Domain 3: Security Architecture Review — 30 of 61

Domain 3 – Section A Review: Architecture Models

Security+ Domain 3 — Security Architecture Section A — Architecture Models Review 10 Questions

This section integrates:

  • Cloud and Hybrid Architecture Models
  • Virtualization and Container Security
  • IoT and Industrial Control Systems (ICS)
  • Infrastructure as Code (IaC)

Security+ expects you to understand how different architecture models introduce unique security considerations and how to secure each environment appropriately.


1. Cloud and Hybrid Deployment Models

Cloud architecture shifts where security responsibility lives:

Service models (what the customer secures):

  • IaaS — you secure everything above the hypervisor.
  • PaaS — you secure the application and data.
  • SaaS — you secure access and data classification.

Deployment models (who owns and runs the infrastructure):

  • Public cloud — shared infrastructure, provider-managed, multi-tenant.
  • Private cloud — dedicated infrastructure, organization-managed.
  • Hybrid cloud — combines public and private, requiring consistent policy enforcement.
  • Community cloud — shared by organizations with common requirements.

The shared responsibility model defines the boundary. Know what the provider manages versus what the customer owns at each service level.


2. Virtualization and Container Security

Virtualization and containers introduce isolation boundaries that must be defended:

  • Hypervisor security — Type 1 (bare metal) vs. Type 2 (hosted). Type 1 has a smaller attack surface.
  • VM sprawl — unmanaged virtual machines creating shadow IT and unpatched systems.
  • Container isolation — containers share the host OS kernel, making escape more impactful than VM escape.
  • Image security — base images must be scanned and verified before deployment.

Containers are faster to deploy but share more with the host.
VMs provide stronger isolation but consume more resources.

3. IoT and ICS Security Challenges

IoT and industrial control systems present unique security constraints:

  • Limited compute resources — many devices cannot run traditional security agents.
  • Long lifecycles — devices may operate for decades without updates.
  • Safety-critical operations — ICS/SCADA systems control physical processes where downtime causes real-world harm.
  • Default credentials — many IoT devices ship with known passwords.

Network segmentation and monitoring are the primary defenses when devices cannot be patched or hardened directly.


4. Infrastructure as Code

IaC treats infrastructure configuration as software:

  • Version control — infrastructure changes are tracked like code.
  • Consistency — eliminates configuration drift across environments.
  • Security scanning — templates can be scanned for misconfigurations before deployment.
  • Immutable infrastructure — replace rather than patch, reducing persistent vulnerabilities.

If infrastructure is code, then security review of infrastructure is code review.

Section A Decision Pattern

When unsure in Domain 3 Section A:

  1. Identify the architecture model and its security boundaries.
  2. Apply the shared responsibility model for cloud questions.
  3. Consider isolation strength: VM > container for security isolation.
  4. For IoT/ICS, default to network segmentation when device-level controls are not feasible.
  5. Treat IaC as code — apply code review, version control, and scanning.

Section A – Practice Questions


Question 1

A company uses IaaS to host its web application. After a data breach, the cloud provider states that securing the operating system is the customer's responsibility. Is the provider correct?

A. Yes — in IaaS the customer manages the OS, applications, and data
B. No — the provider is responsible for all security in IaaS
C. No — the provider manages the OS in all cloud models
D. Yes — but only if the customer has a premium support contract

Answer & reasoning

Correct: A

In IaaS, the cloud provider manages the physical infrastructure and hypervisor. The customer is responsible for the operating system, middleware, applications, and data. OS patching and configuration are the customer's responsibility.


Question 2

A development team deploys containers using a base image downloaded from a public repository without verification. What is the PRIMARY risk?

A. Container sprawl
B. Malicious code embedded in the base image
C. Resource exhaustion on the host
D. Network latency between containers

Answer & reasoning

Correct: B

Unverified base images from public repositories may contain malware, backdoors, or vulnerable libraries. Container image security requires scanning and verifying images before deployment, ideally using a trusted internal registry.


Question 3

A manufacturing facility's SCADA system runs on Windows XP because the vendor does not support newer operating systems. What is the MOST effective security control?

A. Install antivirus software on the SCADA system
B. Upgrade to Windows 11
C. Isolate the SCADA network with strict network segmentation
D. Apply compensating encryption controls

Answer & reasoning

Correct: C

When a system cannot be patched or upgraded (common in ICS environments), network segmentation is the most effective control. Isolating the SCADA network limits the attack surface and prevents lateral movement from the corporate network.


Question 4

An organization uses Terraform templates to deploy cloud infrastructure. A security engineer proposes scanning templates before deployment. What security benefit does this provide?

A. Faster deployment times
B. Automatic patching of deployed resources
C. Elimination of the need for network monitoring
D. Detection of misconfigurations before they reach production

Answer & reasoning

Correct: D

Scanning IaC templates before deployment catches security misconfigurations (open security groups, public S3 buckets, missing encryption) before they are deployed to production. This is a shift-left security practice that prevents issues rather than detecting them after the fact.
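The pre-deployment template scan described in Section 4 and in this answer, as an added example that is not part of the original review. It assumes resources are supplied as a list of dicts shaped like Terraform plan entries (type, name, values) using AWS provider attribute names; the sample resources are constructed for illustration.

```python
import ipaddress

# Constructed sample: resources shaped like Terraform plan entries.
SAMPLE_RESOURCES = [
    {"type": "aws_security_group", "name": "web", "values": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_s3_bucket", "name": "logs", "values": {"acl": "public-read"}},
    {"type": "aws_ebs_volume", "name": "data", "values": {"encrypted": False, "size": 100}},
    {"type": "aws_ebs_volume", "name": "ok", "values": {"encrypted": True, "size": 20}},
]

WEB_PORTS = {80, 443}  # the only ports allowed to face the whole internet

def world_open(rule):
    """True if an ingress rule admits any source (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in rule.get("cidr_blocks", []))

def check_security_group(addr, values):
    """Flag world-open ingress on anything other than the web ports."""
    findings = []
    for rule in values.get("ingress", []):
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        if world_open(rule) and not set(range(lo, hi + 1)) <= WEB_PORTS:
            findings.append((addr, "OPEN_SG", f"ingress {lo}-{hi} open to the world"))
    return findings

def check_s3_bucket(addr, values):
    """Flag public ACLs and buckets with no server-side encryption block."""
    findings = []
    if values.get("acl", "private") in ("public-read", "public-read-write"):
        findings.append((addr, "PUBLIC_BUCKET", f"acl={values['acl']}"))
    if not values.get("server_side_encryption_configuration"):
        findings.append((addr, "NO_ENCRYPTION", "no server-side encryption configured"))
    return findings

def check_ebs_volume(addr, values):
    """Flag volumes that are not encrypted at rest."""
    return [] if values.get("encrypted", False) else [(addr, "NO_ENCRYPTION", "volume not encrypted")]

CHECKS = {"aws_security_group": check_security_group,
          "aws_s3_bucket": check_s3_bucket, "aws_ebs_volume": check_ebs_volume}

def scan(resources):
    """Run every applicable check; returns a list of (address, rule_id, detail)."""
    findings = []
    for r in resources:
        if r["type"] in CHECKS:
            findings.extend(CHECKS[r["type"]](f"{r['type']}.{r['name']}", r.get("values", {})))
    return findings

def gate(resources):
    """Pipeline gate: True only when the plan carries no findings."""
    return not scan(resources)

if __name__ == "__main__":
    for addr, rule_id, detail in scan(SAMPLE_RESOURCES):
        print(f"[{rule_id}] {addr}: {detail}")
    raise SystemExit(0 if gate(SAMPLE_RESOURCES) else 1)
```

Wired into CI after `terraform plan`, a non-zero exit stops the apply step, which is the shift-left effect the answer describes.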


Question 5

A hospital connects medical IoT devices to the same network as administrative workstations. A ransomware infection on a workstation spreads to infusion pumps. What architectural failure enabled this?

A. Lack of encryption on medical devices
B. Weak password policy on workstations
C. Failure to segment IoT devices from the corporate network
D. Missing antivirus on IoT devices

Answer & reasoning

Correct: C

Medical IoT devices should be on a segmented network isolated from general corporate traffic. The lack of segmentation allowed ransomware to spread from workstations to critical medical devices. IoT devices often cannot run antivirus, making network-level controls essential.


Question 6

A company runs a Type 2 hypervisor on employee laptops for development testing. What is the PRIMARY security concern compared to a Type 1 hypervisor?

A. Type 2 hypervisors do not support snapshots
B. Type 2 hypervisors run on top of a host OS, increasing the attack surface
C. Type 2 hypervisors cannot use virtual networking
D. Type 2 hypervisors require more memory

Answer & reasoning

Correct: B

Type 2 hypervisors run on top of a host operating system, which means any vulnerability in the host OS can compromise the hypervisor and all guest VMs. Type 1 hypervisors run directly on hardware with a smaller attack surface.


Question 7

An organization migrates sensitive workloads to a hybrid cloud. Corporate policy requires certain data to remain on-premises. What is the PRIMARY architectural challenge?

A. Ensuring consistent security policies across both environments
B. Reducing cloud storage costs
C. Training users on cloud interfaces
D. Selecting a single cloud provider

Answer & reasoning

Correct: A

Hybrid cloud introduces the challenge of maintaining consistent security policies, access controls, and monitoring across on-premises and cloud environments. Data residency requirements add complexity because security must be enforced uniformly regardless of where workloads run.


Question 8

A container escapes its isolation and gains access to the host operating system kernel. Why is this potentially more severe than a VM escape?

A. Containers use more memory than VMs
B. VMs do not have network access
C. Container images are always unencrypted
D. Containers share the host OS kernel, giving broader access upon escape

Answer & reasoning

Correct: D

Containers share the host OS kernel, so a container escape provides direct access to the kernel and potentially all other containers on the same host. VMs have their own OS and the hypervisor provides a stronger isolation boundary.


Question 9

An IT team discovers 47 virtual machines that were created for a project two years ago but never decommissioned. None have been patched since creation. What is this problem called?

A. Shadow IT
B. Resource exhaustion
C. VM sprawl
D. Configuration drift

Answer & reasoning

Correct: C

VM sprawl occurs when virtual machines proliferate without proper lifecycle management. Abandoned, unpatched VMs create security vulnerabilities and waste resources. Proper VM lifecycle management includes creation, maintenance, and decommissioning procedures.


Question 10

An organization adopts an immutable infrastructure approach. When a security patch is needed, instead of patching running servers, they deploy new servers from updated images and destroy the old ones. What is the PRIMARY security benefit?

A. Elimination of configuration drift and persistent threats
B. Reduced licensing costs
C. Faster boot times
D. Simplified user authentication

Answer & reasoning

Correct: A

Immutable infrastructure eliminates configuration drift because servers are never modified in place. It also eliminates persistent threats because any malware or unauthorized changes are destroyed when the old instance is terminated. Each deployment starts from a known-good state.
