CompTIA Security+secure-architecture-and-cloud-security

Secure Architecture and Cloud Security

Designing resilient systems and securing cloud, virtualization, and modern architectures.

Security+ (SY0-701) tests whether you can weigh the security trade-offs of an architecture choice rather than memorize a definition. You must know who owns which control in the cloud, how to keep systems available when something fails, and how to protect data in every state. Master the shared responsibility model, the resilience metrics, and data-protection controls below and this domain becomes predictable.

Core Idea

  • Architecture is a trade-off exercise. Cloud, serverless, microservices, and IaC each shift responsibility, attack surface, and cost — the "best" answer depends on availability, control, and compliance needs.
  • The shared responsibility model divides duties by service model. The cloud provider secures of the cloud; the customer secures in the cloud — and the line moves with IaaS, PaaS, and SaaS.
  • Resilience means measured recovery. RTO, RPO, MTBF, and MTTR quantify how much downtime and data loss you can tolerate and how fast you recover.

Architecture Models and Their Trade-offs

  • On-premises gives maximum control but you own all patching, physical security, and scaling.
  • Cloud (IaaS/PaaS/SaaS) offloads infrastructure but adds shared responsibility and reduced visibility. Hybrid blends both and multiplies the attack surface at the integration points.
  • Serverless removes OS and patch duties (provider handles runtime) but you cannot inspect the host and depend heavily on the provider.
  • Microservices improve fault isolation and scaling but add many APIs to secure and complicate monitoring. Containers share the host OS kernel — lighter than VMs but weaker isolation.
  • Virtualization relies on the hypervisor; a Type 1 (bare-metal) hypervisor is more secure than a Type 2 (hosted) one. Watch for VM escape (breaking out to the host) and VM sprawl.
  • Infrastructure as Code (IaC) makes builds repeatable and auditable, but a flaw in a template is replicated everywhere instantly.

The Shared Responsibility Model

  • The customer always owns their data, access management, and account credentials regardless of service model.
  • IaaS: provider secures hardware and virtualization; customer secures OS, applications, and data.
  • PaaS: provider also secures the OS and runtime; customer secures applications and data.
  • SaaS: provider secures almost everything; customer still owns data classification, user access, and configuration.

Resilience and Availability

  • High availability (HA) keeps a service running through redundancy. Load balancing distributes traffic across active nodes for performance and uptime, while clustering groups servers so a standby can take over on failure.
  • Redundancy eliminates single points of failure — power (UPS/generator), network, and disk. RAID adds disk redundancy: RAID 0 is striping (no fault tolerance), RAID 1 mirrors, RAID 5 uses striping with parity, RAID 6 adds double parity, RAID 10 mirrors and stripes.
  • Site resiliency: a hot site is fully operational and ready in minutes; a warm site has hardware but needs data and setup (hours); a cold site is just space and power (days).
  • Recovery metrics: RTO is how fast you must restore service; RPO is the maximum acceptable data loss (how far back your restore point is); MTBF measures reliability (time between failures); MTTR measures how long a repair takes.

Data Protection

  • Data classification (public, private, confidential, restricted) drives how strongly data is protected.
  • Data states: protect data at rest (full-disk/database encryption), in transit (TLS, VPN), and in use (secure enclaves, memory protection — the hardest to protect).
  • DLP inspects and blocks sensitive data from leaving the organization.
  • Obfuscation controls: encryption makes data unreadable without a key; tokenization swaps data for a non-sensitive token stored in a vault; masking hides part of a value (e.g., showing only the last four digits).

Embedded, ICS/SCADA, and IoT Design

  • ICS/SCADA systems run critical infrastructure and often cannot be patched or taken offline; protect them with network segmentation and air-gapping rather than agents.
  • IoT and embedded devices frequently ship with default credentials, weak update paths, and long lifecycles — harden defaults, segment them onto separate VLANs, and monitor traffic.
  • Snapshots capture a VM's state for fast rollback and forensics. Sound design also enforces non-repudiation through logging and digital signatures so actions cannot be denied later.

High-Yield Exam Patterns

  • If a question asks "who is responsible," anchor on the service model — and remember the customer always owns the data.
  • RPO vs RTO: RPO looks backward (data loss / backup frequency); RTO looks forward (time to restore). Do not swap them.
  • A scenario needing recovery in minutes points to a hot site; days points to a cold site.
  • Tokenization vs masking vs encryption: tokenization uses a lookup vault, masking hides characters (often irreversibly for display), encryption is reversible with a key.
  • Load balancing is about distributing active traffic; clustering is about failover — pick based on whether the goal is performance or continuity.
  • Containers share the host kernel (weaker isolation); VMs have their own OS (stronger isolation but heavier).

Common Traps to Avoid

  • Assuming SaaS means the provider secures your data and user access — you still own classification and identity.
  • Confusing RAID with backup; RAID provides availability, not recovery from deletion or ransomware.
  • Thinking serverless or PaaS removes all security duty — you still secure your code, data, and access.
  • Treating "in use" data as automatically safe; it is the hardest state to protect because it must be decrypted to be processed.
  • Choosing a warm site when the scenario demands near-instant failover.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.