Security, Deployment, and Tradeoffs
This page synthesizes themes that often get folded into late-stage reviews: trust, delivery safety, and recorded reasoning. It overlaps the dedicated library sections intentionally; read those for depth, since this page does not repeat every control.
Trust Boundaries and Data Flow
Draw explicit boundaries: public Internet, DMZ/API gateway, internal mesh, CI runners, laptops, SaaS admins. Enumerate the data classes crossing each boundary (PII, credentials, signing keys) and the control that applies at each crossing (authentication, encryption in transit, logging). A crossing that carries sensitive data with no named control is a finding, not a diagram detail.
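The boundary-and-data-class inventory above can be checked mechanically once it is written down. The following is an added example, not code from the page: the trust levels, the rules, and the sample flows are all constructed for illustration, and a real review would replace them with the organization's own zones and policy.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed trust levels for the demo; equal levels mean "no boundary crossed".
TRUST = {"internet": 0, "dmz": 1, "laptops": 1, "saas_admin": 1,
         "ci_runners": 2, "internal_mesh": 3}
SENSITIVE = {"pii", "credentials", "signing_keys"}


@dataclass
class Flow:
    name: str
    src: str
    dst: str
    data: set            # data classes carried across the flow
    tls: bool = False
    authenticated: bool = False


def crosses_boundary(flow: Flow) -> bool:
    return TRUST[flow.src] != TRUST[flow.dst]


def findings(flows: list) -> list:
    """One string per violated rule; flows inside a single zone are ignored."""
    out = []
    for f in flows:
        if not crosses_boundary(f):
            continue
        carried = f.data & SENSITIVE
        if carried and not f.tls:
            out.append(f"{f.name}: {sorted(carried)} cross {f.src}->{f.dst} in cleartext")
        if f.data & {"pii", "signing_keys"} and not f.authenticated:
            out.append(f"{f.name}: caller is not authenticated")
        if "signing_keys" in f.data and f.dst != "internal_mesh":
            out.append(f"{f.name}: signing keys leave the mesh for {f.dst}")
        if "credentials" in f.data and f.dst in {"laptops", "saas_admin"}:
            out.append(f"{f.name}: credentials sent to a low-trust endpoint ({f.dst})")
    return out


# Constructed review input: a login, an internal call, a CI key fetch,
# a metrics export to a SaaS vendor, and an engineer's debug dump.
SAMPLE_FLOWS = [
    Flow("browser_login", "internet", "dmz", {"credentials"}, tls=True),
    Flow("gateway_to_orders", "dmz", "internal_mesh", {"pii"}, tls=True, authenticated=True),
    Flow("ci_fetch_signing_key", "internal_mesh", "ci_runners", {"signing_keys"},
         tls=True, authenticated=True),
    Flow("metrics_export", "internal_mesh", "saas_admin", {"pii"}, tls=False, authenticated=True),
    Flow("admin_debug_dump", "internal_mesh", "laptops", {"credentials", "pii"}, tls=True),
]

if __name__ == "__main__":
    for line in findings(SAMPLE_FLOWS):
        print(line)
```

The useful property is that flows inside one zone produce nothing, so the output is exactly the list of crossings the review has to discuss.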
Authentication and Authorization
Prefer centralized OIDC/OAuth flows compatible with SSO where possible. Authenticate callers (verify the signature, issuer, audience, and expiry on every token, and reject unexpected algorithms); then authorize every sensitive action via policy (RBAC, ABAC, or scoped tokens). A valid identity is necessary but not sufficient.
Pointers: Security overview, DevSecOps overview.
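To make the "authenticate, then authorize per action" split concrete, here is an added example that is not part of the page. It builds and verifies an HS256-style token with the standard library so it runs offline; a real OIDC deployment verifies an RS256/ES256 signature against the issuer's published keys instead of a shared secret. The issuer, audience, scope names and key are assumed values for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sso.example.internal"   # assumed
AUDIENCE = "orders-api"                    # assumed
SHARED_KEY = b"demo-only-key"              # assumed; never hard-code a real key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(sub, scopes, ttl=300, key=SHARED_KEY, now=None):
    """Mint a token the way the demo issuer would (HS256, stand-in for OIDC)."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
              "scope": " ".join(scopes), "iat": int(now), "exp": int(now) + ttl}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def authenticate(token, key=SHARED_KEY, now=None):
    """Return verified claims or raise ValueError: alg, signature, iss, aud, exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_unb64(h))
    if header.get("alg") != "HS256":          # rejects alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Assumed policy: each sensitive action names the scope it requires.
REQUIRED_SCOPE = {"orders:read": "orders.read", "orders:refund": "orders.refund"}


def authorize(claims, action) -> bool:
    """Identity alone grants nothing; the action's scope must be present."""
    granted = set(claims.get("scope", "").split())
    return REQUIRED_SCOPE[action] in granted


def handle(token, action, key=SHARED_KEY, now=None):
    """Gateway-style entry point: (status, reason)."""
    try:
        claims = authenticate(token, key, now)
    except ValueError as exc:
        return 401, str(exc)
    if not authorize(claims, action):
        return 403, f"missing scope {REQUIRED_SCOPE[action]}"
    return 200, claims["sub"]
```

Note the order: a token that fails any authentication check gets 401 before the scope is even looked at, and a perfectly valid token still gets 403 for an action outside its scopes.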
Secrets and Credential Hygiene
Never bake long-lived secrets into images or repos. Prefer vaults or managed secret managers, short-lived workload identity (for example, OIDC federation from CI instead of static keys), and rotation playbooks. Scan repos and packages for leakage before merge and before publish; map break-glass paths and who may exercise them.
Evidence-oriented reading: Audit fieldwork and evidence.
Encryption
Encrypt in transit (TLS everywhere data leaves a trust island). Encrypt sensitive data at rest consistent with regulatory and contractual baselines. Design the key lifecycle: rotation, revocation, and KMS ownership. Version keys so that rotation does not force an immediate bulk re-encrypt, and revoke an old version only after everything it protects has been re-encrypted; otherwise rotation becomes data loss.
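The rotate / re-encrypt / revoke ordering is easy to state and easy to get wrong, so here is an added example (not from the page) that models it. The key ring is a local stand-in for a KMS: each version has a state, ciphertext carries its version id, and revocation is refused while objects still depend on that version. The cipher is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), chosen only so the example runs on the standard library; with a real KMS you would use AES-GCM and the KMS would own the key material.

```python
import hashlib
import hmac
import os


class KeyRing:
    """Stand-in KMS: versioned keys with active / decrypt_only / revoked states."""

    def __init__(self):
        self.versions = {}   # id -> {"key": bytes | None, "state": str}
        self.in_use = {}     # id -> number of ciphertexts still depending on it
        self.active = None
        self.rotate()

    def rotate(self):
        """New writes use the new version; the old one stays readable."""
        vid = len(self.versions) + 1
        if self.active is not None:
            self.versions[self.active]["state"] = "decrypt_only"
        self.versions[vid] = {"key": os.urandom(32), "state": "active"}
        self.in_use.setdefault(vid, 0)
        self.active = vid
        return vid

    def revoke(self, vid):
        """Destroy a version; refused while data still depends on it."""
        if self.in_use.get(vid, 0) > 0:
            raise RuntimeError(f"v{vid} still protects {self.in_use[vid]} objects; re-encrypt first")
        if vid == self.active:
            raise RuntimeError("rotate before revoking the active version")
        self.versions[vid] = {"key": None, "state": "revoked"}

    @staticmethod
    def _keystream(key, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        vid, key, nonce = self.active, self.versions[self.active]["key"], os.urandom(16)
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
        self.in_use[vid] += 1
        return vid.to_bytes(2, "big") + nonce + body + tag   # version travels with the data

    def decrypt(self, blob: bytes) -> bytes:
        vid = int.from_bytes(blob[:2], "big")
        entry = self.versions.get(vid)
        if entry is None or entry["state"] == "revoked":
            raise PermissionError(f"key v{vid} is revoked or unknown")
        nonce, body, tag = blob[2:18], blob[18:-32], blob[-32:]
        expected = hmac.new(entry["key"], b"tag" + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("tag mismatch")
        return bytes(a ^ b for a, b in zip(body, self._keystream(entry["key"], nonce, len(body))))

    def reencrypt(self, blob: bytes) -> bytes:
        """Move one object from its old version to the active one; run before revoke."""
        old = int.from_bytes(blob[:2], "big")
        plaintext = self.decrypt(blob)
        self.in_use[old] -= 1
        return self.encrypt(plaintext)


def lifecycle_demo() -> dict:
    """Walk the ordering: rotate, keep reading, refuse early revoke, re-encrypt, revoke."""
    kr = KeyRing()
    old = kr.encrypt(b"card-on-file 4111")
    kr.rotate()
    readable_after_rotate = kr.decrypt(old) == b"card-on-file 4111"
    try:
        kr.revoke(1)
        premature_revoke_blocked = False
    except RuntimeError:
        premature_revoke_blocked = True
    new = kr.reencrypt(old)
    kr.revoke(1)
    try:
        kr.decrypt(old)
        old_readable_after_revoke = True
    except PermissionError:
        old_readable_after_revoke = False
    flipped = new[:-1] + bytes([new[-1] ^ 1])
    try:
        kr.decrypt(flipped)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"readable_after_rotate": readable_after_rotate,
            "premature_revoke_blocked": premature_revoke_blocked,
            "old_readable_after_revoke": old_readable_after_revoke,
            "new_version": int.from_bytes(new[:2], "big"),
            "new_readable": kr.decrypt(new) == b"card-on-file 4111",
            "tamper_rejected": tamper_rejected}
```

The `in_use` counter is the design point: a KMS will happily destroy a key version on request, so the "nothing still depends on it" check has to live in your inventory of encrypted objects, and the review should ask where that inventory is.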
Safe Deployment and Rollback
Treat deploys as controlled experiments: progressive exposure, observable health checks, documented rollback. Automate the rollback prerequisites (database backward compatibility, dual-write phases when needed) and check them before the rollout starts, not at the moment a rollback is needed.
Deep dive: Deployment strategies — blue/green, canary, feature flags. Pair deployment policy with pipelines in CI/CD.
If the design requires forward-only migrations, document the window during which rollback is impossible and how incidents inside that window escalate.
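The two points above, a rollback prerequisite checked up front and progressive exposure that rolls back on a health breach, fit in one small controller. This is an added example, not code from the page or from any deployment tool: the migration list, the traffic steps, the thresholds and the health observations are constructed for the demo. In practice `set_weight` would call your load balancer or service mesh, `observe` would read SLO metrics after a bake period of minutes, and the comparison would be against the baseline cohort running the old version, which is what the code does here.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    requests: int
    errors: int

    def rate(self) -> float:
        return self.errors / self.requests if self.requests else 0.0


def canary_unhealthy(canary, baseline, max_abs=0.02, max_ratio=2.0, min_requests=200):
    """Judge the canary against the baseline cohort, not a fixed number alone.
    Returns None while there is too little traffic to decide either way."""
    if canary.requests < min_requests:
        return None
    floor = max(baseline.rate(), 0.001)   # a zero baseline must not make any error fatal
    return canary.rate() > max_abs or canary.rate() > max_ratio * floor


def preflight(migrations):
    """Rollback prerequisite: the previous binary must still be able to read the schema."""
    forward_only = [m["name"] for m in migrations if not m["backward_compatible"]]
    return f"forward-only migrations present: {forward_only}" if forward_only else None


def rollout(set_weight, observe, migrations, steps=(1, 10, 50, 100)):
    """set_weight(pct) shifts traffic to the new version; observe(pct) returns
    (canary, baseline) samples after the bake period."""
    blocked = preflight(migrations)
    if blocked:
        return ("refused", blocked)        # do not start what you cannot undo
    for pct in steps:
        set_weight(pct)
        canary, baseline = observe(pct)
        verdict = canary_unhealthy(canary, baseline)
        if verdict is None:
            return ("held", pct, "insufficient traffic to judge")
        if verdict:
            set_weight(0)                  # rollback: all traffic back to the old version
            return ("rolled_back", pct, canary.rate())
    return ("promoted", 100)


# Constructed observations and migrations for the demo.
def healthy(pct):
    return Sample(5000, 20), Sample(50000, 250)          # 0.4% vs 0.5% baseline


def breaks_at_scale(pct):
    if pct < 50:
        return Sample(5000, 5), Sample(50000, 250)
    return Sample(20000, 900), Sample(50000, 250)        # 4.5%: pool exhaustion only under real load


COMPATIBLE = [{"name": "add_orders_index", "backward_compatible": True}]
BREAKING = COMPATIBLE + [{"name": "drop_legacy_column", "backward_compatible": False}]


def run(observe, migrations):
    """Return (result, weights applied) so a reviewer can see the exposure path."""
    weights = []
    result = rollout(weights.append, observe, migrations)
    return result, weights
```

The `breaks_at_scale` case is the one progressive exposure exists for: the failure is invisible at 1% and 10% and only shows at 50%, which is still half the blast radius of a big-bang deploy. The `refused` outcome is the forward-only migration case from the text, surfaced before any traffic moves rather than discovered mid-incident.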
Recording Tradeoffs and Rejected Alternatives
Design reviews too often converge on a diagram without the constraints spelled out. Record the chosen tradeoffs, the risks accepted, and the options you deliberately did not pursue (“we rejected X because of latency budget Y”). Readers six months later need the reasoning chain, not just the outcome.
Practice context: Practices overview — facilitation, disagreement, stakeholder alignment. Operational readiness gates: Service readiness checklist.
Communication and Complexity Budget
Prefer the minimal set of moving parts that matches team skill and on-call breadth. The operational complexity tax deserves the same skepticism as raw hardware cost. Excess optional components fail first under partial staffing.
Related: Fault tolerance, Observability for systems, design review checklist.