Technology Architecture and Cross-Cutting Design

Technology architecture turns the business, data, and application decisions already made into infrastructure, platform, and security choices that trace back to a real enterprise need.

TOGAF 10 Phase D, with risk and security designed in

Technology architecture is the description of the infrastructure, platforms, integration, and security that carry the business, data, and application decisions already made. It is the translation layer, turning stated needs into hosting, networks, runtime, and operational choices that someone can build and run.

It matters because this is where good intentions either hold or quietly break. A target that cannot trace itself back to an enterprise need is just an implementation preference dressed in architecture language, and it tends to collapse under the first hard question about cost, risk, or resilience.

The stage builds in order. It starts with traceability, then platform strategy and interoperability, then risk and security designed in, then the microservices question, then sustainable design, then borrowing from reference models, and finally gap analysis and the trade-offs that decide the target.

The stage builds up in this order. Read it straight through on the first pass, or jump to any concept.

  1. Translation layer
  2. Platform strategy
  3. Security by design
  4. Microservices fit
  5. Sustainable design
  6. Reference models
  7. Gaps and trade-offs

Technology architecture as a translation layer

Technology architecture is a translation layer, not a fresh start. When an airline picks a cloud region, the choice should trace to a stated capability such as recovering bookings within minutes of a failure, and from there back to the business, information, and application decisions that came before it. The job of this phase is to develop a baseline and a target that support those earlier domains, so the infrastructure exists to serve a need rather than to satisfy a preference.

The frequent mistake is to treat the target as a clean sheet where vendor capability alone justifies the choice, with no link back to anything decided upstream. A region picked because a demo looked impressive last quarter is an implementation preference with architecture language applied afterwards. The better habit is to make every important decision traceable back to business, information, and application needs, together with the constraints and principles that shaped the work, so the reasoning survives review.

Tracing decisions only helps if the people who must approve them can read the result, which is why Phase D selects viewpoints for the stakeholders whose concerns the technology architecture has to answer. A retailer drawing one dense diagram that crams hosting, data flows, and controls onto a single sheet serves no one, because the operations lead, the security reviewer, and the finance owner each squint past the parts that do not concern them. The better habit is to pick a viewpoint per concern, so each view answers a real question about operations, security, or cost and earns its keep at review.

Phase D technology traceability: from application need to platform choice to operational owner A traceability chain with three columns: Application need, Platform choice and Owner who runs it. Four rows run left to right, joined by a drives arrow in red and a runs arrow in blue. A data store need drives Postgres, ADX and S3, run by the data platform team. Messaging drives Kafka and RabbitMQ, run by the integration team. Identity drives Entra ID with OAuth, run by the identity team. Runtime drives Kubernetes and Fargate, run by platform engineering. The middle platform column is emphasised in red. A closing note states that a platform with no driving need is gold-plating and one with no named owner is an outage waiting to happen. Application needPlatform choiceOwner who runs itdrivesruns Data storeRelational, time-series, objectPostgres, ADX, S3Chosen per data shapeData platform teamBackups, performance MessagingEvent distribution, queuesKafka, RabbitMQChosen per latency needIntegration teamTopic governance, schema IdentityAuthentication, authorisationEntra ID + OAuthStandard single sign-onIdentity teamMFA, account lifecycle RuntimeCompute, schedulingKubernetes, FargateChosen per workloadPlatform engineeringCluster ops, autoscaling Trace both ways or do not adopt.A platform with no driving need is gold-plating; one with no named owner is an outage waiting to happen.
A traceability map showing how each technology choice links back to the business, information, and application decisions that justify it.
Go deeper in the module

Platform strategy and interoperability

A platform strategy decides how much standardisation the enterprise needs, where exceptions are allowed, and how interoperability is preserved across teams. Picture a bank where every team chose its own message broker on a whim: the account, payment, and fraud systems could not exchange data without costly bespoke bridges, and every change would ripple through hand-built connectors. The architecture question is not which stack has the best features, it is how much consistency the whole enterprise needs to keep moving together.

The common error is to treat platform choice as a local technical preference, so each team picks freely for itself. That swings towards one of two bad extremes, total standardisation that ignores real local need, or total freedom that destroys coherence. A platform choice is an architecture decision because it affects reuse, interoperability, operating model, risk, and the ability of many parts to change at once. A good strategy narrows the choice set intelligently and creates better defaults rather than removing judgement.

Platform interoperability: the five dimensions two platforms must agree on A handshake bridge. Two pillars, Platform A and Platform B, each chosen for its own reasons, stand left and right. Between them, in a channel headed five dimensions both sides agree on, sit five stacked layers, each joined to both platforms by an accent connector. Layer 1, Protocol: HTTP, gRPC, MQTT, AMQP. Layer 2, Schema: what the payload means, in a shared registry. Layer 3, Identity: who is calling, by federated SSO or service principal. Layer 4, Error semantics: retry, idempotency, dead-letter. Layer 5, Runtime contract: SLA, throughput, failure modes. A closing note in red warns that any one dimension left unagreed breaks the integration, so each is signed off on both sides first. One side Five dimensions both sides agree on Other side Platform A Chosen for its own reasons Platform B Chosen for its own reasons 1ProtocolHow bytes move on the wireHTTP, gRPC, MQTT, AMQP 2SchemaWhat the payload meansPublished in a shared registry 3IdentityWho is calling, and proofFederated SSO or service principal 4Error semanticsWhat a failure means and doesRetry, idempotency, dead-letter 5Runtime contractLimits both sides honourSLA, throughput, failure modes Agreement on every layer, or no exchange.Any single dimension left unagreed breaks the integration. Each one is named and signed off on both sides beforedeployment, not discovered in production.
An interoperability map marking standard platform layers, controlled exception zones, and the connections that depend on shared choices.
Go deeper in the module

Risk and security designed in

Risk and security belong in the business, data, application, and technology choices from the start, where they shape boundaries and dependencies. A hospital that separates patient records from the public booking site by design removes a whole class of breach before any control catalogue is opened, because the structure itself makes the bad outcome far harder to reach. The strongest decisions make some risks impossible or much less likely, rather than relying on controls bolted on later.

The usual assumption is that security is a later review stage, so controls can be added once the target is largely fixed. By then the structure, trust relationships, and technology choices are hard and expensive to reverse, and the review can only speak in control terms about a design it cannot change. Bringing structural risk and security thinking in while boundaries and dependencies are still cheap to alter keeps the most valuable choices on the table when they still cost little to make.

Risk and security trace: from a named threat to filed evidence A horizontal trace of five panels joined by labelled blue arrows, with a sentence-case header above each naming the owning function. Step 1 Threat, owned by Security, a named risk. An arrow labelled mitigates leads to Step 2 Control, owned by the catalogue. An arrow labelled deploys leads to Step 3 Implementation, owned by Engineering. An arrow labelled verifies leads to Step 4 Test, owned by Audit, verified by audit or penetration test. An arrow labelled files leads to Step 5 Evidence, owned by Compliance, filed for board sign-off. The first and last panels are red, marking the two anchors. A red note states a control is owned only when it traces back to a threat and forward to evidence. SecurityThreatStep 1A named risksurfaced by thesecurity team CatalogueControlStep 2A mitigatingcontrol chosenfrom the catalogue EngineeringImplementationStep 3Deployed into theaffected systems AuditTestStep 4Verified by auditor penetrationtest ComplianceEvidenceStep 5Filed in the logfor boardsign-off mitigates deploys verifies files A control is owned only when both ends exist.It must trace back to a named threat and forward to filed evidence. Miss either end and the control is unowned, so the trace forces both before it is accepted.
A cross-domain trace showing where risk and security shape decisions across the business, data, application, and technology layers.
Go deeper in the module

Microservices and when not to use them

Microservices affect boundaries, team structure, integration, observability, and resilience, so the decision belongs to the enterprise, not to a single code base. One well-known example saw a streaming company move a monitoring workload back from microservices to a single deployable component because the cost of distribution outweighed the benefit for that particular problem. The choice is about operating capability and domain fit, not the elegance of a diagram.

The fashionable assumption is that microservices are the default modernisation answer and are always right, whatever the domain boundaries look like. That usually buys complexity at enterprise expense, because the organisation pays for distribution and coordination it cannot operate well. The sounder approach is to choose microservices only when domain boundaries, deployment pressure, and team capability justify the cost, and otherwise to prefer a simpler modular design that the enterprise can actually run.

Microservice fit on two axes: independent change and independent failure A matrix of microservice fit on two blue axis rails: a vertical Independent change rail, coupled to free, and a horizontal Independent failure rail, coupled to isolated. Each quadrant pairs a green win marker with an amber cost marker. Coupled change with coupled failure is Keep the monolith: splitting wins nothing. Free change with coupled failure is Split release, shared failure: teams ship on their own cadence but one fault takes the rest down. Coupled change with isolated failure is Shared release, bulkheaded: a fault stays inside but each change ships together. Free change with isolated failure, in red, is Microservice fit: independent change and failure, paid with network and contract. Independent change: coupled to free Independent failure: coupled to isolated Change free, coupled failure Split release, shared failure Teams ship on their own cadence One fault can take the rest down Both properties hold Microservice fit Independent change and failure Network, contracts and observability Neither property holds Keep the monolith No coordination tax, easy to reason about Coupling is real, splitting wins nothing Failure free, coupled change Shared release, bulkheaded A fault stays inside its own boundary Every change still ships together What the combination winsWhat it still has to carry Only the top-right quadrant earns a split.If a part cannot change and fail on its own, the monolith is the honest answer; the partial quadrants needextra controls before they qualify.
A decision tree weighing domain boundaries, deployment pressure, and team capability against the operating cost of distribution.
Go deeper in the module

Sustainable and carbon-aware design

Sustainability becomes architecture only when it changes a real trade-off about workload, hosting, data retention, or operation. A streaming service that shifts heavy video transcoding to the hours and regions with cleaner power has made a carbon-aware design choice, because the system now behaves and consumes differently. This does not mean every decision turns into a carbon calculation, it means the enterprise is explicit about where resource use genuinely matters.

The weak version treats sustainability as a strategy-level branding paragraph that never touches a concrete lever. If a sustainability claim never changes a decision, it has not yet become architecture, it is aspiration. The better practice ties sustainability to specific platform, workload, data, retention, and operating choices, so the commitment shows up as a measurable change in how the system runs rather than as a sentence in a strategy deck.

Sustainable IS decision matrix: business value against carbon intensity on two axes A two-by-two matrix of sustainable IS choices on two blue axis rails: a vertical Business value rail, low to high, and a horizontal Carbon intensity rail, low to high. Each quadrant names the action for one combination, with a green marker for the gain and an amber marker for the carbon move it implies. High value and low carbon is Scale, the easy win. High value and high carbon is Optimise: worth keeping, so reschedule, right-size and refactor. Low value and low carbon is Leave but watch. Low value and high carbon is Retire or relocate to a greener region. A red note marks the high-value high-carbon workload as the one to optimise: too valuable to retire, too carbon-heavy to scale. Business value: low to high Carbon intensity: low to high High value, low carbon Scale The easy win Grow within the carbon budget High value, high carbon Optimise Worth keeping Reschedule, right-size, refactor Low value, low carbon Leave but watch No urgency Re-check yearly Low value, high carbon Retire or relocate Free up the budget Move to a greener region or stop What the combination gainsThe carbon move it implies High value and high carbon is the workload to optimise.It is too valuable to retire and too carbon-heavy to scale, so it earns the engineering effort toreschedule, right-size and refactor.
A decision matrix plotting the architecture levers, such as retention, hosting, and processing intensity, where sustainability changes a trade-off.
Go deeper in the module

Regulated-sector reference models

Reference models give common language, comparability, and interoperability in regulated settings, but they are not the local architecture. A government department can borrow a national service-classification model for shared vocabulary while still designing its own benefits or tax systems to fit how it actually operates. The model earns its place by reducing argument about common structure, which frees the team to spend effort on the local differences that genuinely matter.

The trap is to copy a model wholesale and treat it as the enterprise's own architecture, which produces work that looks compliant but is hollow. A model from another context cannot carry the specific operations, constraints, and risks of this one. The better habit is to borrow structure, vocabulary, or comparison value while still doing the local analysis the context demands, deciding deliberately what to adopt, what to adapt, and what to set aside.

Borrow a reference model, but still design the local architecture Three panels left to right. A national reference model offers a shared service classification. The department borrows vocabulary, structure, and comparability from it. What stays local is the department's own benefits and tax system design, which the reference model does not replace. Reference modelA shared nationalclassification What you borrowVocabulary,structure,comparability What stays localYour own benefitsand tax systems borrow still design
A side-by-side view contrasting reusable reference-model structure with the local architecture choices that still have to be made.
Go deeper in the module

Technology gap analysis and trade-offs

Gap analysis should expose missing architectural properties, the hard constraints around them, and the trade-offs any option must navigate. Saying a retailer lacks an event-streaming product is weak, because it names a tool. Saying it cannot keep processing orders during a regional outage names the real capability gap, and that framing is what lets reviewers reason about cost, risk, and the target instead of debating a shopping list.

The common failure is to treat the gap log as an inventory of products the enterprise has not yet bought. A product gap hides the reasoning, so the target architecture cannot defend itself when challenged. Naming the missing capability, constraint, or risk instead keeps the architectural argument in the open, which is the real value of the exercise. The table matters far less than the quality of thinking it forces into view before the plan is committed.

Closing a technology gap on two axes: cost and time-to-close, with the move in each quadrant A two-by-two matrix for closing a technology gap on two blue axis rails: a vertical Cost rail, low to high, and a horizontal Time-to-close rail, fast to slow, along the bottom. Each quadrant names the move one combination calls for, with a green marker for what it buys and an amber marker for what it costs. Low cost plus fast close is Do it now: a cheap win, rare so confirm it is real. Low cost plus slow close is Backburner: delivered in the usual cycle. High cost plus fast close is Throw money: the timeline compressed now at a premium price. High cost plus slow close, marked in red, is Escalate or kill: the worst of both, so question whether the gap is real. Cost: low to high Time-to-close: fast to slow High cost, fast close Throw money Timeline compressed now Premium price, parallel teams High cost, slow close Escalate or kill Forces the gap to be re-tested Worst of both, question it Low cost, fast close Do it now Cheap win, lean in at once Rare, so confirm it is real Low cost, slow close Backburner Delivered in the usual cycle No special programme, just wait What the move buysWhat it costs High cost and slow close is the trap.It buys nothing the board wants, so escalate or kill the gap rather than fund a slow, expensive closeby default.
A trade-off matrix relating baseline weaknesses, target capability needs, hard constraints, and the choices each option forces.
Go deeper in the module

Practise with the stage's tools

Printable, fillable artefacts for putting this stage to work. Each cites its source, opens in the diagram workspace, and downloads as it stands.

Phase D, Technology Architecture

Phase D, Technology Architecture

Microservice fit on two axes: independent change and independent failure

The grid encodes the two preconditions for a service boundary on the X and Y axes. Each quadrant names the outcome of one combination and what it still has to carry.

Phase D, Technology Architecture

Sustainable IS decision matrix: business value against carbon intensity on two axes

The grid pairs business value on the vertical axis against carbon intensity on the horizontal. Each quadrant names the action the combination demands, from scale to retire.

Phase D, Technology Architecture

The TOGAF Technical Reference Model: entities, interfaces, qualities

The TOGAF TRM is not a layered stack. It is three entities, application software, the application platform and the communications infrastructure, joined by two interfaces, with twelve platform service categories and a backplane of qualities.

Phase D, Technology Architecture

Phase D, Technology Architecture

OT, IT and Telecom resilience: two stacks depend on one shared foundation

Operational technology and information technology both rest on the telecom layer. Each stack names what it needs, what it serves, and how it fails when the shared dependency breaks.

Phase D, Technology Architecture

Test yourself on this stage

Check what has landed. The practice set gives instant feedback as you go; the timed assessment mirrors a real sitting, with a pass record and a breakdown by domain.