Chapter 11 of 27
Secure Enterprise and Hybrid Architectures: On-Prem, Cloud, and OT
See how modern enterprises stitch together on-premises, cloud, IoT, and OT systems, and what it takes to design architectures that remain secure under constant change.
Big Picture: What Is a Secure Hybrid Enterprise Architecture?
Modern Enterprise Reality
Most organizations run mixed environments: data centers, multiple clouds, mobile users, IoT, and OT. Security+ expects you to reason about this whole picture, not just single servers.
Definition: Hybrid Environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, IoT, OT, and on-premises resources that must be monitored and secured.
Architecture Mindset
As an architect, you identify components, map data flows, and apply consistent principles like least privilege, segmentation, zero trust, and monitoring across all parts.
Why This Matters for SY0-701
Exam questions often describe messy real-world setups and ask which control, pattern, or boundary is best. Being able to visualize simple diagrams from text is key.
Core Pieces: On-Prem, Cloud, IoT, and OT in One Picture
On-Premises Basics
On-prem includes servers, VMs, storage, and network gear you fully control. Security relies on firewalls, IDS/IPS, NAC, AD, and endpoint tools at your own sites.
Cloud Layers
Cloud spans IaaS (VMs, networks), PaaS (managed databases, functions), and SaaS (email, CRM). Security is shared: the provider secures the cloud itself, and you secure what you deploy and configure in it.
IoT in the Mix
IoT covers sensors, cameras, badges, and more. They are often cheap, weakly secured, and talk to cloud or on-prem gateways, becoming common attack entry points.
OT in the Mix
OT includes ICS/SCADA and building or industrial controls. Once isolated, they are now more connected to IT and cloud, exposing safety-critical systems to cyber risk.
OT vs IT: Different Priorities, Different Risks
IT vs OT Priorities
IT focuses on confidentiality, then integrity, then availability. OT flips this: safety and availability first, then integrity, and confidentiality often last.
Why OT Is Hard to Change
OT devices are legacy, proprietary, and safety-critical. You may not be able to patch or reboot them often, so traditional IT security approaches do not always fit.
OT Constraints
Constraints include long hardware lifecycles, vendor lock-in, limited maintenance windows, and strict real-time demands that limit added latency.
Security Strategy in OT
Because devices are fragile, OT security leans on segmentation, strict access control, and monitoring, using compensating controls instead of constant patching.
Shared Responsibility Model and Zero Trust in Hybrid Environments
Shared Responsibility Basics
Cloud security is shared: providers secure the physical and core infrastructure; customers secure the OS, apps, identities, and data. Misconfigurations are usually the customer's responsibility.
IaaS vs SaaS Responsibilities
In IaaS you manage more (OS, network configs). In SaaS, providers run the app, but you still control accounts, auth, and how data is used and shared.
Zero Trust Definition
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Zero Trust in Hybrid
Zero trust breaks the big "trusted" internal network into many small trust zones, with strong identity, MFA, and least-privilege access between them.
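The continuous-verification idea above can be made concrete as a per-request policy decision. The following is an added example, not code from the course: it assumes constructed roles, device-posture attributes and resource tags (a real deployment would pull these from the IdP, MDM/EDR and an asset inventory), and it denies on any of three failures: the role is not authorized for the resource, the device fails the posture bar for the target zone, or the last MFA challenge is older than that zone allows. Network location never enters the decision.

```python
"""Per-request zero trust access decision (added example, not from the course).

Roles, posture attributes, zone names and MFA age limits are constructed for
illustration; the shape of the decision (identity + device + freshness, per
request) is what the zero trust definition calls for.
"""
from dataclasses import dataclass
import time


@dataclass
class Device:
    managed: bool            # enrolled in MDM
    disk_encrypted: bool
    edr_healthy: bool        # endpoint agent reporting and not in an alert state
    os_patch_age_days: int


@dataclass
class Session:
    user: str
    roles: set
    mfa_verified_at: float   # epoch seconds of the last successful MFA challenge
    device: Device


@dataclass
class Resource:
    name: str
    zone: str                # e.g. "corp_servers", "cloud_private", "ot"
    allowed_roles: set
    mfa_max_age: int = 12 * 3600   # seconds; sensitive zones tighten this


def device_posture_ok(device, zone):
    """Baseline posture for everything; a stricter patch bar for the OT zone (constructed rule)."""
    base = device.managed and device.disk_encrypted and device.edr_healthy
    if zone == "ot":
        return base and device.os_patch_age_days <= 30
    return base


def decide(session, resource, now=None):
    """Return (allowed, reason). Evaluated on every request; no implicit trust from the network."""
    now = time.time() if now is None else now
    if not session.roles & resource.allowed_roles:
        return False, f"role not authorized for {resource.name}"
    if not device_posture_ok(session.device, resource.zone):
        return False, f"device posture fails the bar for zone {resource.zone}"
    if now - session.mfa_verified_at > resource.mfa_max_age:
        return False, "MFA verification is stale; re-challenge before granting access"
    return True, "allowed: role, device posture and fresh MFA all satisfied"


if __name__ == "__main__":
    # Constructed sample: an OT engineer on a managed laptop, MFA ten minutes ago.
    now = time.time()
    laptop = Device(managed=True, disk_encrypted=True, edr_healthy=True, os_patch_age_days=7)
    engineer = Session("alice", {"ot_engineer"}, now - 600, laptop)
    hmi = Resource("plc-hmi", "ot", {"ot_engineer"}, mfa_max_age=3600)
    print(decide(engineer, hmi, now))
    print(decide(Session("bob", {"sales"}, now - 600, laptop), hmi, now))
```

Tightening `mfa_max_age` per zone is what turns a one-time login into continuous verification: the same session that is fine for a SaaS app gets re-challenged before it reaches the OT zone.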
Segmentation, Trust Zones, and Layered Defenses
What Is Segmentation?
Segmentation divides networks into smaller parts separated by routers, firewalls, or SDN policies, limiting lateral movement of attackers and malware.
Trust Zones
Trust zones group assets with similar risk and policy, such as internet, DMZ, internal, management, OT, and distinct cloud subnets or security groups.
Defense in Depth
Layered defenses use multiple controls: network firewalls, host hardening, strong identity, data protection, and continuous monitoring working together.
Exam Pattern
If a low-trust zone can directly reach a sensitive system, the best fix is usually adding segmentation and a trust boundary, not just host-level tools.
Reference Architecture Walkthrough: Corporate + Cloud + OT
Corporate and DMZ
Corporate HQ has user VLANs, a server VLAN with AD and ERP, and a DMZ with VPN and reverse proxy. Internet traffic should terminate in the DMZ, not inside.
Cloud Layout
In cloud, web servers sit in a public subnet, while app and database tiers stay in private subnets, reachable only via tightly scoped security groups.
OT and IoT Zones
Plant OT networks host PLCs and SCADA, separated from IT, with a controlled jump server. IoT sensors send data to a gateway that uses outbound-only connections.
Pattern Recognition
Many exam scenarios mirror this pattern. Look for violations like direct internet RDP to OT or exposing databases to public networks as red flags.
Thought Exercise: Find the Weak Spots
Imagine this scenario (no picture needed, just visualize):
- A company runs an on-prem AD domain and file server.
- They use a cloud-based CRM (SaaS) and host a customer portal on IaaS.
- Remote employees connect via VPN into the internal network.
- The company has a small OT environment controlling building HVAC and access control, connected to the same internal network.
- Guest Wi-Fi is bridged into the internal network "for convenience".
Your tasks (mentally or in notes):
- List at least three security issues or missing controls in this architecture.
- For each issue, name one architecture-level fix (think segmentation, trust zones, zero trust, not just "install antivirus").
- Decide which issue is highest priority and explain why, using IT vs OT priorities.
Pause and think it through before reading the sample reasoning.
Sample reasoning (check yourself):
- Issue 1: Guest Wi-Fi bridged to internal network.
- Fix: Place guest Wi-Fi in its own VLAN with a firewall between guest and internal; allow only internet access.
- Issue 2: OT (HVAC, access control) on the same flat internal network.
- Fix: Create a dedicated OT zone with strict firewall rules and a management jump host.
- Issue 3: VPN gives remote users broad internal access.
- Fix: Apply zero trust principles: role-based access, per-app VPN or split-tunnel with strong endpoint posture checks.
Highest priority: separating OT from the internal/guest environment because compromise of access control or HVAC can impact safety and physical security, not just data.
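The reasoning in the thought exercise, the reference architecture walkthrough and the exam pattern under Segmentation can be captured as a small design-time checker. The following is an added example, not code from the course: the zone names, trust levels, rule set and the two link lists are constructed to mirror the text. Each link records which zone can reach which, and what mediates that path (firewall filtering, identity-based authorization, MFA via a jump host, or nothing at all). The checker flags the patterns the chapter calls red flags and ranks anything touching OT first, matching the IT-versus-OT priority argument.

```python
"""Design-time trust-boundary checker (added example, not from the course).

Zones, trust levels and links are constructed to match the chapter's
reference architecture and thought exercise.
"""
from collections import defaultdict, deque

# Trust level per zone; higher means more sensitive. Constructed values.
TRUST = {
    "internet": 0, "guest_wifi": 0,
    "dmz": 1, "cloud_public": 1,
    "corp_users": 2, "vpn_users": 2,
    "corp_servers": 3, "cloud_private": 3,
    "management": 4, "ot": 4,
}
REMOTE = {"vpn_users"}  # zones populated by users arriving over VPN

# A link is (src_zone, dst_zone, controls). `controls` describes what mediates
# the path: "filtered" (firewall or security-group rules), "identity" (per-user
# or per-app authorization), "mfa" (jump host or IdP-enforced MFA). An empty
# set is a flat path: plain routing or a bridged VLAN with nothing in between.


def find_violations(links):
    """Return (rule, src, dst, message) for every architecture rule the design breaks."""
    issues = []
    flat = defaultdict(list)  # adjacency restricted to unfiltered links
    for src, dst, ctrl in links:
        if "filtered" not in ctrl:
            flat[src].append(dst)
        if src == "internet" and TRUST[dst] > 1:
            issues.append(("R1", src, dst, "internet traffic must terminate in the DMZ or a public subnet"))
        if "filtered" not in ctrl and TRUST[dst] >= 3:
            issues.append(("R2", src, dst, "unfiltered path into a sensitive zone"))
        if TRUST[src] == 0 and "filtered" not in ctrl:
            issues.append(("R3", src, dst, "untrusted zone bridged inward with no firewall"))
        if dst == "ot" and (src != "management" or "mfa" not in ctrl):
            issues.append(("R4", src, dst, "OT reachable other than via a jump host in the management zone"))
        if src in REMOTE and TRUST[dst] >= 3 and "identity" not in ctrl:
            issues.append(("R5", src, dst, "remote users get broad network access; use per-app, identity-based access"))
    # R6: from each untrusted zone, walk only flat links and see how far they reach.
    for start in [z for z, t in TRUST.items() if t == 0]:
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in flat[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
                    if TRUST[nxt] >= 3:
                        issues.append(("R6", start, nxt, "flat path from an untrusted zone reaches a sensitive zone"))
    return issues


def prioritize(issues):
    """Safety first: anything touching OT outranks data-only exposure, then sort by target sensitivity."""
    return sorted(issues, key=lambda i: (0 if "ot" in (i[1], i[2]) else 1, -TRUST[i[2]]))


# The thought-exercise company as described in the text (constructed links).
SCENARIO = [
    ("internet", "dmz", {"filtered"}),                 # VPN concentrator lives in the DMZ
    ("dmz", "vpn_users", {"filtered"}),
    ("vpn_users", "corp_servers", {"filtered"}),       # VPN lands on the whole internal network
    ("corp_users", "corp_servers", {"filtered"}),
    ("guest_wifi", "corp_users", set()),               # guest Wi-Fi bridged "for convenience"
    ("corp_users", "ot", set()),                       # HVAC / access control on the flat LAN
    ("corp_servers", "cloud_private", {"filtered"}),   # on-prem to the portal's DB tier
    ("internet", "cloud_public", {"filtered"}),        # customer portal web tier
]

# The same company after the sample fixes: guest VLAN, OT zone with jump host, per-app VPN access.
REFERENCE = [
    ("internet", "dmz", {"filtered"}),
    ("internet", "cloud_public", {"filtered"}),
    ("guest_wifi", "internet", {"filtered"}),
    ("dmz", "vpn_users", {"filtered", "identity", "mfa"}),
    ("vpn_users", "corp_servers", {"filtered", "identity", "mfa"}),
    ("corp_users", "corp_servers", {"filtered"}),
    ("corp_users", "management", {"filtered", "mfa"}),
    ("management", "ot", {"filtered", "mfa"}),
    ("cloud_public", "cloud_private", {"filtered"}),
    ("corp_servers", "cloud_private", {"filtered"}),
]

if __name__ == "__main__":
    for name, design in (("scenario", SCENARIO), ("reference", REFERENCE)):
        found = prioritize(find_violations(design))
        print(f"== {name}: {len(found)} issue(s)")
        for rule, src, dst, msg in found:
            print(f"  {rule} {src} -> {dst}: {msg}")
```

Run as-is, the scenario reports the three problems from the sample reasoning (the flat OT path shows up under more than one rule) and the reference design reports none. The R6 walk is the part worth keeping in mind for exam scenarios: a bridge that looks harmless (guest to user VLAN) becomes a path into OT when the next hop is also flat.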
Quiz 1: Hybrid and OT Basics
Answer this question to check your understanding of hybrid environments and OT priorities.
Which statement best describes a hybrid environment and a key security implication for OT systems?
- A) A hybrid environment is any network with both wired and wireless devices; OT systems in these networks mainly prioritize data confidentiality over all else.
- B) A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured; OT systems often prioritize availability and safety over confidentiality.
- C) A hybrid environment only refers to combining private and public clouds; OT systems in such environments can be patched and rebooted just like typical IT servers.
- D) A hybrid environment is a temporary setup during cloud migration; once fully migrated, OT systems no longer require segmentation.
Answer: B) A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured; OT systems often prioritize availability and safety over confidentiality.
Option B uses the canonical definition: a hybrid environment is an enterprise environment that includes a mix of cloud, mobile, IoT, OT, and on-premises resources that must be monitored and secured. It also correctly notes that OT typically prioritizes availability and safety over confidentiality. The other options either redefine hybrid incorrectly or misunderstand OT constraints.
Quiz 2: Segmentation and Zero Trust
Test your understanding of segmentation, trust zones, and zero trust.
A security architect discovers that engineers can RDP directly from their corporate laptops to OT controllers over the flat internal network. Which change BEST aligns with zero trust and secure architecture principles?
- A) Install antivirus software on all OT controllers to detect malware from engineers' laptops.
- B) Move the OT controllers into a separate network zone and require engineers to use a hardened jump server with MFA to access that zone.
- C) Disable RDP on engineers' laptops while leaving the network flat so they must use SSH instead.
- D) Configure the corporate firewall to block all outbound traffic from the internet, but leave internal routing unchanged.
Answer: B) Move the OT controllers into a separate network zone and require engineers to use a hardened jump server with MFA to access that zone.
Option B applies segmentation (separate OT zone), creates a clear trust boundary, and uses a hardened jump server with MFA, which fits zero trust and layered defense principles. Option A adds a host control but does not address network exposure. Option C changes the protocol but keeps flat access. Option D affects internet egress, not the risky internal path.
Key Term Flashcards: Hybrid, OT, and Architecture
Use these flashcards to reinforce core definitions and concepts you will see on SY0-701.
- CompTIA Security+
- CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
- SY0-701
- SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
- Hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- Zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- Operational Technology (OT)
- Hardware and software that monitors or controls physical devices and processes (for example, ICS, SCADA, PLCs, building management systems), where safety and availability are often the top priorities.
- Segmentation
- The practice of dividing a network into smaller parts (VLANs, subnets, zones) separated by controls such as routers, firewalls, or SDN policies to limit lateral movement and enforce different security policies.
- Trust zone
- A logical or physical grouping of systems with similar risk levels and security requirements, such as DMZ, internal corporate network, management network, or OT zone.
- Defense in depth
- An approach that uses multiple, independent security controls at different layers (network, host, identity, data, monitoring) so that if one fails, others still provide protection.
- Shared responsibility model
- A cloud security concept where the provider is responsible for securing the underlying infrastructure and services, while the customer is responsible for securing their data, identities, configurations, and usage of those services.
- Governance, risk, and compliance
- Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
From Diagrams to Decisions: Applying Architecture Principles
From Signals to Structure
Indicators like strange lateral movement or odd egress often point to deeper architecture issues: weak trust boundaries or missing segmentation between zones.
Ask the Right Questions
When analyzing a scenario, ask: where is the trust boundary? Which zone is too broad? Is there a shared responsibility gap causing a misconfiguration?
Architecture-Level Fixes
Common fixes include tighter segmentation, stronger zero trust access, better monitoring at choke points, and aligning architecture with governance and risk.
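Going from signals back to structure means mapping each observed flow onto the zone pair it crosses, then asking whether the architecture ever intended that boundary to be open. The following is an added example, not code from the course: the zone address plan, the allowed-flow matrix and the seven flow records are all constructed. It classifies each endpoint into a zone by CIDR, counts traffic per zone pair, and reports the pairs the design does not allow, each with a hint that names the architecture-level fix rather than a host-level one.

```python
"""Map observed flows back to trust-zone boundaries (added example, not from the course).

The zone CIDRs, the allowed-pair policy and the sample flow records below are
constructed for illustration; in practice they come from the IPAM/address
plan, the firewall policy and the flow-log or NetFlow collector.
"""
import ipaddress
from collections import Counter

# Zone address plan (constructed). First match wins; unmatched addresses are "internet".
ZONES = [
    ("guest_wifi",   ipaddress.ip_network("10.99.0.0/16")),
    ("corp_users",   ipaddress.ip_network("10.10.0.0/16")),
    ("corp_servers", ipaddress.ip_network("10.20.0.0/16")),
    ("management",   ipaddress.ip_network("10.250.0.0/24")),
    ("ot",           ipaddress.ip_network("10.200.0.0/16")),
]

# Zone pairs the architecture intends to allow (constructed policy). Anything
# else crossing a boundary is a signal about that boundary, not just that host.
ALLOWED = {
    ("guest_wifi", "internet"),
    ("corp_users", "corp_servers"),
    ("corp_users", "internet"),
    ("corp_users", "management"),
    ("corp_servers", "internet"),
    ("management", "ot"),
}


def zone_of(ip):
    """Classify an address into its zone; anything outside the plan is treated as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "internet"


def hint_for(pair):
    """Architecture-level remediation hint for an unplanned zone pair (constructed wording)."""
    src, dst = pair
    if dst == "ot":
        return f"OT reachable from {src}: put OT in its own zone reachable only via the management jump host"
    if src == "ot" and dst == "internet":
        return "OT egress to the internet: OT should have no direct internet path; mediate updates through a controlled gateway"
    if src == "guest_wifi":
        return "guest traffic crossing into internal zones: firewall the guest VLAN to internet-only"
    return "unplanned cross-zone path: add a filtering rule set at this boundary"


def analyze(flows):
    """Return (findings, boundary_counts) for flows given as (src_ip, dst_ip, dst_port)."""
    counts = Counter()
    first_sample = {}
    for src_ip, dst_ip, dst_port in flows:
        pair = (zone_of(src_ip), zone_of(dst_ip))
        if pair[0] == pair[1]:
            continue  # intra-zone traffic is not a boundary question
        counts[pair] += 1
        if pair not in ALLOWED:
            first_sample.setdefault(pair, (src_ip, dst_ip, dst_port))
    findings = [
        {"boundary": pair, "count": counts[pair], "sample": first_sample[pair], "hint": hint_for(pair)}
        for pair in sorted(first_sample)
    ]
    return findings, dict(counts)


# Constructed flow records (src_ip, dst_ip, dst_port) for the thought-exercise company.
SAMPLE_FLOWS = [
    ("10.10.4.21",  "10.20.1.5",    445),   # user laptop -> file server: expected
    ("10.99.7.18",  "10.20.1.5",    445),   # guest Wi-Fi -> file server: bridged guest network
    ("10.99.7.18",  "10.20.1.5",    3389),
    ("10.10.4.21",  "10.200.0.30",  502),   # user laptop -> PLC on the flat LAN
    ("10.250.0.5",  "10.200.0.30",  502),   # jump host -> PLC: expected
    ("10.200.0.30", "203.0.113.9",  443),   # PLC -> internet: odd egress
    ("10.10.4.21",  "198.51.100.7", 443),   # user laptop -> internet: expected
]

if __name__ == "__main__":
    findings, counts = analyze(SAMPLE_FLOWS)
    for f in findings:
        print(f"{f['boundary'][0]} -> {f['boundary'][1]} ({f['count']} flow(s), e.g. {f['sample']}): {f['hint']}")
```

The per-pair counts are the useful output even for allowed pairs: a boundary that carries traffic the policy permits but nobody monitors is exactly where the chapter says to place a choke point.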
Preparing for SY0-701
Skarp mock exams and spaced reviews will describe hybrid setups and ask for the best control. Practice mentally drawing simple zone-and-arrow diagrams from text.
Key Terms
- SY0-701
- SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
- trust zone
- A logical or physical grouping of systems with similar risk levels and security requirements, such as DMZ, internal corporate network, management network, or OT zone.
- zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- segmentation
- The practice of dividing a network into smaller parts (VLANs, subnets, zones) separated by controls such as routers, firewalls, or SDN policies to limit lateral movement and enforce different security policies.
- defense in depth
- An approach that uses multiple, independent security controls at different layers (network, host, identity, data, monitoring) so that if one fails, others still provide protection.
- CompTIA Security+
- CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
- hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- Operational Technology (OT)
- Hardware and software that monitors or controls physical devices and processes (for example, ICS, SCADA, PLCs, building management systems), where safety and availability are often the top priorities.
- shared responsibility model
- A cloud security concept where the provider is responsible for securing the underlying infrastructure and services, while the customer is responsible for securing their data, identities, configurations, and usage of those services.
- governance, risk, and compliance
- Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.