SY0-701 Security Architecture Study Guide for the CompTIA Security+
General Information
This is study material for the CompTIA Security+ SY0-701 exam, which replaced the SY0-601 exam (retired July 31, 2024). Be very sure that you are studying for the right test, because the exam code is SY0 with a zero, not the letter O.
The Security Architecture domain makes up about 18% of the CompTIA Security+ exam, nearly one-fifth of the questions. Only about one in four of those questions begins with a scenario; for the rest you mainly need to be fluent in the concepts presented in this study guide.
Architecture Models
Architecture models define how a network is composed at each layer of the Open Systems Interconnection (OSI) model and the security implications that are associated with the different models. For the CompTIA Security+ exam, you must be able to compare and contrast architecture models and their related security implications.
Architecture and Infrastructure Concepts
The architecture of a network refers to how networking devices are connected to one another to provide communications within the network. The infrastructure of a network refers to the physical and logical devices that are used to support the network architecture.
Cloud
Cloud computing is the delivery of computing resources over a network, usually the internet, from a pool of resources shared between many customers. Resources can be provisioned and released rapidly with minimal management effort or provider interaction. There are several cloud service models from which a customer can choose, and each model has benefits and limitations.
Responsibility Matrix
A cloud service provider offers cloud services through one or more cloud service models. The provider and the customer share responsibilities, including security, in proportions that depend on the model. This division is known as the responsibility matrix (or shared responsibility model). As a rule of thumb, in IaaS the provider secures the physical facilities, hardware and hypervisor while the customer is responsible for the guest operating system and everything above it; in PaaS the provider also covers the platform and runtime; in SaaS the provider secures nearly the whole stack, leaving the customer responsible for its data, user identities, access permissions and application configuration. The customer is never relieved of responsibility for its own data and access control.
Hybrid Considerations
An architecture that uses both on-premises resources and cloud resources is a hybrid architecture. With a hybrid architecture, responsibility for the security of the network is split between the cloud provider and the organization, so both parties own portions of it, and the organization must also secure the connection between the two environments, since it is often the weakest point.
Third-Party Vendors
A third-party vendor is an external provider of resources, such as a cloud provider or a managed security provider. When using third-party vendors, the vendor's own security posture must be assessed and monitored, because a compromise of the vendor, or of the access the vendor has been granted, can be used to compromise the organization's network.
Infrastructure as Code (IaC)
IaC refers to provisioning and managing infrastructure, such as virtual machines, networks, storage and access policies, from machine-readable definition files rather than by manual configuration. Instead of configuring each object by hand, the same script or template is applied every time, which makes deployments repeatable and consistent. Because the definitions are code, they can be version-controlled, reviewed and scanned for insecure settings before anything is deployed; conversely, a mistake in the template is reproduced in every deployment built from it.
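One practical consequence of defining infrastructure in code is that security checks can be run against the definition before it is deployed. The following added example (not from the study guide) scans a constructed, simplified security-group definition written in the spirit of Terraform's JSON syntax for administrative ports exposed to the whole internet, then rewrites those rules to a management network and re-runs the check. The resource and field names are assumptions for illustration, not a particular tool's schema.

```python
"""Policy-as-code check over an Infrastructure-as-Code definition.

Added example, not from the study guide. SAMPLE_IAC is a constructed,
simplified security-group definition; its field names are assumptions
chosen to resemble Terraform's JSON syntax, not an exact schema.
"""
import ipaddress
import json

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (HTTP/HTTPS)

SAMPLE_IAC = json.dumps({
    "resource": {
        "aws_security_group": {
            "web": {
                "ingress": [
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},            # fine: public HTTPS
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},            # SSH open to the world
                ]
            },
            "bastion": {
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["203.0.113.0/24"]},       # SSH from office only
                ]
            },
            "db": {
                "ingress": [
                    {"from_port": 0, "to_port": 65535, "protocol": "-1",
                     "cidr_blocks": ["10.0.0.0/8", "::/0"]},   # all ports, IPv6 world-open
                ]
            },
        }
    }
})


def _is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _admin_ports_in_rule(rule):
    """Admin ports that fall inside the rule's port range (all ports if protocol -1)."""
    lo, hi = int(rule["from_port"]), int(rule["to_port"])
    all_ports = rule.get("protocol") == "-1" or (lo == 0 and hi == 65535)
    return [p for p in sorted(ADMIN_PORTS) if all_ports or lo <= p <= hi]


def find_exposed_admin_ports(iac_json):
    """Return (group_name, port, cidr) for every admin port exposed to the internet."""
    doc = json.loads(iac_json)
    findings = []
    groups = doc.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        for rule in body.get("ingress", []):
            ports = _admin_ports_in_rule(rule)
            for cidr in rule.get("cidr_blocks", []):
                if _is_world_open(cidr):
                    findings.extend((name, p, cidr) for p in ports)
    return findings


def restrict_admin_ingress(iac_json, mgmt_cidr):
    """Return a corrected definition: world-open sources on admin-port rules are
    replaced by mgmt_cidr. Rules that expose no admin port are left untouched."""
    doc = json.loads(iac_json)
    groups = doc.get("resource", {}).get("aws_security_group", {})
    for body in groups.values():
        for rule in body.get("ingress", []):
            if not _admin_ports_in_rule(rule):
                continue
            rule["cidr_blocks"] = [mgmt_cidr if _is_world_open(c) else c
                                   for c in rule.get("cidr_blocks", [])]
    return json.dumps(doc)


if __name__ == "__main__":
    for finding in find_exposed_admin_ports(SAMPLE_IAC):
        print("EXPOSED:", finding)
    fixed = restrict_admin_ingress(SAMPLE_IAC, "203.0.113.0/24")
    print("after fix:", find_exposed_admin_ports(fixed))
```

The check runs entirely against the definition file, so it fits in a code-review or pipeline step that blocks the deployment before any insecure rule exists on a live network. A real deployment would use a maintained scanner rather than this hand-written check, but the principle is the same: the template is the place to catch the mistake.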
Serverless
Serverless architecture, of which Function as a Service (FaaS) is the most common form, allows a company to build and run application code in the cloud without managing any servers. The provider owns the hardware, operating system and runtime, so the customer no longer has to secure and maintain the underlying hosts on which the application runs, which reduces overhead and development time. The customer remains responsible for the function code itself, its dependencies, the permissions granted to the function and the secrets it uses.
Microservices
Microservices break an application into small, independently deployable services that each perform one function and communicate with one another over the network, usually through APIs. Because the services are autonomous, they can be developed and integrated quickly, and a single service can be changed or redeployed without affecting the others. The trade-off is that the application now has many internal network connections and APIs, each of which must be authenticated, authorized and monitored.
Network Infrastructure
Network infrastructure refers to how network components, both physical and logical, communicate with one another. Security of the network infrastructure is dependent on both physical and logical considerations.
Physical Isolation
Physical isolation is the physical separation between network components and the rest of the network. For example, a server containing highly sensitive data could be kept in a separate room and not connected to the primary network.
An air gap is a physical security measure that places a physical space between a network or network segment and other networks or segments, with no wired or wireless link across it. In an air-gapped system, data can only be moved between the inside and outside networks by physically transporting it across the gap, typically on removable media. That media path is therefore the main way malware enters or data leaves an air-gapped network, and it needs its own controls, such as scanning and restricted use of removable drives.
Logical Segmentation
Logical segmentation is the separation of a network into separate portions using software rather than separate physical equipment, for example with VLANs, separate subnets with firewall rules between them, or virtual networks in a cloud environment. Logical segmentation allows portions of a network to be isolated from others, similar to physical isolation, without requiring separate networking devices and wiring. It is only as strong as the devices that enforce it: a misconfigured switch or firewall rule can silently join segments that were meant to be isolated, so the rules should default to deny and be audited.
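A segmentation policy is essentially a short allow-list of which zones may talk to which on which ports, with everything else denied. The following added example (not from the study guide) encodes such a policy and audits constructed flow records against it to find traffic that crosses segment boundaries without permission. The zone names, address ranges and flow records are constructed for illustration.

```python
"""Segmentation policy audit over constructed flow records.

Added example, not from the study guide. ZONES, ALLOWED and SAMPLE_FLOWS are
constructed for illustration; real flow records would come from a firewall,
switch or cloud flow log.
"""
import ipaddress

# Segments, most specific first; "internet" is the catch-all for unknown addresses.
ZONES = {
    "users":      ipaddress.ip_network("10.10.0.0/16"),
    "guest":      ipaddress.ip_network("10.20.0.0/16"),
    "web":        ipaddress.ip_network("10.30.0.0/24"),
    "database":   ipaddress.ip_network("10.40.0.0/24"),
    "management": ipaddress.ip_network("10.250.0.0/24"),
    "internet":   ipaddress.ip_network("0.0.0.0/0"),
}

# Explicit allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied: default deny between segments.
ALLOWED = {
    ("internet", "web", 443),
    ("users", "web", 443),
    ("guest", "web", 443),
    ("web", "database", 5432),
    ("management", "web", 22),
    ("management", "database", 22),
}


def zone_of(ip):
    """Name of the first zone containing ip (dict order puts the catch-all last)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None  # unreachable with a 0.0.0.0/0 catch-all, kept for safety


def is_permitted(src, dst, port):
    """True if the flow stays inside one segment or matches an ALLOWED entry."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False
    if s == d and s != "internet":
        return True  # intra-segment traffic is not policed by segmentation
    return (s, d, port) in ALLOWED


# Constructed flow records: "source destination dst_port", one per line.
SAMPLE_FLOWS = """\
10.10.4.7 10.30.0.10 443
10.20.1.9 10.40.0.5 5432
10.30.0.10 10.40.0.5 5432
10.10.4.7 10.40.0.5 22
10.250.0.3 10.40.0.5 22
192.0.2.44 10.30.0.10 443
198.51.100.2 10.40.0.5 5432
"""


def audit(flow_text):
    """Return (src, dst, port, src_zone, dst_zone) for every flow the policy denies."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        port = int(port)
        if not is_permitted(src, dst, port):
            violations.append((src, dst, port, zone_of(src), zone_of(dst)))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION: {} ({}) -> {} ({}) port {}".format(v[0], v[3], v[1], v[4], v[2]))
```

The three flows the audit flags are a guest device reaching the database directly, a user workstation opening SSH to the database, and an internet address reaching the database port; on a correctly segmented network none of these should be possible, so a hit in the flow log means a segmentation control has failed or been bypassed. The same allow-list is what a firewall, a switch ACL or an SDN controller would enforce in line.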
Software-Defined Networking (SDN)
SDN separates the control plane, which decides how traffic is forwarded, from the data plane, which actually forwards it. A central software controller holds the forwarding policy and pushes rules down to the switches and routers, which can be physical or virtual. SDN can be deployed on-premises or in the cloud, and because the controller has a view of the whole network it can apply and change policy everywhere at once, which makes segmentation and isolation quick to reconfigure. With traditional hardware, each router or switch makes forwarding decisions locally and sees only the devices directly connected to it. The controller is a high-value target for the same reason: whoever controls it controls the whole network.
On-Premises
When using on-premises technology, a company has greater control over the architecture and over the security controls used. For example, it can choose its own authentication and authorization controls and knows exactly where its data sits. By contrast, off-premises (cloud) technology can offer a better return on investment (ROI), because the company does not need to purchase hardware and run a data center. On the downside, the company has less visibility into and control over where its data is physically stored and who administers the underlying infrastructure, which matters for data sovereignty and regulatory requirements.
Centralized vs. Decentralized
A centralized network infrastructure has a single primary site or control point, while a decentralized network spreads the infrastructure over multiple locations. Centralized architectures are common with on-premises networks and make it possible to manage and respond to networking issues quickly from one place, but that single point is also a single point of failure and a single target. Decentralized architectures are common in cloud and hybrid environments and remove that single point of failure, at the cost of more places that must be configured and monitored consistently.
Containerization
A container provides application-level (operating-system-level) virtualization, in which an application and its dependencies are packaged and run in isolation from the rest of the host system, creating portability. Containerization systems, such as Docker, provide a standardized interface for the application, which can then be run on various hardware platforms and operating systems. Unlike a virtual machine, a container shares the host's kernel, so a kernel vulnerability or a misconfigured, over-privileged container can allow an attacker to escape the container and reach the host or other containers.
Virtualization
Virtualization is the use of a hypervisor to run many guest virtual machines on top of one set of server hardware. This allows fuller utilization of the underlying hardware and can be used to create additional operating systems, servers, storage, or even network capacity without buying more equipment. Virtualization can be full, in which the guest runs unmodified as if it were on its own physical machine, or paravirtualization, in which the guest is modified to communicate directly with the hypervisor. Because the hypervisor sits beneath every guest, a flaw in it (a VM escape) can expose all of the guests on that host, so the hypervisor must be patched and hardened like any other critical system.
Internet of Things (IoT)
IoT devices are increasingly prevalent and include a wide variety of interconnected network devices. They range from simple devices, such as sensors that only relay data to a network, to more complex devices with onboard processing, such as wearable health monitors that adapt to changing conditions. IoT devices usually rely on specialized embedded hardware and software, are rarely patched, are often installed with weak default configurations and credentials, and commonly lack encryption, which makes them attractive targets for threat actors and a common foothold into the rest of the network.
Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA)
In industrial and manufacturing settings, ICS and SCADA are the most referenced systems, and the terms are sometimes used interchangeably. ICS is the blanket term for any system that automates and controls an industrial process. SCADA refers to a type of ICS used to supervise and control geographically dispersed processes, most commonly power and water distribution. Both provide an architecture that can control devices, collect data, communicate, monitor, and interface with highly complex systems and networks. Because these systems control physical processes, a compromise can cause physical harm, and they often run long-lived, rarely patched components that were not designed to be connected to corporate networks.
Real-Time Operating System (RTOS)
An RTOS is an operating system that guarantees it will process an input and produce a response within a fixed deadline, which is often measured in milliseconds or microseconds, and is commonly used in embedded systems. Time-critical tasks are prioritized above everything else so that the deadline is met predictably every time. RTOSs are used in highly precise, time-sensitive machines, such as pacemakers and industrial manufacturing equipment. Because meeting the deadline comes first, an RTOS typically has little room for security features that could introduce delay, and it may not be patchable without re-certifying the device.
Embedded Systems
An embedded system is a computer built into a larger device to perform a specific, highly specialized function, usually running its own dedicated software or a stripped-down operating system. For example, industrial machinery may run machine-specific software that tells the machine exactly what to do. Embedded systems are also very common in IoT devices, such as a robotic vacuum or a smart thermostat. Embedded systems raise cybersecurity concerns because they often cannot be patched, ship with default credentials, and have limited ability to run security software, so they may be easier to attack and harder to defend than general-purpose systems.
High Availability (HA)
High availability refers to the ability of a network or system to remain operational regardless of circumstances, including spikes in traffic volume or disruptions such as hardware failure. An HA design should handle increased volume efficiently and recover quickly from a disruption, which in practice means eliminating single points of failure through redundancy, load balancing and failover.
Considerations
When a network’s architecture and infrastructure are developed, numerous factors are considered depending on the requirements of the network and its intended use. Each factor is considered and weighed to determine its importance based on the requirements of the network.
Availability
The availability of a network is the ability of the network to be operational when needed. Network availability requirements may impact the design of a network. For example, an enterprise that provides real-time traffic data to users would require a network with a higher availability.
Resilience
Resilience is the ability of a network to detect and respond to disruptions, such as system failure or environmental changes, and remain acceptably available and operational. For example, a network that demands high resilience may employ the use of a hot site to ensure quick recovery.
Cost
Cost considerations include all costs related to a network, including physical, logical, and human costs. For example, the up-front cost of building and supporting an on-premises network, including hardware, facilities and staff, is usually higher than using a cloud or hybrid network, although cloud costs are recurring and can grow with usage.
Responsiveness
The responsiveness of a network refers to how quickly a network is able to respond and function. For example, a network that is used to process credit card sales generally requires higher responsiveness.
Scalability
The scalability of a network refers to how quickly a network can increase or decrease resources as needed. A network that uses cloud resources would be able to increase resources more quickly than an on-premises network.
Ease of Deployment
Ease of deployment in a network refers to how a system or component can be integrated into a network and the work involved, including associated financial costs, network disruptions, and recurring costs.
Ease of Recovery
Ease of recovery refers to how quickly availability can be restored after failure. Ease of recovery includes factors such as resilience, cost, and ease of deployment.
Risk Transference
Risk transference is the process of shifting loss responsibility to another entity. For example, employing the use of an insurance company or an outside cybersecurity management company would be risk transference.
Patch Availability
Patch availability refers to whether and how quickly a vendor supplies patches, how often they need to be installed, how difficult the required patch is to obtain and apply, and what effect installing it may have on availability (for example, a reboot of a production system).
Inability to Patch
The inability to patch is another potential concern, especially with network-connected IoT devices. An inability to patch may be due to the lack of computing power to support a patch, the lack of the existence of patches, or the inability to connect the device to a network to install the patch.
Power
Embedded systems typically require much less power to operate than traditional systems. While this is an asset, it also creates security concerns. For example, because the device has a limited power budget (and often runs on a battery), it may not be able to run strong cryptographic algorithms to protect data, or it may not be able to accommodate security software such as firewalls or anti-malware.
Compute
Embedded systems do not have the processing power of a full workstation. This can leave the system vulnerable, as it may lack the headroom to support strong encryption, secure boot, logging, or more sophisticated security software, so the compensating controls usually have to come from the surrounding network, such as segmentation and monitoring.