Compare Architecture Models for Security+ (SY0-701)
Understand on-premises, cloud, virtualization, IoT, ICS, and infrastructure-as-code models through the lens Security+ uses.
Security+ treats architecture models as security context, not as vendor marketing categories. The exam wants you to understand what risks and control priorities change when the environment shifts from on-premises to cloud, from traditional servers to virtualized workloads, or from enterprise IT to IoT and ICS systems.
IoT: Internet of Things devices such as sensors, cameras, or embedded systems that often have limited patching, visibility, or physical protection.
ICS / OT: Industrial control systems and operational technology used to run physical processes where safety and uptime matter heavily.
Shared responsibility: The split between provider-managed and customer-managed layers, especially in cloud environments.
What the exam is really testing
CompTIA is usually checking whether you can:
- identify which layer the organization still owns in each model
- recognize when safety, availability, or constrained-device realities change the “obvious” security answer
- understand that a modern deployment model changes attack surface as much as it changes operations
Architecture model comparison
| Model | Security angle that matters most |
|---|---|
| On-premises | physical security, local network segmentation, direct infrastructure ownership |
| Cloud | shared responsibility, identity-first controls, exposure through misconfiguration |
| Virtualization | hypervisor trust, tenant isolation, snapshot hygiene, east-west visibility |
| IoT | constrained devices, weak update paths, embedded defaults, physical exposure |
| ICS / OT | safety, availability, legacy protocols, fragile change windows |
| IaC | repeatable secure configuration, reviewable change history, drift reduction |
Ownership and exposure lens
| Model | Main ownership or exposure question |
|---|---|
| On-premises | How well does the organization secure the full stack, facility, and local network? |
| Cloud | Which controls stay with the customer under shared responsibility? |
| Virtualization | How strong is isolation between guests and the host layer? |
| IoT | Can the device be updated, monitored, and physically protected realistically? |
| ICS / OT | Will the control preserve safety and uptime for operational processes? |
| IaC | Is the secure state reviewable, repeatable, and protected from bad template drift? |
The exam habit to build
Do not ask only “which model is safer?” Ask:
- who owns which layer?
- where is the biggest attack surface?
- what kind of change control is realistic?
- which control would break availability or safety if applied carelessly?
Those questions make ICS and IoT especially important. Security+ likes to test environments where aggressive security moves can disrupt operations.
Shared-responsibility sketch
flowchart LR
A["Deployment model"] --> B["Provider-managed layers"]
A --> C["Customer-managed layers"]
B --> D["Service availability and platform control"]
C --> E["Identity, configuration, data, and access decisions"]
What to notice:
- cloud use does not remove the customer’s duty to configure access and protect data
- the question is often not “who owns everything,” but “which layer is still your responsibility”
- Security+ commonly uses misconfiguration examples to test this judgment
IaC is a security topic
Infrastructure as code belongs here because it changes how security is applied:
- configuration becomes reviewable and version-controlled
- secure baselines can be repeated consistently
- drift is easier to detect
- mistakes can also scale faster if templates are wrong
Model chooser
| Scenario clue | Strongest architectural concern |
|---|---|
| Legacy industrial process or facility control | safety, uptime, and cautious change management |
| Small embedded device at the edge | physical exposure, patchability, and weak defaults |
| Multi-tenant virtual environment | isolation, hypervisor trust, and visibility |
| Cloud storage exposed publicly | customer-side configuration and IAM responsibility |
| Repeated environment drift across deployments | IaC and reviewable baseline enforcement |
Common traps
- applying ordinary enterprise IT assumptions to ICS or OT
- forgetting that cloud misconfiguration is often a customer-side security problem
- treating virtualization as only a performance topic
- thinking IaC removes the need for review just because it is automated
- assuming IoT devices can always be secured with the same controls as full enterprise endpoints
What strong answers usually do
- identify which layer the organization still owns before recommending a control
- adjust the answer when safety, uptime, or patchability limits what is realistic
- treat architecture choice as a change in attack surface, not just a hosting preference
- recognize when the right answer is more about segmentation, identity, or reviewable configuration than about one appliance
Harder scenario question
A manufacturer wants to deploy a new security control that would aggressively reboot systems when suspicious behavior is detected. The same environment includes industrial controllers running physical processes where unexpected interruption could create safety risk. Which answer is strongest?
A. Apply the same aggressive control everywhere because stronger response is always better B. Evaluate the OT environment separately because safety and availability constraints may require a different control strategy and change process C. Move all controllers to guest Wi-Fi D. Disable all monitoring in the plant
Best answer: B. Security+ expects you to recognize that ICS or OT environments require more careful balancing of safety, uptime, and security response.
Quiz
Continue with 3.2 Enterprise Infrastructure Security to connect architecture choice to real network and access-control design.