Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.5. Reflection Checkpoint

Key Takeaways

Before proceeding to Phase 5, ensure you can:

  • Explain the shared responsibility model across IaaS, PaaS, and SaaS
  • Design a segmented network with DMZ, internal zones, and proper firewall placement
  • Identify security challenges for IoT, ICS/SCADA, and embedded systems
  • Distinguish firewall types (packet filtering, stateful, NGFW, WAF) and their appropriate use
  • Classify data types and apply appropriate protection for each data state
  • Calculate which backup strategy meets given RTO and RPO requirements
  • Select the appropriate site type (hot/warm/cold) for a given recovery scenario

Connecting Forward

Phase 5 is the largest domain (28%) and covers the day-to-day operational activities that keep these architectures secure: hardening systems, managing assets, identifying and remediating vulnerabilities, monitoring for threats, controlling identity and access, automating security processes, and responding to incidents. Architecture tells you what to build; operations tells you how to run it securely.

Self-Check Questions

  1. Your organization uses IaaS VMs in Azure. A vulnerability is discovered in the guest operating system. Who is responsible for patching it — your team or the cloud provider? What would change if you were using PaaS instead?

  2. A company has an RTO of 4 hours and an RPO of 15 minutes for their e-commerce platform. Which site type is appropriate? What backup strategy meets the RPO?

  3. A hospital network has medical devices that can't run antivirus and can't be patched. The devices need to communicate with a central monitoring system. How do you secure these devices using architectural controls?

Written by Alvin Varughese
Founder, 15 professional certifications