
Key Components
Authentication and Authorization services
Encryption for data at rest and in transit
Secure API gateways and firewalls
Audit logging and monitoring systems
Role-based access control (RBAC)
Security incident and event management (SIEM)
Design Patterns
Defense in Depth
Least Privilege
Fail Secure
Secure by Design
Zero Trust Architecture
Threat Modeling
Reference Architecture
  +-------------------+       +---------------------+       +-------------------+
  |                   |       |                     |       |                   |
  |   Client Devices   +------>+  API Gateway (WAF)  +------>+ Authentication &  |
  |                   |       |                     |       | Authorization Svc |
  +-------------------+       +---------------------+       +---------+---------+
                                                                       |
                                                                       v
                                                             +-------------------+
                                                             |                   |
                                                             |   Application     |
                                                             |     Servers       |
                                                             |                   |
                                                             +---------+---------+
                                                                       |
                                                                       v
                                                             +-------------------+
                                                             |                   |
                                                             |   Database with   |
                                                             |  Encryption at    |
                                                             |    Rest & Audit   |
                                                             +-------------------+

Additional components:
- Monitoring & Logging System
- Security Incident Response
- Role-Based Access Control enforcement
Components
API Gateway with WAF
Nginx + ModSecurity or AWS API Gateway with WAF
Filter and block malicious requests before reaching backend
Authentication & Authorization Service
OAuth 2.0 / OpenID Connect server
Verify user identity and enforce access control
Application Servers
Stateless microservices
Business logic with embedded security checks
Encrypted Database
PostgreSQL with Transparent Data Encryption
Store data securely with encryption and audit logs
Monitoring & Logging System
ELK Stack or Splunk
Collect logs and detect suspicious activities
Role-Based Access Control (RBAC)
Implemented in Auth service and app
Limit user permissions to minimum necessary
Request Flow
1. Client sends request to API Gateway
2. API Gateway filters request using Web Application Firewall rules
3. Request forwarded to Authentication Service to verify user identity
4. Upon successful authentication, Authorization Service checks user permissions
5. Authorized request proceeds to Application Servers for processing
6. Application Servers interact with encrypted Database for data operations
7. All actions are logged and monitored for anomalies
8. Security alerts trigger incident response if suspicious activity detected
Database Schema
Entities: - User(id, username, hashed_password, roles) - Role(id, name, permissions) - Permission(id, name, description) - AuditLog(id, user_id, action, timestamp, resource) Relationships: - User to Role: Many-to-Many - Role to Permission: Many-to-Many - AuditLog linked to User for traceability
Scaling Discussion
Bottlenecks
Authentication service overload under high concurrent login attempts
API Gateway becoming a single point of failure
Database encryption overhead impacting latency
Monitoring system overwhelmed by log volume
Complexity in managing fine-grained access control at scale
Solutions
Use distributed authentication with caching tokens and rate limiting
Deploy multiple API Gateway instances with load balancing
Optimize encryption with hardware acceleration and selective encryption
Implement log sampling and scalable log storage solutions
Adopt attribute-based access control (ABAC) and automate policy management
Interview Tips
Time: Spend 10 minutes understanding security requirements and risks, 20 minutes designing the architecture with security components, 10 minutes discussing scaling and trade-offs, 5 minutes summarizing key points.
Emphasize importance of integrating security from the start to avoid costly fixes later
Discuss defense in depth and least privilege principles
Explain how each component contributes to security goals
Highlight trade-offs between security, performance, and usability
Show awareness of scaling challenges and mitigation strategies