PerspectivesAdvisor

Security Is Not a Blocker

Jannik Frisch/5 min read/April 2026
Security Is Not a Blocker

"This takes longer because of security." I hear this statement often in enterprise projects.
In most cases, the root cause lies in the architecture, not in security itself.

The Misconception

The assumption: Enterprise security costs time. Compliance checks, security reviews, penetration tests, audit trails. All of that takes weeks. So you plan for weeks. At the end of the project. When the code is done.

The result: The security review finds issues. The issues require changes. The changes delay go-live. The timeline breaks. And everyone says: "Security slowed us down."

The real cause: Security treated as an afterthought instead of as part of the architecture.

Security by Design

Security by design reverses the order. Security isn't a phase at the end. Security is an architecture decision at the beginning.

In practice:

Least privilege from day one. Every service, every Lambda function, every container receives only the permissions it needs. No more. IAM roles are defined before the first feature. Not after.

Infrastructure as Code. Every security configuration is versioned, reviewable, and reproducible. No manual clicking in the AWS Console. No ad-hoc changes to security groups. Everything is in code. Everything is in Git.

Encryption by default. Data at rest, data in transit. No exceptions. No "we can do that later." KMS keys are created during project setup, not during the security review.

Network isolation. VPCs, security groups, NACLs. Every service lives in its own network segment. Communication only through defined paths. Anyone who wants to access something must explicitly justify it.

Why Cloud-Native Solves the Problem

On-premise security was genuinely slow. Firewall changes required tickets. Network restructuring required maintenance windows. Certificates required manual installation.

Cloud-native is different. Security configurations are API calls. Changes are deployed in seconds. Rollbacks are a Git revert. The infrastructure is as flexible as the code.

AWS gives us the tools: GuardDuty for anomaly detection. SecurityHub for compliance checks. Config Rules for automated audits. CloudTrail for comprehensive logging.

At the HR Data Hub at Siemens Energy, the system processes HR data from over 150 countries with varying data protection requirements. Security approval for the production environment came within weeks. Not because we took shortcuts, but because encryption by default, least privilege, and network isolation were baked into the architecture from the first line of code.

All of this automated. No manual reviews. No waiting times. Security runs at the same speed as development.

Example: 1,500 AWS Accounts at Siemens

The SE AI Platform at Siemens Energy runs in an enterprise security zone with over 1,500 AWS accounts. Each with its own security requirements. Cross-account access for AI agents. Multi-region deployments. Compliance requirements across different jurisdictions.

The architecture: Central security policies distributed via AWS Organizations.
Service Control Policies that make certain actions impossible in certain accounts, regardless of individual permissions. Cross-account roles with session policies and minimal validity periods.

Result: 120,000 users work with 50 AI models. Hundreds of thousands of messages per day. No security incidents. Not a single go-live was delayed by security.

Not because we ignored security. But because security was part of the architecture from the start.

Self-Healing Security

At Siemens Energy, the security architecture goes one step further: An AI agent monitors the entire infrastructure. It analyzes CloudWatch logs, detects anomalies, and automatically performs root cause analyses.

When a Lambda function produces unexpected errors, the agent analyzes the error,
checks the security configuration, and posts the analysis to Slack. Before a human opens their laptop in the morning, the team already knows what happened and why.

This isn't monitoring. This is active security. A system that heals itself.

What This Means for Architecture Decisions

Three principles that have proven themselves in enterprise projects:

  1. Security is a feature, not a gate. Security requirements belong in user stories. Not in a separate security phase.

  2. Automation beats process. Every security check that can be automated gets automated. Compliance checks in the CI/CD pipeline. Not in a review meeting.

  3. Less trust, more verification. Zero trust isn't a buzzword. It's an architecture decision. Every service must authenticate. Every access is logged. No exceptions.

Conclusion

Enterprise security and speed are not contradictory. They only become contradictory when security is treated as an afterthought rather than as part of the architecture.

Delivering fast. And delivering secure. Not in spite of it. Because of it.

Discover

case-studyHR Data HubSelf-healing in production.serviceCloud InfrastructureSecurity by design.personJannik FrischThe author.
Jannik Frisch
Written by

Jannik Frisch

Profil ansehen →
// Discover more
Case StudyHR Data HubSelf-healing in production.ServiceCloud InfrastructureSecurity by design.PersonJannik FrischThe author.