← Notebook

Modern IT Infrastructure Reference Model

Five pillars on four foundations, jointed like a timber house.

Infrastructure is how hardware, software and the cloud interact to carry a business mission — and that interaction is exactly where the mess lives. This is the logic I use to keep it sane, and to put a number and a euro on it.

hashira · the pillar  /  貫 nuki · the tie that runs through

The frame

A Japanese timber house, not a stack of boxes

A miya-daiku raises a temple with almost no nails. The strength is in the joinery: posts, penetrating tie-beams, and joints that bind tighter the harder the building is pushed. That is the honest picture of an IT estate — so it is the frame I build the model on.

Business mission 棟木 MUNAGI · THE RIDGE THE FRAME HOLDS UP Identities Compute Networking Software Data Operations Security Governance Finance RUN IT PROTECT IT PROVE IT SIZE IT 土台 DODAI — THE BASELINE EVERY POST STANDS ON 貫 NUKI — THREADED THROUGH EVERY POST
The whole model in one elevation. Five colour-coded posts (the pillars) carry the mission; four warm tie-beams (the foundations) thread through all of them; the joints — not nails — are where the strength lives. The colours carry through the rest of the page, so a blue label is always Networking and an ochre one is always Security. Where a beam crosses a post is one cell of the matrix further down.

Every element maps to something real, and the mapping is what keeps the metaphor load-bearing instead of cute:

Posts 柱 hashira
The five pillars — the resource domains you build with. Vertical, load-bearing, distinct.
Tie-beams 貫 nuki
The four foundations. Not a slab underneath — a beam that penetrates every pillar. Operations, Security, Governance and Finance run horizontally through all five.
Joints 継手 tsugite
Where the beams meet the posts and each other. A dovetail tightens under load. GRC is literally the joint where Security and Governance interlock — you can't cleanly separate them, and that's the point.
Ridge beam 棟木 munagi
The business mission the whole frame exists to hold up.
The plot 敷地 shikichi
Finance. It is a tie-beam like the others (cost runs through every pillar), but it is also the timber budget that sizes the build. You cannot frame bigger than your land and your lumber.

The posts

Five pillars — and why AI isn't the sixth

A pillar is a durable resource domain: it exists regardless of what you're building on it. There are five.

Identitieswho or what is acting. Computewhere workloads run. Networkinghow anything reaches anything else. Softwarewhat delivers the function. Datathe reason the other four exist.

The first draft had a sixth: AI. It was a category error, and the fix came from a better instinct — AI is humanised compute. An android is a body and a person. Pull AI apart the same way: the model, the weights, the inference runtime are the body — a workload on Compute. The agent that authenticates, holds privileges and acts on your behalf is the person — a non-human Identity. The governance it needs — evals, guardrails, model risk — rides through as a tie-beam, exactly like Security. Nothing floats, and nothing needs its own post.

Identities · who & what Compute · where it runs Networking · how it talks Software · what it does Data · what matters

The joinery in motion

Everything is a CI — but the drawing is not the timber

The core of how I think: every component is a configuration item, and the moment it exists it must link to at least one other. But a CI on a whiteboard and a CI in the rack are two different animals, and pretending otherwise is where CMDBs go to die.

The theoretical CI is the idealised node — clean, single-purpose, fully linked. The real CI is messy, multi-role, half-documented, and drifting. So the graph is a desired state; the estate is the observed state; the gap between them is drift — and drift is the thing you actually manage. That's not a new discipline to invent: it's the same reconciliation loop as infrastructure-as-code, pointed at the CI graph instead of the servers.

Which is why a self-maintaining CMDB is a north star you earn, not a switch you flip. You can only auto-discover CIs through the pillars — the IdP is the source of truth for identities, IPAM for addressing, the hypervisor API for compute. The CMDB isn't a system bolted on the side; it's the emergent join of each pillar reporting itself. You earn automation one authoritative source at a time.

And the links aren't just nouns touching nouns. A CI event fires procedures across pillars and foundations. Provisioning one server looks like this:

Event — provision Server A (a new application host)
Compute
Server-A CI created as a guest on the hypervisor-cluster CI. Server-A —runs-on→ Cluster
Networking
An IP is drawn from the IPAM subnet, a DNS A-record is written in the zone, a switchport / VLAN is assigned. Server-A —has-address→ IP —resolves-from→ Zone; —attached-to→ VLAN
Identities
A host identity and a service account are issued; a named owner is bound. Server-A —owned-by→ Owner; —authenticates-with→ SvcAcct
Software Data
The app stack that will run is declared; a storage volume and its backup job are linked. App —runs-on→ Server-A —stores-on→ Volume —protected-by→ Backup
Operations
The provisioning SOP executes; monitoring is onboarded; the host joins a patch group.
Security
The hardening baseline is applied; a firewall policy is written; the host enters vuln-scan scope.
Governance
A change request is approved; owner + purpose are recorded; the CMDB entry reconciles; an audit record is written.
Finance
A cost tag / budget line is assigned; the host joins the quarter's run-rate.

One trivial action — ~10 typed CI links across all five pillars, and four foundation procedures fired. The SOPs, approvals and audit entries are edges too, not paperwork stapled on after.

The model, made practical

The 5 × 4 matrix Preview

The pillars-and-foundations model is the theory — the shape in my head. The matrix is its serialization: the same colour-coded posts and beams, unrolled into a grid you can put in front of a client and fill in. Twenty cells, each shown here with one representative question — a preview of the coverage, not the full checklist. The blank or weak ones are your gaps.

Pillar ↓ / Foundation → Operations · run it Security · protect it Governance · prove it Finance · size it
Identitieswho & what Joiner/mover/leaver on time; provisioning queue clear? MFA everywhere; PAM/PIM on privileged; tiering enforced? Every identity owned + purposed; access reviews signed? Licence seats right-sized; cost per identity known?
Computewhere it runs Patch compliance; golden images; capacity headroom? Hardening baseline; isolation between tiers? Every host owned; EOL & lifecycle tracked? Right-sized; idle reclaimed; consolidation ratio?
Networkinghow it talks Change management; flow/monitoring coverage? Default-deny segmentation; no any-any; NAC? Every segment owned; rules ticketed + expiring? Circuit/egress cost visible; unused links cut?
Softwarewhat it does Release pipeline; dependency currency? SBOM; vulnerable deps; secrets handling? App owned; data-processing purpose recorded? SaaS spend mapped; shadow-SaaS surfaced?
Datawhat matters Backups tested, not just taken; restore drills? Encryption at-rest & in-flight; least-privilege access? Classification; retention; lineage? Storage tiered by value; cold data parked cheap?

Read a column and you audit one discipline across the whole estate. Read a row and you audit one pillar end-to-end. The grid is the coverage map; the next two sections put a score and a euro in each cell.

A preview, not the full checklist

Each cell here holds one representative question standing in for many. A real audit explodes every cell into a dozen-plus concrete subjects — the twenty questions above are the shape of the coverage, not its depth.

The scoring

Maturity is a sum of modules

A pillar isn't bought in one go — it's raised module by module, where a module is the smallest thing you can fund and deploy on its own. Each module carries a cost that lands in a finance quarter and an impact score that lands in a matrix cell. Maturity is just the running sum.

Take a single access switch. It doesn't arrive “mature” — it earns maturity in steps, and a second control laid over it doesn't just add, it amplifies:

ModuleDeliversMatrix cellImpactCost
Acquire + rack the switchconnectivityNet × Ops+10€6k
Base config — VLANs, ACLssegmentation + basic protectionNet × Sec+15€4k
Advanced config — stacking / MLAGredundancy, resilienceNet × Ops+10€7k
Switch subtotal35€17k
Acquire NAC, overlay on the switchidentity-aware accessId × Sec+20€12k
↳ amplifies the segmentation module ×1.4static VLANs become identity-awareNet × Sec+6
Environment maturity (switch + NAC, with overlap)61€29k

The overlap is the whole point of defence-in-depth, finally made countable: NAC over a segmented switch isn't 35 + 20 = 55. It's 35 + 20 + 6 = 61, because identity-aware segmentation is worth more than the static kind. Formally: M = Σ base(module) + Σ amp(overlap), where the amplification factor is a dial you calibrate and keep consistent — not a law of physics. Set it once, apply it the same way everywhere, and the number stays honest.

The one nugget worth stealing

Score exposure in money, not red-amber-green. A gauge that reads “€18k/year” drives a budget conversation; a gauge that reads “amber” starts an argument. That single move — risk as a euro range — is what turns the matrix from a heat-map into a plan.

The way forward

Two curves, one roadmap

Lay the modules across a multi-year timeline and each quarter carries its cost (for finance) and its impact (for maturity). Now you have two synced curves: cumulative spend, and cumulative maturity. Sum backwards and you know where you stand. Sum forwards and you can predict where a funded plan will land.

04080120 MATURITY — Σ IMPACT €46k spend TIPPING POINT · Q2 €4k retires ~€12k/yr exposure Q5 · NAC overlay amplifies earlier work (+26) 115 Q1Q2Q3Q4Q5Q6Q7Q8 EIGHT QUARTERS · MODULES SPREAD ACROSS FINANCE PERIODS
The roadmap is the by-product, not the input. Rank candidate modules by exposure-retired-per-euro, drop them into quarters your budget can carry, and the maturity curve draws itself. The Q5 step is amplification at work — the NAC overlay is worth more than its own points because of the segmented switch already underneath it.

The tipping point, worked

A flat access layer with no segmentation carries an expected loss on the order of €18k a year from lateral movement — likelihood × impact, priced in money (an expected value, really a range, and one that grows the longer the gap stays open). The base-segmentation module costs €4k once plus ~€1k/year to run, adds +15 maturity, and pulls that exposure hard toward the origin — the hit lands less often and smaller, cutting the expected loss by roughly €12k a year. What it removes dwarfs what it costs, so it crosses the line and goes into Q2. That's the tipping point: the moment risk justifies adding the cost to the budget to buy the points down.

Do that for every candidate module and the rule is simple: rank by exposure-retired ÷ cost, fund down the list until the quarter's budget runs out, repeat next quarter. The estate matures on the cheapest path available, and you can prove it.

Price the risk, don't colour it

All of it turns on one move: state exposure in money, not red-amber-green. A colour is nothing you can budget against; a euro range is — and the evidence sits on that side (Cox's 2008 proof that a typical risk matrix can unambiguously rank fewer than one pair of risks in ten, and the FAIR standard's loss-exceedance curve). Two caveats keep the numbers honest. A breach is a lumpy one-off, not an annuity, so any single figure is a first cut, best read as a range. And the risk compounds — the longer a gap stays open, the closer to certain the, by then larger, hit becomes. So a control is never a line item that "saves €X a year." It shifts your whole loss curve down and to the left: less likely, and smaller when it lands.

100%75%50%25%0% P( YEAR'S LOSS > X ) €0€50k€100k€150k€200k ANNUAL LOSS the control shifts it in Exposure now After the control
A control shifts the loss curve, it isn't a line item. Each curve reads: the probability that a single year's loss exceeds the amount on the axis. Segmentation pulls the whole curve toward the origin, so every size of loss becomes less likely; the shaded gap is the risk it retires. The fuller method — pricing each gap as a curve and ranking fixes by curve-shift per euro — gets its own page.

Why it travels

A funded trajectory is the thing regulators ask for

NIS2 and the frameworks like it don't want a snapshot that says “we're secure.” They want evidence of a plan — a current posture, a roadmap, money behind each step, and the risk each step retires. The two-curve model is exactly that, in a form a partner, a customer or an auditor can read in one page.

Where we stand

Maturity as a sum of deployed modules, per matrix cell. The gaps are visible, not asserted.

Where we're going

The forward sum predicts the maturity a funded plan reaches, quarter by quarter.

What it costs

Every step is tied to a euro in a finance period — a roadmap the CFO can carry, not a wish-list.

What it buys

Each step names the exposure it retires. Compliance becomes a trajectory, not a scramble.

Wrapping all of it is the same closed loop every framework runs: Design → Evaluate & Adopt → Operate → Audit, then feed what you learned back into the next design. Not a waterfall — a loop, and each turn is tighter than the last. The modules are how a turn of that loop gets funded and scored.

Sort every component into a pillar, thread the four foundations through all of them, joint it — don't nail it — and let every module carry a score and a euro. The maturity is the sum; the plan is the sum run forward.