Architecture Models: On-premises, Virtualization, and IoT
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
Architectural models dictate not just where data lives, but how it interacts with the physical world. Consider the difference between storing currency in a single, heavily fortified subterranean vault versus distributing it across thousands of armored transport vehicles continuously traversing a highway system. The vault is straightforward to monitor but catastrophic if breached; the network of vehicles is highly resilient to localized failure but demands complex, ubiquitous coordination. In modern enterprise environments, this same fundamental trade-off governs how we structure compute resources, manage specialized operational technologies, and secure the expanding perimeter of internet-connected appliances. As a security professional, your ability to defend a network depends entirely on understanding the precise structural limitations and operational realities of the environment you are tasked with protecting.
Before we can build abstraction layers or connect factories to the cloud, we must examine the physical reality of the hardware. The most foundational approach is the traditional enterprise data center.
An on-premises architecture requires an organization to own, house, and manage all physical hardware and network infrastructure locally. You are buying the $50,000 servers, paying the cooling bills, and securing the physical doors. Because you own the concrete and the silicon, on-premises environments grant organizations complete control over physical security and data sovereignty. For highly regulated industries, this level of control is not a luxury; it is a legal requirement.

Once you establish where the hardware lives, you must decide how the data flows. Network architectures generally fall into two opposing structural models:
Centralized architecture concentrates data processing and storage in a single physical or logical location. Think of a massive mainframe or a single primary data center routing all traffic through one gateway.
- The Advantage: Centralized architecture simplifies security monitoring by creating a single, distinct network perimeter. You only have to build one very tall wall and place all your firewalls and intrusion detection systems at that singular chokepoint.
- The Danger: The physics of concentration dictates that a centralized architecture creates a single point of failure for an entire organization's data infrastructure. If a backhoe severs the main fiber optic line to that facility, the entire business halts.

Conversely, a decentralized architecture distributes data processing and storage across multiple independent nodes or locations.
- The Advantage: By spreading the load, decentralized architecture increases system resilience by eliminating a single point of failure. You can lose a node, or an entire regional data center, and the broader system will intelligently route around the damage.
- The Danger: The dispersion of assets means your perimeter is everywhere. Decentralized architecture complicates security management by requiring consistent policy enforcement across multiple disparate nodes. You no longer have one gateway to defend; you have hundreds.
| Architecture Type | Primary Security Advantage | Primary Structural Weakness |
|---|---|---|
| Centralized | Unified perimeter, simplified monitoring | Catastrophic single point of failure |
| Decentralized | High fault tolerance and resilience | Complex, fragmented policy enforcement |
For decades, we adhered to a strict 1:1 ratio—one operating system installed on one physical server. But modern processors are incredibly powerful, and running a single web server on a modern CPU leaves 90% of the computing capacity idle.
Virtualization fundamentally alters system architecture by inserting a specialized layer of software—a hypervisor—that lies to operating systems. It carves up the physical hardware into isolated virtual machines (VMs), allowing multiple operating systems to share the same CPU, memory, and disk space while believing they have exclusive access to physical hardware.
The design of the hypervisor dictates its security profile:
- A Type 1 hypervisor runs directly on the host machine's physical hardware without an underlying operating system. Often called "bare-metal" hypervisors (like VMware ESXi), these are highly efficient and secure because there is no bloated host operating system expanding the attack surface.
- A Type 2 hypervisor runs as a software application within a conventional host operating system. Think of a developer running VirtualBox on top of Windows 11. The guest OS must pass instructions through the hypervisor, which then passes them through the host OS.

Critical Threat: Virtual Machine Escape The entire security model of virtualization relies on strict isolation. Virtual machine escape occurs when a guest operating system breaches isolation boundaries to interact directly with the hypervisor. If an attacker manages to break out of their virtual box and compromise the hypervisor, they instantly gain root-level dominion over every other virtual machine sharing that hardware.
Operational Hazards of the Virtual Environment
Because spinning up a new virtual server takes mere seconds, administrators often provision them carelessly. This leads to virtual machine sprawl, which occurs when an organization creates numerous virtual machines without proper lifecycle management or decommissioning. Why is this dangerous? Virtual machine sprawl introduces security blind spots by leaving unpatched or unmonitored systems active on the network. A forgotten, unpatched Windows Server 2016 VM idling in a cluster is a perfect beachhead for a ransomware actor.
Similarly, administrators love the convenience of virtual machine snapshots, which capture the exact memory state and disk data of a system at a specific point in time. If a patch fails, you simply roll back to the snapshot. However, because a snapshot captures everything in RAM—including decrypted passwords, active encryption keys, and proprietary data—virtual machine snapshots can expose sensitive data if the snapshot files are stored without proper access controls or encryption.
Microsegmentation: Securing East-West Traffic
In a traditional physical network, if Server A wants to talk to Server B, the traffic flows out of Server A, hits a physical switch, and goes to Server B. We can place a physical firewall between them.
But if Server A and Server B are virtual machines residing on the same physical host, their traffic never leaves the hypervisor. It is entirely virtual. A traditional perimeter firewall will never see this "east-west" (server-to-server) traffic. To secure this, modern network architecture utilizes microsegmentation, which applies fine-grained security policies to individual virtual workloads to restrict east-west network traffic. Microsegmentation essentially wraps a virtual firewall around every individual VM, ensuring that even if one VM is compromised, the attacker cannot easily traverse the virtual network.
We are now mass-producing microscopic computers and placing them inside objects that historically never required silicon. Internet of Things devices are internet-connected hardware appliances designed for specific consumer or enterprise functions—from smart thermostats and security cameras to networked factory sensors.

The engineering constraints of IoT create a massive security deficit. To manufacture a $15 networked thermometer, engineers must use extremely cheap, low-power microcontrollers. Because of this, many Internet of Things devices lack sufficient compute resources to support standard cryptographic protocols. When a device cannot execute complex mathematics quickly, it transmits data in plaintext.
Furthermore, these devices lack the processing power required to run endpoint detection and response (EDR) agents. You cannot install CrowdStrike or Microsoft Defender on a smart lightbulb. Compounding the issue of weak hardware is poor vendor hygiene: Internet of Things devices frequently ship with hardcoded or publicly documented default administrative credentials (such as admin/admin), and they often lack automated firmware update mechanisms, meaning a vulnerability discovered today will likely remain unpatched for the life of the appliance.
Defending the IoT Perimeter
If we cannot install security software on the device, and we cannot trust the device's cryptography, how do we secure it? We restrict its environment.
Security best practices dictate placing Internet of Things devices on an isolated Virtual Local Area Network (VLAN). By strictly controlling the routing, network isolation for Internet of Things devices prevents a compromised smart device from pivoting to core business systems. If an attacker breaches the smart thermostat in the lobby, an isolated VLAN ensures they cannot use that connection to access the Active Directory server.
While IT systems manipulate data, Operational Technology (OT) manipulates the physical world.
Industrial Control Systems (ICS) manage and monitor physical industrial equipment in sectors like manufacturing, water treatment, and energy. A critical subset of these are Supervisory Control and Data Acquisition (SCADA) systems, which are a subset of Industrial Control Systems designed to gather data from geographically dispersed sites, such as hundreds of miles of oil pipelines or a vast regional electrical grid.
The security paradigm in OT is entirely inverted compared to IT. In a corporate data network, confidentiality is often king; you would rather a system crash than leak millions of credit card numbers. In an ICS environment, confidentiality is largely irrelevant. A water pump's RPM data is not a trade secret. Instead, availability and physical safety are the primary security priorities in Industrial Control Systems. If an IT database halts, the company loses money; if a SCADA system managing a blast furnace halts, the facility explodes.
The Vulnerability of Legacy Protocols
Many of these industrial systems were engineered decades ago, long before the internet was weaponized. Because they were designed to operate on closed, trusted networks, traditional Industrial Control Systems rely on legacy protocols like Modbus or DNP3.
These legacy protocols are incredibly efficient, but they are inherently trusting. Legacy Industrial Control Systems protocols often lack native data encryption, and more dangerously, they generally lack native message authentication features. If a Modbus controller receives a command to "open valve fully," it does not verify who sent the command; it simply executes it.

Segmentation and the Air-Gap
Because the hardware and protocols are intrinsically vulnerable, the defense must be structural. The Purdue Enterprise Reference Architecture model provides a structural framework for segmenting Industrial Control Systems from corporate enterprise networks. It divides the enterprise into distinct levels (from Level 0, the physical sensors, up to Level 5, the corporate network), strictly controlling the flow of traffic between the business world and the industrial world.
For the most critical infrastructure, administrators utilize air-gapping, which physically isolates critical Industrial Control Systems networks from untrusted networks and the internet. An air-gapped system is literally disconnected; there is no cable linking it to the outside world.

Yet, physics always demands a toll. Software updates must still be delivered, and diagnostics must be run. Consequently, air-gapped systems remain vulnerable to physical attack vectors like malicious USB drives introduced by insiders or maintenance personnel. The infamous Stuxnet worm devastated Iran's air-gapped nuclear centrifuges precisely through infected removable media carried past the physical perimeter.

Operating alongside massive SCADA environments are highly localized brains known as embedded systems. An embedded system is a specialized computing system designed to perform a dedicated function within a larger mechanical or electrical system. Think of the anti-lock braking system in your vehicle or the controller inside a pacemaker.
Because space and power are severely constrained, embedded systems often use system-on-a-chip (SoC) architecture combining a CPU, memory, and input/output ports on a single integrated circuit.

These systems interact with the physical world where timing is a matter of life and death. An airbag must deploy in exactly 20 milliseconds; it cannot wait for the CPU to finish a background task. Therefore, many embedded systems utilize Real-Time Operating Systems (RTOS) to process data and execute commands without buffering delays.
The primary threat vector for these specialized devices is time itself. Embedded systems are highly vulnerable to obsolescence because manufacturers rarely provide long-term security patches. An MRI machine might run perfectly on Windows 7 for twenty years, long after Microsoft has ceased issuing security updates. Because you cannot simply swap out the operating system of an FDA-approved medical device without violating compliance, these systems become permanent fixtures of vulnerability on the network.
Smart meters and automated medical devices are common examples of network-connected embedded systems requiring strict access controls. Like IoT, because you cannot reliably patch or update the RTOS inside a smart meter or an infusion pump, network segmentation and stringent access control lists (ACLs) are the only viable ways to protect them from modern exploitation.
