
Chapter 10 of 25

Secure Enterprise and Hybrid Environment Architecture

Zoom out to the big-picture design of a modern enterprise, including hybrid environments that blend cloud, on-premises, IoT, and OT, and see where key security building blocks fit.

27 min read

Big Picture: What Is a Secure Enterprise & Hybrid Architecture?

Hybrid Enterprise Reality

Most organizations now run hybrid enterprise environments that mix on‑prem data centers, cloud services, remote workers, and smart devices.

Key Definition

A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on‑premises resources that must be monitored and secured.

Four Big Questions

Secure architecture answers: 1) What do we have? 2) How is it connected? 3) Where are the trust boundaries? 4) Which controls protect each boundary?

Exam Angle

For Security+ you must read simple diagrams and relate them to Security Architecture concepts and the CIA triad: confidentiality, integrity, availability.

Core Models: Enterprise Zones, Layers, and the CIA Triad

Zones as Layers

Enterprises are often modeled as zones: external/untrusted, DMZ, internal user, and restricted/secure zones separated by firewalls and policies.

Onion Model

Think of an onion: the deeper the layer, the more sensitive the assets and the stricter the controls you expect to see.

CIA Triad Refresher

CIA triad components: confidentiality, integrity, availability. Different zones emphasize different components.

CIA Drives Design

Payment systems: confidentiality & integrity. Hospital OT: availability & integrity. Public web: availability. Match design to the dominant CIA need.

Hybrid Environments: On-Prem, Cloud, Mobile, IoT, and OT Together

Hybrid Definition Reminder

A hybrid environment mixes cloud, mobile, IoT, OT, and on‑prem resources that must all be monitored and secured.

Typical Components

On‑prem data centers, cloud services, remote/mobile users, IoT devices, and OT systems all coexist and interconnect.

Connectivity

Connections use VPNs, private links, APIs, wireless, and OT-specific networks to tie the pieces together.

Security Pitfall

Treating everything as one big “internal network” creates a flat network where a single compromise can spread everywhere.

Zero Trust and Trust Boundaries in Architecture

Zero Trust Definition

Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.

Trust Boundaries

Trust boundaries are the edges between zones: internet–DMZ, DMZ–internal, IT–OT, on‑prem–cloud, and even between internal subnets.

From Implicit to Explicit

Old model: “inside = trusted.” Zero trust: every boundary is untrusted; verify identity and device and limit access at each step.

Architecture Impact

Expect IAM, segmentation, microsegmentation, and continuous monitoring at each trust boundary for a modern secure design.

Network Segmentation, VLANs, and DMZs

What Is Segmentation?

Segmentation breaks a big network into smaller parts (VLANs, subnets) with separate security controls between them.

DMZ Purpose

A DMZ sits between the internet and the internal network, hosting public-facing services like web servers and VPN gateways.

Two Firewalls

DMZ designs typically have an external firewall (internet–DMZ) and an internal firewall (DMZ–internal network).

Flat Network Red Flag

If everything is on one VLAN with no internal filtering, that is a flat network—a common exam and real-world weakness.

Walkthrough: Simple Hybrid Architecture Diagram (In Words)

Visualizing the Layout

Imagine: internet → edge firewall → DMZ (web, WAF, VPN) → internal firewall → internal VLANs → site‑to‑site VPN → cloud VPC (public and private subnets).

Trust Boundaries

Key boundaries: internet–DMZ, DMZ–internal, internal–cloud, and inside the cloud between public and private subnets.

Zero Trust Touchpoints

MFA for remote users, IAM roles for cloud services, and strict security groups/ACLs all apply zero trust at those boundaries.

Improving the Design

Typical improvements: further isolate databases, remove public admin access, and add conditional access or microsegmentation.

On-Prem vs Cloud Trust Boundaries and Shared Responsibility

On-Prem Responsibilities

On‑prem: you control physical security, hypervisors, and most network/security devices. You patch and configure almost everything.

Cloud Shared Responsibility

Cloud: provider secures infrastructure; you secure OS, apps, data, IAM, and network controls like security groups and ACLs.

Cloud Trust Boundaries

Boundaries: internet–cloud edge, edge–VPC/VNet, VPC–on‑prem links, and tenant isolation between your account and others.

Common Exam Trap

Do not assume the provider fully secures your workloads. Misconfigured security groups or public admin ports are frequent weaknesses.

Thought Exercise: Spot the Weaknesses in a Hybrid Design

Work through this scenario mentally and jot notes if you can.

Scenario (text-only diagram):

  • All corporate devices (user PCs, servers, printers, IoT sensors) are on the same flat VLAN.
  • A single firewall connects this VLAN to the internet.
  • Public web servers are hosted inside the internal VLAN.
  • A site-to-site VPN connects the internal VLAN directly to a cloud VPC.
  • In the cloud, app servers and databases share one subnet; security groups allow “any any” between them.
  • Remote workers connect via VPN, then get full network access.

Questions for you:

  1. List at least three architectural weaknesses in this design.
  2. For each weakness, say briefly which CIA triad component is most at risk.
  3. Suggest one segmentation or zero trust improvement.

Sample answers (compare after you think first):

  • Weakness: flat internal VLAN (no segmentation). CIA impact: confidentiality and integrity (lateral movement). Fix: separate VLANs for users, servers, IoT, with firewalls/ACLs.
  • Weakness: public web servers on internal LAN. CIA impact: all three; an exploited web server exposes internal network. Fix: move to DMZ.
  • Weakness: cloud subnet with “any any” rules. CIA impact: confidentiality/integrity. Fix: least-privilege security groups.
  • Weakness: VPN users get full access. CIA impact: confidentiality/integrity. Fix: ZTNA or role-based network access.

Pause here, actually write your own version, then compare to the sample.
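The scenario and sample answers above, expressed as an added design-review check (example code written for this page, not part of the course material). Zone names, asset roles, ports and the (src, dst, port) rule format are assumptions of the demo; the public-admin check comes from the "Improving the Design" and "Common Exam Trap" notes rather than from the scenario itself.

```python
# Added example, not from the course page: a small design-review checker that
# models the chapter's scenario as data and flags the sample-answer weaknesses.
from dataclasses import dataclass

PUBLIC_ROLES = {"web"}                         # internet-facing, belongs in the DMZ
SENSITIVE_ROLES = {"db", "iot", "ot", "server"}
ADMIN_PORTS = {22, 3389}                       # SSH / RDP must not face the internet

@dataclass
class Design:
    zones: dict           # zone name -> set of asset roles placed in it (constructed)
    rules: list           # (src_zone, dst_zone, port); port may be "any" (constructed)
    vpn_user_access: str  # "full" (whole network) or "per-app" (ZTNA style)

def review(d: Design) -> list:
    """Return findings as 'kind: detail [CIA property most at risk]' strings."""
    out = []
    for zone, roles in d.zones.items():
        mixed = roles & SENSITIVE_ROLES
        if mixed and roles - mixed:  # sensitive assets share a segment with others
            out.append(f"flat-network: '{zone}' mixes {sorted(mixed)} with "
                       f"{sorted(roles - mixed)} [confidentiality, integrity]")
        if roles & PUBLIC_ROLES and zone != "dmz":
            out.append(f"public-in-internal: web service in '{zone}' "
                       "[confidentiality, integrity, availability]")
    for src, dst, port in d.rules:
        if port == "any":
            out.append(f"any-any: {src} -> {dst} allows all ports [confidentiality, integrity]")
        if src == "internet" and port in ADMIN_PORTS:
            out.append(f"public-admin: {dst} exposes {port} to the internet [confidentiality, integrity]")
    if d.vpn_user_access == "full":
        out.append("vpn-full-access: remote users reach the whole network [confidentiality, integrity]")
    return out

# The chapter's text-only scenario, as a constructed model
WEAK = Design(
    zones={"internal": {"user", "server", "printer", "iot", "web"}, "cloud-app": {"app", "db"}},
    rules=[("cloud-app", "cloud-app", "any")],
    vpn_user_access="full")

# The same design after applying the sample-answer fixes
HARDENED = Design(
    zones={"users": {"user", "printer"}, "servers": {"server"}, "iot": {"iot"},
           "dmz": {"web"}, "cloud-app": {"app"}, "cloud-db": {"db"}},
    rules=[("dmz", "servers", 443), ("cloud-app", "cloud-db", 5432)],
    vpn_user_access="per-app")

if __name__ == "__main__":
    print("weak:", review(WEAK), "\nhardened:", review(HARDENED))
```

The weak model produces five findings across four weakness kinds, matching the four sample answers; the hardened model produces none.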

Quiz 1: Hybrid and Zero Trust Basics

Check your understanding of core definitions and concepts.

Which option best applies zero trust principles to a hybrid environment with on-prem and cloud resources?

  1. Allow all internal on-prem traffic to access cloud resources without additional checks because it is already inside the corporate network.
  2. Require MFA and device posture checks for users before granting access to specific cloud apps, and restrict on-prem to cloud traffic with least-privilege firewall and security group rules.
  3. Place all on-prem and cloud systems into a single flat network so that no additional routing or segmentation is needed.
  4. Rely on the cloud provider's default network settings, because the shared responsibility model means they secure all network traffic.

Answer: 2) Require MFA and device posture checks for users before granting access to specific cloud apps, and restrict on-prem to cloud traffic with least-privilege firewall and security group rules.

Zero trust requires continuous verification and least-privilege access. Option 2 uses MFA, device posture checks, and restrictive firewall/security group rules across on-prem and cloud, which aligns with zero trust. Option 1 assumes implicit trust for internal traffic. Option 3 creates a flat network, which is insecure. Option 4 incorrectly assumes the provider secures all aspects of networking.

Quiz 2: DMZs, Segmentation, and CIA Priorities

Apply architecture and CIA triad reasoning to a scenario.

An organization hosts a public e-commerce site that processes payments and stores customer data. Which architecture change MOST improves security while supporting the CIA priorities for this system?

  1. Move the database server into the DMZ with the web server so they can communicate without passing through a firewall.
  2. Place the web server in a DMZ, keep the database on a restricted internal segment, and allow only the web server to connect to the database over a specific port.
  3. Place both web server and database on the flat internal network to avoid latency from firewalls, improving availability.
  4. Keep the current design where the web server and database share the same internal VLAN as user workstations, but enable full-disk encryption on both servers.

Answer: 2) Place the web server in a DMZ, keep the database on a restricted internal segment, and allow only the web server to connect to the database over a specific port.

For an e-commerce system, confidentiality and integrity of customer and payment data are critical. Placing the web server in a DMZ and the database on a restricted internal segment, with tightly controlled traffic between them, provides layered defenses and segmentation. Option 1 exposes the database to the DMZ. Options 3 and 4 keep a flat internal network, which allows easy lateral movement; encryption alone does not fix poor segmentation.

Key Term Flashcards: Architecture and Hybrid Environments

Flip through these cards to reinforce core definitions and exam-ready phrases.

CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
CIA triad components
The CIA triad components are: confidentiality, integrity, availability.
DMZ (demilitarized zone)
A DMZ is a network segment between an untrusted network (like the internet) and the internal network, used to host public-facing services while limiting direct access to internal systems.
Flat network
A flat network is a network with little or no internal segmentation, where many systems share the same broadcast domain or VLAN, making lateral movement easier for attackers.
Trust boundary
A trust boundary is a point in an architecture where data or control passes between zones with different trust levels, such as internet to DMZ or on-prem to cloud.
Network segmentation
Network segmentation is the practice of dividing a network into smaller segments or zones (e.g., VLANs, subnets) and controlling traffic between them to improve security and performance.
Site-to-site VPN
A site-to-site VPN is an encrypted tunnel that securely connects two networks (such as an on-premises network and a cloud VPC) over an untrusted network like the internet.

Connecting Architecture to Security Controls and the Exam Path

Control Types in Architecture

Security control categories: technical, managerial, operational, physical. Security control types: preventive, deterrent, detective, corrective, compensating, directive.

Examples by Type

Firewalls: technical/preventive. Policies: managerial/directive. CCTV: physical/deterrent. SIEM: technical/detective. Backups/DR: support availability.

Where This Fits in SY0-701

This module sits mainly in Security Architecture, with links to General Security Concepts, Threats, and Security Operations.

Your Ongoing Practice

Use diagnostics, mock exams, and spaced review in this course to practice reading diagrams and prioritizing CIA in architecture decisions.

Key Terms

DMZ
A demilitarized zone (DMZ) is a network segment between an untrusted network and the internal network, used to host public-facing services while limiting direct access to internal systems.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
CIA triad
The CIA triad components are: confidentiality, integrity, availability.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
trust boundary
A trust boundary is a point in an architecture where data or control passes between zones with different trust levels, such as internet to DMZ or on-prem to cloud.
site-to-site VPN
A site-to-site VPN is an encrypted tunnel that securely connects two networks, such as an on-premises network and a cloud VPC, over an untrusted network.
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
network segmentation
Network segmentation is the practice of dividing a network into smaller segments or zones (e.g., VLANs, subnets) and controlling traffic between them to improve security and performance.
governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
