By skyforbes 
Measure ability to reason about compliance, scalability, and multi-cloud design.
Present an intentionally flawed architecture diagram (eg lacking encryption, mixed zones)
1. Security Zoning and Network Segmentation
Original Issue:
The previous design lacked clear security zoning. Raw customer data, transformation jobs, and analytics dashboards were hosted within a single flat network.
This violated MAS TRM’s expectations for “segregation of environments” and created a large attack surface.
Refactored Approach:
The platform is now restructured into three logical zones, each enforcing data sensitivity-based boundaries:
Zone 1 Ingestion & Raw Data (Restricted):
- Dedicated, isolated VPC with no public endpoints.
- Stores raw and sensitive data, including PII.
- Enforces AES-256 encryption at rest and TLS 1.3+ in transit.
- Access limited to ingestion pipelines and service accounts with least privilege.
- All activity logged…
Learn more about Architecture Review MAS Compliant Data Platform (DP)