InterviewStack.io

Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management; authentication and authorization patterns; role-based access control and least privilege; secrets management and rotation; encryption for data at rest and in transit; network segmentation and microsegmentation; zero trust architecture; audit logging and retention; vulnerability scanning and patch and remediation workflows; endpoint protection; threat detection and monitoring; threat modeling and risk assessment; incident detection and response planning and runbooks; software supply chain security, including artifact signing, dependency scanning and provenance; policy as code and automated security gates in continuous integration and continuous delivery (CI/CD) pipelines; automated testing and validation of controls; and the trade-offs between security controls and developer velocity.

Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), System and Organization Controls 2 (SOC 2), the Payment Card Industry Data Security Standard (PCI DSS), and ISO/IEC 27001, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

Easy · Technical · 65 practiced
Define encryption at rest and encryption in transit. For a typical web service stack, list where you would apply each, including databases, object stores, message queues, and the service mesh. Also describe the key management responsibilities of SREs and operational concerns such as certificate rotation and forward secrecy.
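Two of the operational concerns this question names, forward secrecy and certificate rotation, can be turned into checks an SRE actually runs. The following is an added example written for this page, not code from InterviewStack.io: it builds a server-side TLS context that can only negotiate forward-secret key exchange, audits a context's cipher list, and computes whether a certificate (using the `notAfter` string format that `ssl.getpeercert()` returns) is inside an assumed 30-day rotation window. The sample dates are constructed.

```python
import ssl

# Assumed operational policy for the example: rotate when 30 days or less remain.
ROTATION_LEAD_DAYS = 30

# Constructed "now" for the worked example (20 May 2026, 00:00 UTC).
SAMPLE_NOW = ssl.cert_time_to_seconds("May 20 00:00:00 2026 GMT")


def forward_secret_server_context() -> ssl.SSLContext:
    """Server-side TLS context that only negotiates forward-secret key exchange.

    TLS 1.3 suites always use ephemeral (EC)DHE. For TLS 1.2 the cipher string
    restricts the list to ECDHE with AEAD ciphers, so a later compromise of the
    server's private key does not let an attacker decrypt recorded sessions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!PSK")
    return ctx


def offers_forward_secrecy(cipher_name: str) -> bool:
    """Classify an OpenSSL cipher name: TLS 1.3 names ('TLS_...') and TLS 1.2
    (EC)DHE suites are forward secret; static RSA key exchange (e.g.
    'AES128-GCM-SHA256') is not."""
    return cipher_name.startswith(("TLS_", "ECDHE-", "DHE-"))


def non_forward_secret_ciphers(ctx: ssl.SSLContext) -> list[str]:
    """Audit check: every cipher the context can negotiate should be forward secret."""
    return [c["name"] for c in ctx.get_ciphers() if not offers_forward_secrecy(c["name"])]


def days_until_expiry(not_after: str, now_seconds: float) -> int:
    """`not_after` uses the format of ssl.getpeercert()['notAfter'],
    e.g. 'Jun  5 14:00:00 2026 GMT'. Negative when already expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now_seconds) // 86400)


def needs_rotation(not_after: str, now_seconds: float,
                   lead_days: int = ROTATION_LEAD_DAYS) -> bool:
    """Rotation check to run from a scheduled job over the certificate inventory."""
    return days_until_expiry(not_after, now_seconds) <= lead_days


if __name__ == "__main__":
    ctx = forward_secret_server_context()
    print("non-forward-secret ciphers:", non_forward_secret_ciphers(ctx))
    # Constructed sample: a certificate expiring 16 days after SAMPLE_NOW.
    print("rotate?", needs_rotation("Jun  5 14:00:00 2026 GMT", SAMPLE_NOW))
```

The cipher-list audit is the piece that belongs in a CI gate or a periodic scan of listeners: a context that still allows `AES128-GCM-SHA256` (static RSA key exchange) passes a naive "TLS enabled" check but fails this one.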
Easy · Technical · 72 practiced
Explain the difference between authentication and authorization in the context of infrastructure systems. Provide concrete examples for three layers: human operator access, service-to-service communication, and CI/CD pipeline credentials. For each example name typical technologies or protocols you would use and describe common operational pitfalls SREs should avoid.
Medium · Technical · 97 practiced
Develop detection logic for anomalous SSH login behavior in a SIEM. Explain rule conditions, thresholds, required data sources, enrichment data, and techniques to reduce false positives caused by legitimate infrastructure changes such as bastion rotation or automated scripts.
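A worked version of the detection logic this question asks for, as an added example written for this page rather than code from InterviewStack.io. It parses sshd syslog lines, runs a sliding-window brute-force rule (five failures from one source within 60 seconds, escalated when a success follows), and a "known user from a new source" rule that is enriched with two lookup tables: a per-user baseline of source addresses and the current bastion/CI address pool. The log lines, thresholds, baseline and address pool are all constructed for the example; in a SIEM the two tables would be populated from historical successful logins and from the infrastructure inventory, and refreshed whenever bastions are rotated so that rotation does not raise alerts.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog sample (not real data): a password spray from one
# source that ends in a success, a known user from a new address, a CI runner,
# and a single unrelated failure.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion-1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:03 bastion-1 sshd[2202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:05 bastion-1 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:07 bastion-1 sshd[2204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:09 bastion-1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:20 bastion-1 sshd[2210]: Accepted password for deploy from 203.0.113.7 port 51020 ssh2
Mar  3 10:05:00 bastion-1 sshd[2300]: Accepted publickey for alice from 10.20.0.15 port 40000 ssh2: ED25519 SHA256:abc
Mar  3 10:06:00 bastion-1 sshd[2301]: Accepted publickey for alice from 198.51.100.42 port 40001 ssh2: ED25519 SHA256:abc
Mar  3 10:07:00 bastion-1 sshd[2302]: Accepted publickey for ci-runner from 10.99.0.8 port 40002 ssh2: ED25519 SHA256:def
Mar  3 10:08:00 bastion-1 sshd[2303]: Failed password for bob from 10.20.0.16 port 40003 ssh2
"""

# Tuning and enrichment (assumed values). In a SIEM these are lookup tables:
# per-user baseline of sources from past successful logins, and the current
# bastion/CI address pool from the infrastructure inventory.
FAIL_THRESHOLD = 5           # failures from one source ...
WINDOW_SECONDS = 60          # ... within this sliding window
KNOWN_SOURCES = {"alice": {"10.20.0.15"}}
AUTOMATION_NETS = [ipaddress.ip_network("10.99.0.0/24")]
LOG_YEAR = 2024              # syslog timestamps carry no year; assumed here

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str):
    """Normalise one sshd line into an event dict, or None for lines not modelled here."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "src": m["src"]}


def is_automation(src: str) -> bool:
    """Suppression list: bastion and CI runner pools, maintained from inventory."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in AUTOMATION_NETS)


def detect(log_text: str) -> dict:
    """Run the rules over a log stream; returns fired alerts and suppressed events."""
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    alerts, suppressed = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent_failures[ev["src"]]
        while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) == FAIL_THRESHOLD:  # fire once per window, not on every extra failure
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": ev["src"], "count": len(window), "ts": ev["ts"]})
            continue
        # Successful login: rules in decreasing severity, first match wins.
        if len(window) >= FAIL_THRESHOLD:
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                           "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
        elif ev["src"] in KNOWN_SOURCES.get(ev["user"], set()):
            pass                                # baseline source for this user
        elif is_automation(ev["src"]):
            suppressed.append({"rule": "ssh_new_source", "user": ev["user"], "src": ev["src"]})
        else:
            alerts.append({"rule": "ssh_new_source", "severity": "low", "src": ev["src"],
                           "user": ev["user"], "method": ev["method"], "ts": ev["ts"]})
    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Two points worth making in an interview answer show up in the code: the brute-force rule fires when the window first reaches the threshold rather than on every subsequent failure, which keeps one attacker from generating hundreds of alerts, and the suppression list is separate from the baseline, so a bastion rotation is handled by updating inventory rather than by loosening the rule. Suppressed events are still returned so they can be counted and reviewed, since a silently dropped detection is a blind spot.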
Easy · Technical · 71 practiced
Provide a practical summary of how GDPR, HIPAA, PCI DSS, SOC 2, and ISO 27001 differ in their expectations for infrastructure controls. For each framework, give one example control SREs must implement and explain briefly how it influences architecture or operations.
Easy · Technical · 57 practiced
Explain the difference between detection and prevention controls in infrastructure security. Provide examples of each within the SRE scope such as network rules, host hardening, and telemetry collection, and describe how they complement each other for a mature security posture.
