Domain 3

3.1 Architecture Models

Compare and contrast security implications of different architecture models.

0% Complete

1

3.1.1 Cloud Architecture

Responsibility matrix, hybrid, third-party.

Cloud architecture defines how computing components and services are structured across various environments to meet specific organizational, security, and performance requirements.

Shared Responsibility Matrix The Shared Responsibility Model identifies which security tasks are handled by the Cloud Service Provider (CSP) and which remain the customer's duty. The division of labor shifts depending on the service model: - Infrastructure as a Service (IaaS): The CSP secures the physical hardware, networking, and virtualization layer. The customer is responsible for the OS, apps, and data. - Platform as a Service (PaaS): Responsibility shifts more toward the CSP; the customer primarily handles application code and data. - Software as a Service (SaaS): The CSP manages everything except for the customer's data and user access permissions. - Critical Caveat: Data security, identity management, and endpoint protection almost always remain the customer’s responsibility, regardless of the model.

Hybrid Cloud and Connectivity Hybrid architecture combines private infrastructure (on-premises or private cloud) with public cloud resources. - Cloud Bursting: Using public cloud capacity during spikes in demand while keeping baseline operations on private servers. - System Integration: Linking third-party vendors to internal networks (e.g., AD forest trusts) requires strict access controls to prevent unauthorized lateral movement. - Hybrid Cryptography: A common security approach where an asymmetric public key encrypts a symmetric session key. This combines the speed of symmetric encryption with the secure key distribution of asymmetric methods.

Third-Party Risk Management Engaging with vendors, B2B partners, or contractors introduces significant supply chain risk. - Data Privacy Agreements: Contracts must specify how PII, PHI, and financial data are handled, transmitted, and stored. Do not rely solely on regulatory governance; use custom agreements to meet specific organizational standards. - Interoperability Risks: Integrating third-party apps (e.g., Facebook API examples) can lead to data leaks if the third party has weaker security controls than the host. - Vendor Assessment: Regular audits and clear Service Level Agreements (SLAs) ensure the third party maintains anti-malware, patching, and password policies consistent with your internal requirements.

Quick Recall - Shared Responsibility: Always remember—you (the customer) own the data, no matter who hosts it. - Session Key: The symmetric key used in hybrid cryptography for fast, secure data transmission. - Third-Party Breach: Examples like Home Depot or Facebook highlight that a breach often occurs via a partner with lower security standards. - Trust Relationships: Must be carefully configured during system integration to follow the principle of least privilege.

2

3.1.2 IaC, Serverless & Microservices

3

3.1.3 Network Infrastructure

Air-gapped, segmentation, SDN.

4

3.1.4 Containerization & Virtualization

5

3.1.5 IoT, ICS/SCADA & Embedded Systems

6

3.1.6 Architecture Considerations

Availability, resilience, cost, scalability.