Architecture Operating Model
Architecture Operating Model 2025-2035
From documentation to a living operating system
Pressure factors
- AI demand
- DORA (EU Digital Operational Resilience Act), applicable from 17 January 2025
- NIS2
Architecture as Operating System
Policy as Code, Zero Trust, Telemetry
Outcomes
- License to operate
- Operational resilience
- Digital sovereignty
Federated organisation
- Positioned under the COO or Transformation
- Clear RACI
- Autonomy within guardrails
Automated control plane
- Policy as Code with OPA and Kyverno
- Zero Trust: CI and CD gates
- API gateway as PEP
Value stream integration
- Capability Map linked to OKRs
- FinOps tagging
- Telemetry reported to the business
Days 1-30, Baseline and Telemetry
- DF baseline
- SaaS discovery
Days 31-60, MVA and PaC
- 5-7 guardrails in audit mode
- API linting
Days 61-90, Enforce and quick wins
- Tagging enforced
- SaaS rationalisation

DORA metrics (dashboard defaults; the page states no units). These are the DevOps Research and Assessment delivery metrics, not the EU DORA regulation listed under the pressure factors.
- DF, Deployment Frequency: 35
- LT, Lead Time: 12
- CFR, Change Failure Rate: 8
- MTTR, Mean Time to Restore: 45
Policy families and the stages at which they are enforced
- OPA Rego: CI, CD
- Kyverno YAML: CD, Runtime
- Infracost policy: CI
- API linting (Spectral): CI
- SBOM checks (CycloneDX): CI, Runtime
OPA Rego (CI, CD): FinOps guardrail evaluated against a Terraform plan. The page's version referenced `denied_skus` without defining it and used pre-1.0 rule syntax; both are fixed here.

```rego
package terraform.azure.finops

import rego.v1

# Illustrative deny-list of expensive SKUs for dev; adjust to your own estate.
denied_skus := {"Standard_E64s_v5", "Standard_M128s", "Standard_NC24ads_A100_v4"}

# A VM without an environment tag never matches this rule; require the tag
# in a separate rule (see "Tagging enforced" in days 61-90) so untagged
# resources cannot slip past the guardrail. Windows VMs and scale sets need
# their own resource types added.
deny contains msg if {
  resource := input.resource_changes[_]
  resource.type == "azurerm_linux_virtual_machine"
  resource.change.after.tags.environment == "dev"
  denied_skus[resource.change.after.size]
  msg := sprintf("FinOps Policy Violation: disallow %v in dev.", [resource.change.after.size])
}
```

Run it against the JSON form of the plan (`terraform show -json tfplan > tfplan.json`) with `opa eval -i tfplan.json -d finops.rego "data.terraform.azure.finops.deny"`; a non-empty result fails the pipeline step.

Kyverno (CD, Runtime): block root containers at admission.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-root-user
spec:
  # Roll out as Audit first (days 31-60) and switch to Enforce once violations are fixed.
  validationFailureAction: Enforce
  rules:
  - name: validate-runasnonroot
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "Root containers are not allowed"
      pattern:
        spec:
          containers:
          # =( ) is a conditional anchor: if runAsNonRoot is set it must be true;
          # runAsUser must be present and non-zero. initContainers and
          # ephemeralContainers are not covered by this pattern.
          - securityContext:
              =(runAsNonRoot): true
              runAsUser: ">0"
```

Infracost policy (CI): cap expensive instance types in dev.

```yaml
version: 0.1
policies:
- name: cap-dev-skus
  description: cap expensive instance types in dev
  severity: high
  rule: |
    resources.where(r, r.tags.environment == "dev" && r.monthlyCost > 200).count() == 0
```

The rule expression is the page's own schematic notation rather than a documented Infracost policy syntax; in practice the same check runs over the cost breakdown (`infracost breakdown --format json`) with OPA or Conftest, or as an Infracost Cloud policy.
API linting (Spectral, CI). The page's ruleset had two defects: `spectral:recommended` is not a ruleset Spectral ships (the built-in OpenAPI ruleset is `spectral:oas`), and `no-http` and `security-schemes-required` do not exist there, so assigning them a severity did nothing. Defined as custom rules, with valid JSONPath (`[*]` rather than `[]`):

```yaml
extends: spectral:oas
rules:
  # every server URL must be https
  no-http:
    severity: error
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: "^https://"
  # every operation must declare a security requirement
  security-schemes-required:
    severity: error
    given: $.paths[*][get,put,post,delete,patch]
    then:
      field: security
      function: truthy
  # the OAuth2 requirement must list at least one scope;
  # "OAuth2" must match the key under components.securitySchemes
  require-oauth2-scopes:
    severity: error
    given: $.paths[*][*].security[*].OAuth2
    then:
      function: length
      functionOptions:
        min: 1
```

A root-level `security` requirement, or an explicitly empty `security: []` on an operation, is not covered by these rules; add a rule for each if your API style allows them.
cyclonedx-policy.toml, simple SBOM gating example

```toml
[policy]
min_severity_block = "high"   # block high and critical
allow_licenses = ["MIT", "Apache-2.0", "BSD-3-Clause"]

[checks]
# fail the build if any component vulnerability severity >= high (see min_severity_block)
require_purl = true       # require a purl for traceability
no_unversioned = true     # disallow components without a version
```

This file is the page's own illustrative format: the CycloneDX project defines the SBOM and VEX documents, not a gating configuration, so these rules have to be implemented by the gate tooling (for example Dependency-Track policies or a scanner's fail-on-severity option).
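How such a gate is applied, as an added example in Python (not code from the page or from the CycloneDX project): it reads a CycloneDX JSON SBOM with merged vulnerability entries and returns the list of violations. The SBOM, its components and the vulnerability ids are constructed for the example; the policy dict mirrors the TOML above. Ratings the gate cannot interpret rank above critical, so unreadable scanner output blocks rather than passes.

```python
import json
import sys

# Mirrors cyclonedx-policy.toml above as a dict (load the real file with tomllib on 3.11+).
POLICY = {
    "policy": {
        "min_severity_block": "high",
        "allow_licenses": ["MIT", "Apache-2.0", "BSD-3-Clause"],
    },
    "checks": {"require_purl": True, "no_unversioned": True},
}

# CycloneDX ratings use these severities; anything else (or a missing rating) is
# ranked above critical so the gate fails closed on output it cannot interpret.
SEVERITY_RANK = {"none": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = 5

# Constructed SBOM (CycloneDX 1.5 JSON shape) with deliberate defects and constructed
# vulnerability ids, so that every rule in the policy fires at least once.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "lib-left-pad", "type": "library", "name": "left-pad",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"bom-ref": "pkg:npm/lodash@4.17.20", "type": "library", "name": "lodash",
         "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
        {"id": "VULN-EXAMPLE-2", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:pypi/requests@2.31.0"}]},
    ],
})


def severity_rank(severity):
    return SEVERITY_RANK.get(str(severity or "").lower(), UNKNOWN_RANK)


def worst_severity(vuln):
    # Several sources may rate one finding; the gate takes the worst of them.
    ratings = vuln.get("ratings") or [{}]
    return max(severity_rank(r.get("severity")) for r in ratings)


def component_license_ids(component):
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        # SPDX expressions and free-text names are returned verbatim; they will not
        # match the allow list, so unresolved licensing fails closed.
        ids.append(lic.get("id") or entry.get("expression") or lic.get("name") or "unknown")
    return ids or ["unknown"]


def gate(sbom, policy=POLICY):
    """Apply the policy; returns the list of violations (empty means the build may proceed)."""
    violations = []
    allowed = set(policy["policy"]["allow_licenses"])
    block_level = policy["policy"]["min_severity_block"]
    block_at = severity_rank(block_level)
    checks = policy["checks"]
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name")
        if checks.get("require_purl") and not comp.get("purl"):
            violations.append(f"{ref}: missing purl")
        if checks.get("no_unversioned") and not comp.get("version"):
            violations.append(f"{ref}: missing version")
        for lic in component_license_ids(comp):
            if lic not in allowed:
                violations.append(f"{ref}: licence {lic} not in allow list")
    for vuln in sbom.get("vulnerabilities", []):
        if worst_severity(vuln) >= block_at:
            refs = ", ".join(a.get("ref", "?") for a in vuln.get("affects", []))
            violations.append(f"{vuln.get('id')}: severity >= {block_level}, affects {refs}")
    return violations


def gate_file_contents(sbom_json, policy=POLICY):
    return gate(json.loads(sbom_json), policy)


if __name__ == "__main__":
    problems = gate_file_contents(SBOM_JSON)
    for problem in problems:
        print("DENY", problem)
    sys.exit(1 if problems else 0)
```

In CI the script's exit code is the gate; the returned violation list is also the evidence record to attach to the build so the "CI: SBOM scan" evidence source carries the reason for a block, not just the fact of one.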
API Gateway as Policy Enforcement Point
Client (app, agent, service) → API Gateway (PEP) → Service (domain API)
Gateway functions: AuthN (OIDC, mTLS), AuthZ (OPA), rate limiting, schema validation, threat detection.
Enforcement points: CI spec linting, CD policy checks, runtime gateway decisions.
Gateway variants (vendor): Kong, Apigee, Azure APIM, Istio. Indicative; integrate OPA via ext-auth where the gateway has no native OPA support, and ship evidence to the SIEM via the gateway's audit logs and OPA's decision logs.
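The per-request decision such a PEP makes, as an added example in Python (not code from the page or from any of the gateways listed): it verifies the bearer token, checks the OAuth2 scope the route requires, and emits one decision-log record per request for the SIEM. Assumed for the example: HS256 with a constructed shared secret so it runs offline (a real OIDC integration verifies RS256/ES256 signatures against the issuer's JWKS), the issuer `https://idp.example`, the audience `api.example`, and a two-route scope table; `mint_token` exists only to construct test input.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed identity-provider settings and a constructed shared secret.
ISSUER = "https://idp.example"
AUDIENCE = "api.example"
SECRET = b"constructed-example-secret-do-not-reuse"

# Route table (assumed): the OAuth2 scope each operation requires. The Spectral
# rule require-oauth2-scopes makes sure the spec declares one per operation.
ROUTES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=SECRET):
    """What the IdP would issue; used here only to construct test input."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token, now, secret=SECRET):
    """Return the claims or raise ValueError. The algorithm is pinned to HS256 and the
    header is never consulted, so the token cannot downgrade it through `alg`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def decide(method, path, token, now=None):
    """PEP decision for one request: returns (allow, decision_log).
    decision_log is the evidence record shipped to the SIEM; every deny carries a reason."""
    now = time.time() if now is None else now
    log = {"ts": now, "method": method, "path": path, "decision": "deny"}
    required = ROUTES.get((method, path))
    if required is None:
        log["reason"] = "unknown route"
        return False, log
    try:
        claims = verify_token(token, now)
    except ValueError as err:  # covers bad base64 and bad JSON as well
        log["reason"] = f"authn: {err}"
        return False, log
    log["sub"] = claims.get("sub")
    granted = set(str(claims.get("scope", "")).split())
    if required not in granted:
        log["reason"] = f"authz: missing scope {required}"
        return False, log
    log["decision"], log["reason"] = "allow", "ok"
    return True, log


if __name__ == "__main__":
    now = time.time()
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "app-42",
                        "scope": "orders:read", "exp": now + 300})
    for method in ("GET", "POST"):
        allowed, record = decide(method, "/orders", token, now)
        print(json.dumps(record))  # one JSON line per decision, ready for the SIEM
```

In a gateway this logic lives in the ext-auth hook or in the Rego policy the gateway calls; the `decision_log` shape is what the evidence manifest indexes under the source "Runtime: Gateway decisions".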
Data residency ≠ legal sovereignty • EU-qualified provider required
SIEM targets
- Syslog
- OTLP gRPC
- OTLP HTTP
- Object store
Manifest settings: index (default `aom-control-plane`) and retention in days (default 365).

Evidence sources
- CI: SBOM scan
- CI: Spectral OpenAPI lint
- CD: OPA PaC gate
- Runtime: Gateway decisions
- Runtime: K8s Admission
- CD: Infracost cap checks

The evidence manifest (exported as JSON or YAML) records the manifest version (1.0), the index, retention_days, the selected targets and the selected evidence_sources, so that the evidence trail for each control can be located in the SIEM.
Rego skeleton for the gateway PEP (gateway-pep.rego), as exported by the page:

```rego
package api.pep

import rego.v1

default allow := false

# Derived from the Spectral rules above:
# - deny on HTTP-only schemes
# - deny when OAuth2 scopes are missing
```