Infrastructure concepts: cloud, hybrid, IaC, serverless, microservices, network infra, physical isolation/air-gapped, SDN, containerization, virtualization, IoT, ICS/SCADA, RTOS, embedded, HA

 3.1 Security implications of architecture models

📘CompTIA Security+ SY0-701

When talking about architecture models in IT, we are looking at how systems, networks, and applications are structured and how that affects security. Each infrastructure type has its benefits and security risks.

1. Cloud

  • Definition: Cloud computing delivers computing services (like servers, storage, databases, networking, software) over the internet.
  • Types:
    • Public Cloud: Services hosted by third-party providers (e.g., AWS, Azure).
    • Private Cloud: Cloud environment used by a single organization, often behind firewalls.
    • Hybrid Cloud: Combines public and private clouds.
  • Security Considerations:
    • Shared resources increase risk (multi-tenancy issues).
    • Data in transit and at rest must be encrypted.
    • Strong identity and access management (IAM) policies are critical.
  • Example: Hosting company email on Microsoft 365 (cloud-based) instead of on-premises servers.

2. Hybrid

  • Definition: Hybrid architectures use a combination of on-premises infrastructure and cloud services.
  • Security Considerations:
    • Must secure the connection between on-premises and cloud (VPNs, secure tunnels).
    • Policies must cover both environments consistently.
  • Example: An organization stores sensitive customer data on-premises but uses cloud servers for web applications.

3. Infrastructure as Code (IaC)

  • Definition: IaC is managing and provisioning IT infrastructure using code instead of manual setup.
  • Security Considerations:
    • Misconfigured code can deploy insecure servers or services.
    • Version control and code reviews are essential.
    • Secrets (passwords, API keys) must never be hardcoded; use secure vaults.
  • Example: Using Terraform scripts to deploy virtual machines with firewalls automatically.

4. Serverless

  • Definition: Serverless computing runs code without managing servers; the cloud provider handles infrastructure automatically.
  • Security Considerations:
    • Less control over the underlying OS.
    • Functions must be secure against injection and excessive permissions.
    • Logging and monitoring are critical.
  • Example: Using AWS Lambda to run backend code for a web application.

5. Microservices

  • Definition: Applications are broken into small, independent services that communicate over APIs.
  • Security Considerations:
    • API security is critical (authentication, authorization, input validation).
    • Each service needs proper monitoring and patching.
    • Container security is often involved.
  • Example: An e-commerce app separates payment processing, user accounts, and product catalog into different microservices.

6. Network Infrastructure

  • Definition: The physical and logical layout of networking devices like routers, switches, firewalls, and access points.
  • Security Considerations:
    • Proper segmentation and VLANs prevent lateral movement of threats.
    • Firewalls and IDS/IPS monitor and control traffic.
    • Secure configuration is critical to prevent exploits.
  • Example: Using VLANs to separate finance department traffic from the rest of the network.

7. Physical Isolation / Air-gapped Systems

  • Definition: Systems completely disconnected from external networks (air-gapped).
  • Security Considerations:
    • Highest level of protection from external attacks.
    • Risk comes from insiders or removable media (USBs).
    • Still needs proper patching and monitoring.
  • Example: A government lab storing classified data with no internet access.

8. Software-Defined Networking (SDN)

  • Definition: Network management is done via software rather than hardware configuration.
  • Security Considerations:
    • Centralized control allows rapid response to threats.
    • Compromise of the SDN controller can affect the entire network.
    • Needs strict access controls and monitoring.
  • Example: Using SDN to dynamically block suspicious traffic across multiple data center switches.

9. Containerization

  • Definition: Packaging applications and their dependencies into containers so they run consistently across environments (Docker, Kubernetes).
  • Security Considerations:
    • Containers share the host OS kernel, so kernel exploits are risky.
    • Use minimal images, scan for vulnerabilities, and manage container secrets securely.
  • Example: Deploying a web server and its dependencies in a Docker container on a Kubernetes cluster.

10. Virtualization

  • Definition: Running multiple virtual machines (VMs) on a single physical host using a hypervisor.
  • Security Considerations:
    • Hypervisor compromise affects all VMs.
    • VM sprawl can lead to unpatched, vulnerable machines.
    • Proper isolation and resource management are essential.
  • Example: Running separate VMs for web servers and database servers on the same physical host.

11. Internet of Things (IoT)

  • Definition: Networked devices with sensors, software, and connectivity.
  • Security Considerations:
    • Devices often have weak default credentials.
    • Limited ability to patch vulnerabilities.
    • Network segmentation and monitoring are essential.
  • Example: Smart office sensors controlling lighting and HVAC.

12. ICS/SCADA

  • Definition: Industrial Control Systems / Supervisory Control and Data Acquisition control industrial processes (factories, utilities).
  • Security Considerations:
    • Often outdated systems with weak security.
    • Must protect against both external attacks and insider threats.
    • Segmentation from corporate IT networks is crucial.
  • Example: Power plant control system monitoring electricity distribution.

13. Real-Time Operating Systems (RTOS)

  • Definition: OS designed to process data and respond in real time with predictable timing.
  • Security Considerations:
    • Often used in critical embedded systems.
    • Security patches may be difficult to apply without downtime.
    • Need strict access control and monitoring.
  • Example: An RTOS running a robotic assembly line.

14. Embedded Systems

  • Definition: Special-purpose computing systems built into devices.
  • Security Considerations:
    • Limited memory and processing power make traditional security measures hard to implement.
    • Must secure firmware updates and interfaces.
  • Example: A network printer or smart thermostat with embedded software.

15. High Availability (HA)

  • Definition: Systems designed to remain operational even when components fail.
  • Security Considerations:
    • Redundant systems must be kept synchronized securely.
    • Backups, failover mechanisms, and monitoring must be secure.
    • Protect against attacks during failover transitions.
  • Example: A web service with multiple load-balanced servers across data centers to prevent downtime.

Exam Tips

  • Focus on security risks associated with each infrastructure type.
  • Know key definitions: cloud, serverless, microservices, containers, virtualization, IoT, SCADA, RTOS, embedded, HA.
  • Understand real-life IT security controls for each model.
  • Think of why an attacker might exploit each model and what countermeasures are used

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by