
Domain 3 – Full Cross-Topic Review: Security Architecture

Security+ Domain 3 — Security Architecture Capstone Review (20 Questions)

This review integrates:

  • Cloud Service and Deployment Models (IaaS, PaaS, SaaS, public, private, hybrid)
  • Virtualization and Containerization Security
  • IoT, ICS/SCADA, and Embedded System Security
  • Infrastructure as Code (IaC) and Automation
  • Secure Design Principles (defense in depth, segmentation, least privilege)
  • Data Protection (classification, encryption, DLP, masking)
  • High Availability and Site Resilience
  • Backup Strategies and Disaster Recovery

Expect architecture decision scenarios that require balancing security, availability, and operational constraints.


Question 1

A company migrates its customer-facing web application to an IaaS cloud provider. After migration, the security team discovers that OS-level patches have not been applied for three months.

Who is responsible for OS patching in an IaaS model?

A. The customer, because IaaS customers manage operating systems and above
B. The cloud provider, because they manage all infrastructure
C. Both equally, under the shared responsibility model
D. Neither, because cloud environments are automatically patched

Answer & reasoning

Correct: A

In IaaS, the cloud provider manages the physical infrastructure, hypervisor, and network fabric. The customer is responsible for the operating system, middleware, applications, and data. OS patching is squarely the customer's responsibility. This is a foundational shared responsibility model concept.

Question 2

A development team uses containers for microservices. A vulnerability scan reveals that multiple containers share the same base image, which contains a critical vulnerability in a system library.

What is the MOST efficient remediation approach?

A. Patch each running container individually
B. Update the base image, rebuild all affected containers, and redeploy
C. Migrate from containers to virtual machines
D. Add a WAF in front of all containers to block exploitation

Answer & reasoning

Correct: B

Containers are immutable by design. The correct approach is to update the base image, rebuild container images from the patched base, and redeploy. Patching running containers breaks the immutable infrastructure model, migrating to VMs does not address the vulnerability, and a WAF is a compensating control that does not fix the root cause.

Question 3

A manufacturing plant connects its SCADA systems to the corporate network to enable remote monitoring. Shortly after, the security team detects reconnaissance scanning against SCADA devices from an internal workstation.

What architectural control should have been implemented?

A. Full-disk encryption on all SCADA devices
B. Antivirus software on all SCADA controllers
C. Network segmentation with a DMZ or firewall between IT and OT networks
D. VPN access from SCADA devices to the corporate network

Answer & reasoning

Correct: C

ICS/SCADA systems must be segmented from the corporate IT network. A demilitarized zone or firewall between operational technology (OT) and information technology (IT) networks prevents lateral movement and unauthorized scanning. SCADA devices typically cannot run traditional antivirus, and encryption does not prevent network reconnaissance.

Question 4

An organization uses Infrastructure as Code (IaC) to provision cloud resources. An auditor discovers that a Terraform template includes hardcoded database credentials in plaintext.

What is the MOST appropriate remediation?

A. Store credentials in a secrets management vault and reference them dynamically in IaC templates
B. Encrypt the entire Terraform template file
C. Move the credentials to a separate plaintext configuration file
D. Add a comment in the template warning not to share the file

Answer & reasoning

Correct: A

Secrets management vaults (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) provide secure credential storage with access controls, rotation, and audit logging. IaC templates should reference secrets dynamically, never contain hardcoded credentials. Encrypting the template complicates usage, a separate plaintext file is equally insecure, and comments provide no security.

Question 5

A company classifies data into four tiers: public, internal, confidential, and restricted. An employee emails a confidential spreadsheet to a personal email address. The DLP system does not flag the transmission.

What is the MOST likely reason the DLP failed?

A. DLP systems cannot inspect email traffic
B. The DLP policy was not configured with rules matching the confidential classification label or content patterns
C. The spreadsheet was too large for DLP to scan
D. Confidential data does not require DLP protection

Answer & reasoning

Correct: B

DLP effectiveness depends on properly configured policies that match classification labels, keywords, patterns, or file metadata. If the DLP rules do not include patterns for "confidential" labeled content, transmissions will pass undetected. DLP systems routinely inspect email traffic, file size is typically not a blocker, and all non-public classifications should have DLP enforcement.

Question 6

An architect designs a system with a hot site for disaster recovery. The CFO asks why a cold site was not chosen to reduce costs.

What is the PRIMARY trade-off between hot and cold sites?

A. Hot sites have worse security; cold sites are more secure
B. Cold sites replicate data in real time; hot sites require manual data restoration
C. There is no meaningful difference between hot and cold sites
D. Hot sites provide near-zero RTO at higher cost; cold sites have extended RTO at lower cost

Answer & reasoning

Correct: D

Hot sites maintain running systems with real-time data replication, enabling near-zero recovery time objectives (RTO) at significant cost. Cold sites provide space and power but require hardware provisioning and data restoration, resulting in extended RTO (days to weeks) at much lower cost. The choice depends on business criticality and acceptable downtime.

Question 7

A SaaS application stores customer data in a multi-tenant cloud environment. A customer asks for assurance that their data is logically isolated from other tenants.

What architectural control provides this assurance?

A. Physical server separation for each tenant
B. Network firewalls between each customer's home network and the cloud
C. Logical isolation through tenant-specific encryption keys, access controls, and database segmentation
D. Regular vulnerability scanning of the SaaS application

Answer & reasoning

Correct: C

Multi-tenant SaaS environments use logical isolation: tenant-specific encryption keys ensure one tenant cannot decrypt another's data, access controls enforce authorization boundaries, and database segmentation (schemas or row-level security) prevents data leakage. Physical separation defeats the purpose of multi-tenancy, and firewalls and scanning do not address tenant isolation.

Question 8

A security team implements defense in depth for a web application. The layers include a WAF, network segmentation, application-level input validation, database encryption, and endpoint monitoring.

An attacker bypasses the WAF using an encoding technique. What defense-in-depth layer is NEXT in line to mitigate the attack?

A. Database encryption
B. Endpoint monitoring
C. Application-level input validation
D. Network segmentation

Answer & reasoning

Correct: C

Defense in depth places controls in sequence. After the WAF (perimeter), the next layer protecting against web attacks is application-level input validation, which processes the actual request content. Network segmentation restricts lateral movement (not application-layer attacks), database encryption protects data at rest, and endpoint monitoring is detective rather than preventive at this layer.

Question 9

An IoT deployment includes 500 smart sensors across a warehouse. The sensors run a lightweight embedded OS that does not support endpoint agents or traditional patch management.

What is the MOST appropriate security strategy?

A. Install antivirus on each sensor
B. Place sensors on an isolated network segment with gateway-level monitoring and strict access controls
C. Connect sensors directly to the corporate LAN for centralized management
D. Disable all network communication for the sensors

Answer & reasoning

Correct: B

IoT devices with limited OS capabilities cannot run traditional security agents. The compensating strategy is network isolation (dedicated VLAN or segment), gateway-level traffic monitoring (to detect anomalies), and strict access controls (limiting what can communicate with sensors). Connecting to the corporate LAN exposes the entire network, and disabling communication defeats the purpose of IoT deployment.

Question 10

A company's backup strategy uses daily incremental backups and weekly full backups. A ransomware attack encrypts all production data on Wednesday. The security team discovers the attack on Thursday morning.

What is the MOST recent clean restore point?

A. Tuesday's incremental backup combined with the last full backup
B. Wednesday's incremental backup
C. The previous week's full backup only
D. Thursday morning's incremental backup

Answer & reasoning

Correct: A

Ransomware encrypted data on Wednesday, so Wednesday's incremental backup likely contains encrypted (compromised) data. Tuesday's incremental is the last clean incremental. Restoration requires the last full backup plus all clean incrementals through Tuesday. The previous week's full backup alone would lose additional days of data. Thursday's backup would contain encrypted data.

Question 11

A PaaS provider hosts an organization's application. The organization wants to implement custom firewall rules at the operating system level.

Why is this request problematic?

A. PaaS applications do not use network connections
B. Firewall rules are unnecessary in cloud environments
C. In PaaS, the provider manages the OS and infrastructure; customers control the application layer only
D. PaaS does not support any security controls

Answer & reasoning

Correct: C

The PaaS shared responsibility model places OS management with the provider. Customers deploy and manage applications but cannot configure OS-level controls like iptables or Windows Firewall. Instead, customers should use the provider's platform-level security features (security groups, application gateways, platform firewall rules).

Question 12

A virtual machine escape vulnerability is discovered in a hypervisor. An attacker on one guest VM could potentially access the host system and other guest VMs.

What is the MOST critical immediate action?

A. Migrate all VMs to a different hypervisor platform immediately
B. Apply the hypervisor vendor's security patch and review VM isolation controls
C. Shut down all guest VMs until the vulnerability is patched
D. Add network encryption between guest VMs

Answer & reasoning

Correct: B

VM escape vulnerabilities target the hypervisor layer. The immediate action is applying the vendor patch to close the vulnerability and reviewing isolation controls to ensure proper segmentation. Migrating platforms is a major undertaking that does not address urgency, shutting down all VMs impacts business operations disproportionately, and network encryption does not prevent hypervisor-level attacks.

Question 13

An organization implements data masking for its development environment. Developers report that masked production data still contains recognizable patterns in the customer name field.

What is the PRIMARY concern?

A. Data masking is unnecessary in development environments
B. Developers need access to real data for accurate testing
C. Masked data always contains recognizable patterns by design
D. Ineffective masking may expose sensitive data and violate data protection requirements

Answer & reasoning

Correct: D

Data masking must render data irreversibly unrecognizable to protect privacy and meet compliance requirements. Recognizable patterns indicate the masking algorithm is insufficient. Development environments are a common vector for data exposure because they typically have weaker access controls than production. Effective masking preserves data format for testing without exposing real values.

Question 14

A hybrid cloud architecture uses a private cloud for sensitive financial data and a public cloud for the customer-facing website. An architect proposes connecting both environments via a site-to-site VPN.

What additional architectural control is MOST important?

A. Strict firewall rules and access controls at the interconnection point to limit traffic flow between environments
B. Encryption of the VPN tunnel (already inherent in VPN)
C. Moving all data to the public cloud for simplified management
D. Using the same authentication system for both environments without additional controls

Answer & reasoning

Correct: A

Connecting private and public cloud environments creates a potential path for attackers to reach sensitive data from the public-facing environment. Strict firewall rules and access controls at the interconnection point limit what traffic can traverse between environments. VPN encryption is inherent (not an additional control), consolidating to public cloud increases risk, and shared authentication without additional controls weakens the security boundary.

Question 15

An application architect selects a serverless (FaaS) platform to reduce infrastructure management overhead. The security team raises concerns about the security implications.

What is a UNIQUE security consideration for serverless architectures?

A. Serverless functions are immune to injection attacks
B. Serverless eliminates all shared responsibility concerns
C. Serverless functions do not need input validation
D. Each function invocation creates an ephemeral environment, making persistent threats unlikely but requiring secure function code and IAM permissions per function

Answer & reasoning

Correct: D

Serverless functions run in ephemeral containers that spin up and terminate per invocation, reducing persistent compromise risk. However, the code itself must be secure (injection-resistant), and each function needs precisely scoped IAM permissions. Serverless does not eliminate shared responsibility or input validation requirements. Functions are still vulnerable to injection, broken authentication, and excessive permissions.

Question 16

A disaster recovery plan specifies an RPO of 4 hours and an RTO of 2 hours for a critical database. The current backup strategy performs daily backups at midnight.

Does the current strategy meet the stated objectives?

A. Yes, daily backups exceed the RPO requirement
B. No, daily backups could result in up to 24 hours of data loss, violating the 4-hour RPO
C. Yes, because RTO depends on backup frequency
D. No, but only the RTO is violated, not the RPO

Answer & reasoning

Correct: B

RPO (Recovery Point Objective) defines maximum acceptable data loss. With daily midnight backups, a failure at 11 PM would result in nearly 24 hours of data loss, far exceeding the 4-hour RPO. To meet a 4-hour RPO, backups (or replication) must occur at least every 4 hours. RTO (recovery time) depends on restoration speed, not backup frequency.
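The two backup scenarios above (Question 10's restore chain and Question 16's RPO check) worked through in code. This is an added example, not part of the original review; the backup catalog and timestamps are constructed, and the compromise time is treated as the start of the day on which the ransomware ran because the exact hour is unknown.

```python
"""Added example (not part of the original review): choose the most
recent clean restore point from a backup catalog (Question 10) and check
a backup interval against an RPO (Question 16). The catalog and
timestamps are constructed; timestamps are ISO 8601 strings."""
from datetime import datetime
from typing import List, Tuple

# Constructed catalog: weekly full on Sunday, daily incrementals at 02:00.
BACKUPS: List[Tuple[str, str]] = [
    ("2024-03-03T02:00", "full"),         # Sunday
    ("2024-03-04T02:00", "incremental"),  # Monday
    ("2024-03-05T02:00", "incremental"),  # Tuesday
    ("2024-03-06T02:00", "incremental"),  # Wednesday
    ("2024-03-07T02:00", "incremental"),  # Thursday
]


def clean_restore_chain(backups, compromised_at: str):
    """Return, in order, the backups needed to restore the latest clean state.

    Any backup taken at or after the compromise time may already hold
    encrypted files, so only earlier backups are trusted. An incremental
    is useless without its base, so the chain is the last clean full
    backup plus every clean incremental taken after it.
    """
    cutoff = datetime.fromisoformat(compromised_at)
    clean = [b for b in sorted(backups)
             if datetime.fromisoformat(b[0]) < cutoff]
    full_idx = [i for i, (_, kind) in enumerate(clean) if kind == "full"]
    if not full_idx:
        return []  # no trusted full backup exists: nothing to restore from
    return clean[full_idx[-1]:]


def worst_case_data_loss_hours(backup_interval_hours: float) -> float:
    """Data written just before the next scheduled backup is lost entirely,
    so the worst case equals the whole interval between backups."""
    return backup_interval_hours


def rpo_met(backup_interval_hours: float, rpo_hours: float) -> bool:
    """The interval between backups (or replication) must not exceed the RPO."""
    return worst_case_data_loss_hours(backup_interval_hours) <= rpo_hours


if __name__ == "__main__":
    # Ransomware ran some time on Wednesday; the exact hour is unknown, so
    # the whole day is treated as suspect and the cutoff is Wednesday 00:00.
    for stamp, kind in clean_restore_chain(BACKUPS, "2024-03-06T00:00"):
        print(f"restore {kind:11s} {stamp}")
    print("daily backups meet 4h RPO:", rpo_met(24, 4))
```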

Question 17

An IaC pipeline uses version-controlled templates to provision infrastructure. A junior engineer modifies a template and deploys it, accidentally opening port 22 (SSH) to the internet on a production server.

What process control would have prevented this?

A. Encrypting all IaC templates at rest
B. Restricting IaC usage to only senior engineers
C. Performing manual server configuration instead of using IaC
D. Mandatory code review and automated security scanning of IaC templates before deployment

Answer & reasoning

Correct: D

IaC pipelines should include mandatory code review (peer review of template changes) and automated security scanning (tools that check for insecure configurations like open SSH ports). This catches misconfigurations before deployment. Restricting to senior engineers does not scale, manual configuration is more error-prone than IaC, and encryption does not prevent misconfigurations.
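A pre-deployment check of the kind the reasoning above calls for, as an added example (not the review's own code or any particular tool). The template is constructed in Terraform's JSON configuration syntax for an aws_security_group; the list of risky ports is an assumption chosen for illustration.

```python
"""Added example (not part of the original review): a pre-deployment check
for the misconfiguration in Question 17, an ingress rule that exposes
port 22 to the whole internet. The template below is constructed in
Terraform's JSON configuration syntax for an aws_security_group; a real
pipeline would run a check like this before the apply step."""
import ipaddress
import json

TEMPLATE = json.dumps({"resource": {"aws_security_group": {
    "web": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["10.0.0.0/8"]},
    ]},
    "bastion": {"ingress": [
        {"from_port": 0, "to_port": 1024, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]},
    ]},
}}})

# Assumed list of ports that should never be reachable from any-address sources.
RISKY_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def is_world_open(cidr: str) -> bool:
    """True for a prefix that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_ports(template_json: str):
    """Return (resource_name, port, service) for each ingress rule whose
    port range covers a risky port and whose source is the whole internet.
    Protocol "-1" means all protocols in AWS and is treated as all ports."""
    doc = json.loads(template_json)
    groups = doc.get("resource", {}).get("aws_security_group", {})
    findings = []
    for name, body in groups.items():
        for rule in body.get("ingress", []):
            sources = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
            if not any(is_world_open(c) for c in sources):
                continue
            lo, hi = int(rule["from_port"]), int(rule["to_port"])
            if rule.get("protocol") == "-1":
                lo, hi = 0, 65535
            for port, service in sorted(RISKY_PORTS.items()):
                if lo <= port <= hi:
                    findings.append((name, port, service))
    return findings


if __name__ == "__main__":
    issues = find_exposed_ports(TEMPLATE)
    for name, port, service in issues:
        print(f"BLOCK: {name} exposes {service}/{port} to the internet")
    raise SystemExit(1 if issues else 0)  # non-zero exit fails the pipeline
```

The "web" group passes because its SSH rule is limited to an internal range, while the "bastion" group is flagged because its 0-1024 range covers port 22 from any source.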

Question 18

A load balancer distributes traffic across three web servers. One server fails, and the load balancer automatically redirects traffic to the remaining two servers.

What availability concept does this demonstrate?

A. High availability through redundancy and automatic failover
B. Cold site failover
C. Disaster recovery
D. Data replication

Answer & reasoning

Correct: A

Load balancers with health checks provide high availability by detecting server failures and automatically redistributing traffic to healthy servers. This is redundancy (multiple servers) with automatic failover (no manual intervention). This is not DR (which involves site-level recovery), cold site failover (which requires manual activation), or data replication (which addresses data, not compute).

Question 19

A cloud architect designs a multi-region deployment for a critical application. Data must be encrypted at rest in all regions, and encryption keys must remain under the organization's control.

What key management approach satisfies this requirement?

A. Use the cloud provider's default managed encryption with provider-controlled keys
B. Store encryption keys in a text file on a separate server in each region
C. Implement customer-managed keys (CMK) or bring-your-own-key (BYOK) with a hardware security module
D. Disable encryption to simplify multi-region replication

Answer & reasoning

Correct: C

Customer-managed keys (CMK) or bring-your-own-key (BYOK) allow the organization to maintain control over encryption keys while leveraging cloud provider encryption services. HSMs provide tamper-resistant key storage. Provider-managed keys do not give the organization control, plaintext key files are insecure, and disabling encryption violates the stated requirement.

Question 20

An organization runs a legacy SCADA system that cannot be patched or upgraded due to vendor constraints. The system controls critical manufacturing processes.

What architectural approach BEST protects this system?

A. Connect it to the internet for remote vendor support
B. Replace the SCADA system with a cloud-based alternative immediately
C. Accept the risk since the system is too critical to change
D. Implement network isolation, application allowlisting, and continuous monitoring as compensating controls

Answer & reasoning

Correct: D

When systems cannot be patched, compensating controls are required. Network isolation prevents external access, application allowlisting prevents unauthorized executables, and continuous monitoring detects anomalous behavior. Internet exposure increases risk, immediate replacement of critical infrastructure requires careful planning, and risk acceptance without compensating controls is irresponsible for critical systems.


Domain 3 Pattern Summary

In Security+ Domain 3:

  • Cloud shared responsibility shifts with the service model: IaaS = customer manages the OS and everything above it; PaaS = customer manages the application and above; SaaS = customer manages data and access.
  • Segmentation is the default answer for connecting dissimilar trust zones (IT/OT, public/private cloud, IoT/corporate).
  • Containers are immutable; fix the image, not the running container.
  • RPO drives backup frequency; RTO drives recovery infrastructure. If backup frequency does not match RPO, the strategy fails.
  • Defense in depth means multiple independent layers; bypassing one layer should encounter the next.
  • IaC requires the same security review as application code: peer review, scanning, and version control.
  • Legacy and IoT systems that cannot be patched require compensating controls: isolation, allowlisting, and monitoring.

If an answer ignores the shared responsibility boundary for the stated cloud model, it is usually wrong.
