Domain 3 of 5 · Chapter 1 of 5

Architecture Models

The responsibility boundary is the whole game

One question decides almost every item in this objective: after you pick this model, which security controls must you still implement, and which did you inherit? On-prem, IaaS, SaaS are just names for different answers to it. SY0-701 Objective 3.1 asks you to "compare and contrast security implications of different architecture models"[1]. The verb is compare, not configure.

On-premises: you own everything

In a traditional on-premises data center your organization owns and must secure the entire stack: the building and its physical access controls, the power and HVAC, the network hardware, the hypervisor, every guest operating system, the applications, and the data. Nothing is inherited. This gives maximum control and visibility (you can run any agent, capture any log, and inspect any packet) at the cost of maximum burden: every CVE is your patch to apply and every locked door is your expense. On-premises is the right answer when a scenario stresses data sovereignty, regulatory custody, full forensic visibility, or air-gapped isolation that a public cloud cannot offer.

Cloud: the shared-responsibility matrix

Moving to cloud does not delete those responsibilities. It splits them along a documented shared-responsibility model. A useful framing is "security of the cloud" (the provider's job: the physical facilities, the host hardware, and the virtualization layer) versus "security in the cloud" (the customer's job: data, identity and access management, and configuration). AWS states the customer is always responsible for "customer data" and for "identity and access management," while AWS operates and controls "the components from the host operating system and virtualization layer down to the physical security of the facilities" (AWS Shared Responsibility Model[2]). Microsoft frames the same split: in all cloud models the customer always retains responsibility for data, devices, accounts, and identities (Microsoft shared responsibility in the cloud[3]). Two facts survive every model: the provider always secures the physical layer, and you always own your data and your access management.

Where the line sits depends on the service model

The cloud service models (defined in NIST SP 800-145, The NIST Definition of Cloud Computing[4]) decide how far up the stack the provider's responsibility reaches. The layered stack below is the canonical shared-responsibility matrix that both AWS and Microsoft publish: read each column as one model and watch the boundary line climb the stack as the provider takes on more.

Service model Provider secures Customer secures
IaaS (infrastructure) Facility, host, hypervisor, network fabric Guest OS and patching, runtime, app, data, IAM, config
PaaS (platform) Everything up to and including the runtime/OS Application code, data, and access management
SaaS (software) Nearly the entire stack Data, identities/accounts, and sharing/config settings

The rule of thumb: the more the provider manages, the smaller your patchable surface, and the smaller your visibility into it. With SaaS you cannot install an endpoint agent on the provider's servers; your dominant control becomes identity and configuration hygiene. Hybrid clouds and third-party vendors add a third dimension: each interconnection between estates is a trust boundary you must secure, and outsourcing operations never outsources accountability. The data owner remains legally and contractually responsible for the data even when a vendor processes it.

Stack layer On-premises IaaS PaaS SaaS Data Customer Customer Customer Customer Identity & access mgmt Customer Customer Customer Customer Application Customer Customer Customer Provider Runtime Customer Customer Provider Provider Guest OS Customer Customer Provider Provider Virtualization layer Customer Provider Provider Provider Host Customer Provider Provider Provider Physical facility Customer Provider Provider Provider Customer secures Provider secures The provider always secures the Physical facility; the customer always owns Data and Identity & access management. The boundary climbs the stack as the provider manages more.
The shared-responsibility line across On-premises, IaaS, PaaS, and SaaS: the customer's share shrinks up the stack, but Data and identity always stay with the customer.

Model-by-model implications: virtualization to IaC

Beyond on-prem-vs-cloud, Objective 3.1 enumerates specific runtime and topology models, each with a signature trade-off. The runtime models form an isolation spectrum, from virtualization down to serverless, where stronger isolation trades off against a smaller, less visible host surface; the figure above lays out each model's isolation boundary and its signature attack surface.

Virtualization vs. containerization

Virtualization runs multiple guest VMs on one physical host via a hypervisor; each guest carries its own full OS, giving strong isolation. The new attack surface is the hypervisor itself: a VM escape (breaking out of a guest into the host or a sibling VM) can compromise every co-resident workload, and VM sprawl plus dormant/snapshotted VMs create unpatched, unmonitored assets.

Containerization isolates at the OS level: containers share the host kernel and package only the app plus its dependencies. They are far lighter and start in milliseconds, but because the kernel is shared, isolation is weaker than a VM. A kernel exploit or container escape has a larger blast radius, and pulling untrusted or unscanned images introduces supply-chain risk. The exam contrast: choose virtualization when you need stronger isolation between tenants; choose containers when you need density, portability, and fast scaling and can manage image and kernel hygiene.

Serverless

Serverless (function-as-a-service) removes the server from your view entirely: the provider patches and scales the host and runtime, and you supply only function code plus its permissions. Your patchable surface shrinks to your code and its dependencies, but you lose host-level visibility: no agent, no host logs. The dominant risks become over-permissive execution roles (a function granted far more than it needs), insecure dependencies, and event-source injection.

Microservices

Decomposing a monolith into independently deployable microservices improves fault isolation and lets teams deploy and scale services separately, which contains blast radius. The security cost is an explosion of east-west (service-to-service) traffic: many more network connections, API endpoints, and authentication boundaries to defend. Each service-to-service call must be authenticated and authorized, pushing you toward mutual TLS and zero-trust segmentation internally.

Network infrastructure, SDN, and IaC

Network infrastructure spans the physical (cabling, switches, the data center) and the software-defined (SDN), which separates the control plane from the data plane so policy is programmed centrally. SDN enables rapid, consistent, centralized policy but makes the SDN controller a single high-value target: compromise it and you reprogram the whole network. Infrastructure as Code (IaC) defines servers, networks, and policy in version-controlled templates so environments are reproducible and auditable. The flip side: a single mistake (an over-permissive rule, a hardcoded secret in a template, or unreviewed drift) propagates to every environment the template builds, so IaC must be paired with template scanning and secrets management.

Centralized vs. decentralized

A centralized architecture (one management plane, one identity provider, one chokepoint firewall) makes consistent policy, patching, and monitoring easy but concentrates risk into a single point of failure and a prize target. A decentralized architecture spreads control out, improving resilience and limiting blast radius, but makes uniform policy enforcement and complete visibility much harder. Neither is "more secure." The exam wants you to map the choice to the scenario's stated priority (consistency and simplicity vs. resilience and autonomy).

Workload-hosting models: an isolation spectrum Virtualization Full guest OS per VM Isolation: strong guest VMs on a hypervisor Attack surface: the hypervisor (VM escape) Containerization App + dependencies only Isolation: weaker shared host kernel Attack surface: shared kernel, images (container escape) Serverless Function code + permissions Isolation: no host view provider runs host + runtime Attack surface: over-permissive role, dependencies Strong isolation, heavier Lighter, less host visibility Isolation strength decreases, abstraction increases →
Workload-hosting models as an isolation spectrum: virtualization (strong isolation, hypervisor surface) to serverless (no host view, role/dependency surface).

Constrained and isolated environments: IoT, ICS/SCADA, embedded, air-gapped, HA

This cluster of models inverts the normal IT instinct to patch fast and encrypt everything, and it is heavily tested. The figure above groups the constrained or unpatchable systems (IoT/embedded/RTOS, ICS/SCADA, and air-gapped networks) that share one controlling strategy, compensating isolation rather than hardening the device, and shows high availability as a separate model addressing the availability leg instead.

IoT and embedded systems / RTOS

Internet-of-Things devices, embedded systems, and real-time operating systems (RTOS) are resource-constrained: limited CPU, memory, and power mean weak or no on-device cryptography, no room for an endpoint agent, and frequently no update mechanism at all. They commonly ship with default or hardcoded credentials, expose insecure management protocols, and run vendor-locked firmware that may never receive a patch. An RTOS additionally guarantees deterministic timing, so a security feature that adds latency can break the device's core function. Because you usually cannot harden the device itself, the controlling strategy is compensating isolation: put these devices on dedicated, segmented network segments or VLANs, restrict their reachability, and monitor their traffic from the network rather than the host.

ICS / SCADA

Industrial control systems and SCADA run physical processes: power grids, water treatment, manufacturing lines. Two facts dominate every ICS question:

  1. The CIA priority is reversed. In operational technology, availability and safety outrank confidentiality. A controller that stops a turbine or opens a valve must run reliably above all; leaking a sensor reading matters far less than an unplanned shutdown. NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security[5] is the authoritative reference for these differences.
  2. You often cannot patch or scan normally. ICS devices run legacy or vendor-validated firmware, may have multi-decade service lives, and taking them offline for a patch can mean halting a physical process; aggressive antivirus or active scanning can disrupt real-time control loops. The accepted approach is defense-in-depth via network segmentation: separating the OT network from corporate IT, organizing the plant into zones connected by tightly controlled conduits, and patching only after vendor validation during planned maintenance windows.

Air-gapped networks

An air gap physically isolates a network so it has no connection to untrusted networks, the strongest form of segmentation, common around the most critical ICS. Its security implication is two-edged: it removes network-borne attack surface, but it does not stop an insider, a malicious or infected removable USB drive (the classic Stuxnet vector), or a supply-chain compromise. Treat air-gapping as removing reachability, not as a complete defense.

High availability (HA)

High availability is an architectural property: redundancy, clustering, load balancing, and failover so a service survives component failure. Its security relevance is the availability leg of the CIA triad: HA design defends against denial-of-service impact and hardware failure, and it is the architectural answer when a scenario demands minimal downtime or fault tolerance. The trade-off to remember is that added redundancy also adds components and configuration that themselves must be secured and kept consistent.

Constrained and isolated environments Constrained / unpatchable Controlling strategy: compensating isolation, not device hardening IoT, embedded systems, RTOS Resource-constrained; default / hardcoded credentials; often unpatchable. Isolate on a dedicated segment / VLAN. ICS / SCADA Run physical processes; availability and safety outrank confidentiality. Segment into zones; patch after validation. Air-gapped networks Strongest segmentation: removes network reach, not insiders or removable USB media. High availability A separate model Redundancy, clustering, load balancing, failover Defends the availability leg of the CIA triad
Constrained/unpatchable systems (IoT, ICS/SCADA, air-gapped) share one strategy, compensating isolation; HA is a separate, availability-focused model.

Exam-pattern recognition for Objective 3.1

SY0-701 architecture questions are scenario-driven and reward matching a signal phrase to the right model or control. Train on the patterns below.

"Who is responsible for..." questions

If a stem asks who must patch the guest OS, encrypt the data, or secure the building, immediately identify the model:

  • "...in an IaaS deployment, who patches the operating system?"the customer. The provider's responsibility in IaaS stops at the hypervisor.
  • "...who is responsible for physical security of the data center in the cloud?"the provider, in every cloud model.
  • "...who is accountable for the confidentiality of the data stored in a SaaS app?"the customer / data owner, always. The provider operates the software, but accountability for the data never transfers. Distractors that say "the provider assumes all responsibility" are wrong.

"We cannot patch / cannot take it offline" questions

When the asset is an ICS controller, SCADA system, legacy IoT, embedded device, or medical device that cannot be patched, the right answer is almost always a compensating control of isolation: network segmentation, a dedicated VLAN, or air-gapping. Wrong answers push agent-based EDR, frequent reboots for patches, or aggressive active scanning, all of which the device cannot tolerate. If the stem emphasizes uptime, safety, or a real-time process, you are in OT: prioritize availability and integrity over confidentiality.

"Isolation vs. density" questions

A stem contrasting two workload-hosting choices is testing virtualization vs. containers: need the strongest isolation between tenants → VMs/hypervisor; need lightweight density, fast scaling, portability → containers (shared kernel = weaker isolation). Serverless is the answer when the stem stresses no servers to manage and pay-per-execution, and the matching risk is an over-permissive function role.

"Reproducible / consistent / version-controlled environment" questions

Keywords like repeatable, auditable, drift, or deploy identical environments point to Infrastructure as Code, and the associated risk the exam likes is a secret hardcoded in a template or a single bad definition propagating everywhere. Centralized control plane clues (one SDN controller, one management console) signal the single-point-of-failure / high-value-target trade-off.

The air-gap trap

If a question describes an air-gapped network being compromised, the vector is never the network: look for removable media (USB), an insider, or supply chain. Choosing "add a firewall" or "the attacker came over the internet" misreads the model. The standing reminder across all of Objective 3.1: choosing a model moves and re-divides security responsibility; it never eliminates it.

Architecture models: responsibility, surface, and key security implication

ModelWho secures whatPrimary attack surfaceDefining security implication
On-premisesCustomer owns the entire stack (physical → data)Everything: full stack is yours to patchMaximum control and visibility; maximum patching burden and physical-security cost
Cloud: IaaSProvider: facility + hypervisor; customer: OS upwardGuest OS, runtime, app, data, IAM, configInherit physical/host security; you still patch the OS and own all configuration
Cloud: PaaSProvider: up to runtime; customer: app + dataApplication code, data, access managementNo OS patching; misconfiguration and identity become your main risks
Cloud: SaaSProvider: nearly all; customer: data + identity + configAccounts, data, sharing/config settingsLeast operational work, least visibility; access management is the dominant control
Hybrid / third-party vendorSplit across owners and integration pointsConnections, data flows, and trust boundaries between estatesEach interconnection and vendor is an inherited risk; weakest link governs
VirtualizationCustomer secures guests; hypervisor is sharedHypervisor (VM escape), guest isolationStrong isolation but a hypervisor compromise affects every co-resident VM
ContainerizationCustomer secures images + orchestrator; kernel sharedContainer engine, shared kernel, imagesLighter and faster than VMs but weaker isolation: kernel/escape risk is higher
ServerlessProvider runs host/runtime; customer owns function code + configFunction code, dependencies, permissions, event triggersTiny patchable surface and no host visibility; over-permissive function roles dominate risk
MicroservicesCustomer secures each service + its linksEast-west service-to-service calls and auth boundariesGood blast-radius containment; many more authentication and network boundaries to defend
IoT / embedded / RTOSCustomer must compensate for vendor-locked firmwareUnpatchable firmware, default creds, weak protocolsResource-constrained and long-lived; segment/isolate rather than agent-harden
ICS / SCADACustomer; safety + uptime constrain all changesLegacy controllers, plant network, HMIsAvailability and integrity outrank confidentiality; air-gap/segment, patch only after validation
IaC / SDN (centralized)Customer owns templates + controller policyTemplates, controller, secrets in codeReproducible and auditable, but one bad definition or leaked secret propagates everywhere

Decision tree

Physical process, or an unpatchable ICS / SCADA / IoT / embedded device? Yes No Segment / air-gap; isolate availability > confidentiality; patch only after vendor validation Need full control + visibility, or offload host operations? Full control Offload On-premises you secure the entire stack + facility How much of the stack should the provider manage? Keep the OS Just app + data All of it IaaS you patch the guest OS upward PaaS no OS; config + identity is the risk SaaS least visibility; manage access + data Always (every cloud model): the provider secures the physical layer; you always own your data + identity & access management — accountability never transfers.

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Choosing a model re-divides responsibility, never removes it

Objective 3.1 tests the security implications of an architecture model, not how to build it. Every model fixes a boundary of responsibility: moving to cloud, SaaS, or a vendor offloads operational work but never deletes a security control. It only changes who owns each one. The exam-correct read of any model is therefore which controls shifted and which stayed with you.

Trap Treating a move to cloud or SaaS as eliminating a security requirement rather than reassigning who performs it.

2 questions test this
On-premises means you own the entire stack

On-premises puts everything on you: physical facility and HVAC, hardware, hypervisor, OS, application, and data. That buys maximum control and visibility (any agent, any log, any packet) but carries the full patching burden, physical-security cost, and capital expense. It is the baseline the cloud models are compared against on 3.1.

Trap Concluding that because on-premises gives you the most control it is automatically the most secure choice, when it also hands you the full patching and physical-security burden.

Cloud is a shared-responsibility split, not a transfer

Cloud divides security into "of the cloud" (the provider owns the physical datacenter, hosts, and virtualization layer) and "in the cloud," which the customer owns. Regardless of service model the customer always retains data, identities, and access management; those never shift to the provider. So a model only moves the lower-stack work, never accountability for who can touch the data.

Trap Assuming the provider's "of the cloud" duties cover your data and identities. Those stay with the customer in every model.

1 question tests this
The service model decides where the responsibility line sits

Service model sets how much you patch: IaaS leaves the customer the guest OS and everything above it (you patch the OS); PaaS hands you only the application and data (the provider patches the OS and runtime); SaaS leaves you essentially data, identities, and configuration. The more the provider manages, the smaller your patchable surface, and the less host-level visibility you keep. "Who patches the OS?" is the classic IaaS-vs-PaaS discriminator.

Trap Saying the customer patches the operating system in PaaS or SaaS. OS patching there belongs to the provider.

1 question tests this
Cloud offloads operations but not data accountability

Outsourcing to SaaS or a third-party vendor offloads day-to-day operations, but the data owner stays legally and contractually accountable for the data: its classification, protection, and compliance follow the owner, not the host. Any answer claiming "the provider assumes responsibility for your data confidentiality or compliance" is wrong by definition.

Trap Picking the option where signing with a cloud or SaaS provider transfers regulatory accountability for the data to that provider.

1 question tests this

Hybrid clouds and third-party vendors stitch separate estates together, and every interconnection and every vendor adds a trust boundary you didn't fully build. The combined system is only as secure as its weakest link, so the security posture is governed by the least-controlled estate, not your strongest one. This is why third-party/supply-chain risk reviews matter most in hybrid designs.

Trap Rating a hybrid design's security by your most-hardened estate when its real posture is set by the least-controlled interconnection or vendor.

Virtualization gives strong isolation but makes the hypervisor the surface

Virtualization runs full-OS guest VMs on a hypervisor (the component that manages the guests and mediates their access to hardware) giving strong tenant isolation. The new attack surface is the hypervisor itself: a VM escape lets code break out of a guest to reach the hypervisor or co-resident VMs, the worst-case virtualization flaw. VM sprawl and dormant snapshots quietly become unpatched, unmonitored assets.

Trap Assuming strong VM isolation makes the host irrelevant. A hypervisor compromise or VM escape exposes every co-resident guest.

1 question tests this
Containers are lightweight because they share the host kernel

Containers package an app with its dependencies and share the host OS kernel instead of booting a guest OS, making them far lighter and faster than VMs. The tradeoff is weaker isolation: a kernel exploit or container escape has a larger blast radius across every container on that host. Untrusted or unscanned images add supply-chain risk on top.

Trap Treating a container as equivalent isolation to a VM. The shared kernel makes a host-kernel flaw a shared-fate event.

VM vs container is an isolation-versus-density trade-off

Choose virtualization when you need the strongest isolation between tenants; choose containers when you need density, portability, and fast scaling and can manage image and kernel hygiene. The kernel-sharing that makes containers efficient is exactly what makes their isolation weaker than a VM's, so the right answer follows whether the scenario stresses isolation or speed/scale.

Trap Selecting containers for a scenario that demands the strongest tenant isolation, when the shared kernel makes a VM the stronger boundary.

Serverless shrinks the patchable surface but removes host visibility

In serverless (FaaS) the provider runs, patches, and scales the host and runtime; you supply only function code and its permissions. There is no persistent server to put an agent or host logs on, so host-level visibility is gone, and the dominant risks become an over-permissive execution role and insecure code dependencies. Least-privilege on the function's role is the control that matters most.

Trap Reaching for host-based agents or OS hardening to secure a serverless function. There is no host you control; secure the role and dependencies.

2 questions test this
Microservices contain blast radius but multiply east-west boundaries

Breaking a monolith into microservices improves fault isolation and limits blast radius, but it multiplies east-west (service-to-service) calls and authentication boundaries. Every inter-service call now needs its own authentication and authorization, which pushes designs toward mutual TLS and internal zero-trust rather than trusting the internal network. More services means more identities and connections to secure, not fewer.

Trap Assuming services inside the same network can trust each other implicitly. Each east-west call still needs authentication and authorization.

SDN centralizes policy and makes the controller a high-value target

Software-defined networking decouples the control plane from the data (forwarding) plane so policy is programmed centrally and the network becomes directly programmable. That enables fast, consistent policy, but it concentrates power in the logically centralized SDN controller: compromise it and an attacker can reprogram the whole network. Harden and tightly access-control the controller and its northbound APIs.

Trap Treating the SDN controller as just another network device. It is the single point that, if owned, reprograms the entire fabric.

1 question tests this
IaC is reproducible and auditable, but mistakes propagate at scale

Infrastructure as Code defines infrastructure in version-controlled templates, making environments reproducible, reviewable, and auditable. The flip side is scale: one bad definition, a hardcoded secret in a template, or unreviewed drift replicates to every environment the code provisions. So IaC's security depends on template/secrets scanning and peer review in the pipeline, not on the template language itself.

Trap Hardcoding a credential into an IaC template. Version control then copies the secret into every environment and its history.

12 questions test this
Centralized versus decentralized trades consistency for resilience

Centralized architecture (one management plane, one IdP, one chokepoint) makes consistent policy and monitoring easy but concentrates risk into a single point of failure and a prize target. Decentralized improves resilience and limits blast radius but makes uniform policy and full visibility harder to achieve. Neither is inherently more secure. The right answer follows whether the scenario prioritizes consistency or fault-tolerance.

Trap Declaring centralized architecture inherently more secure because of its single control point, when that same chokepoint is its single point of failure and prize target.

In ICS/SCADA, availability and safety outrank confidentiality

Operational technology (ICS/SCADA running physical processes) inverts the usual CIA priority: availability and integrity/safety come first, confidentiality last. A controller that keeps the process running safely matters more than a leaked sensor reading, because downtime or tampering can cause physical harm. NIST SP 800-82 is the authoritative reference for securing these systems.

Trap Applying the standard IT CIA ranking to OT and treating confidentiality as the top priority over keeping the process safely running.

1 question tests this
Protect ICS/SCADA by segmentation, not by patching fast

ICS devices run legacy or vendor-validated firmware with lifespans that can exceed 20 years, and many cannot run anti-malware; taking them offline or actively scanning them can disrupt real-time control. Per NIST SP 800-82, the accepted defense is segmentation (isolating OT from corporate IT into zones joined by controlled conduits) plus compensating controls, patching only after vendor validation in planned maintenance windows.

Trap Prescribing an immediate patch-now or active vulnerability scan against a live ICS device. Either can disrupt the real-time process.

1 question tests this
IoT, embedded, and RTOS are resource-constrained and vendor-locked

IoT, embedded systems, and RTOS run on limited CPU, memory, and power, so they often ship with weak or no crypto, no endpoint agent, and default or hardcoded credentials on vendor-locked firmware that may never be patched. Because you can't harden the device itself, the control is to isolate it on a dedicated segment/VLAN and monitor it from the network.

Trap Planning to install an endpoint agent or push regular patches to a constrained IoT/RTOS device that has no capacity or vendor path for either.

13 questions test this
An air gap removes network reach, not insiders or USB malware

An air gap physically isolates a network (the strongest segmentation, common around critical ICS) and removes the network-borne attack surface. It does not stop an insider, infected removable media/USB (the vector Stuxnet used to cross into air-gapped centrifuge controllers), or a supply-chain compromise. Treat an air gap as removing reachability, not as complete protection.

Trap Calling an air-gapped network immune to malware. Removable media and insiders still bridge the gap, as Stuxnet demonstrated.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification
  2. AWS Shared Responsibility Model (Overview of Security and Compliance) Whitepaper
  3. Shared responsibility in the cloud (Azure security fundamentals)
  4. The NIST Definition of Cloud Computing (SP 800-145) Whitepaper
  5. Guide to Operational Technology (OT) Security (SP 800-82 Rev. 3) Whitepaper