
CompTIA: Security Plus – Section 15: Security Architecture Study Guide

SY0-701 Section 15 Security Architecture & Design (Elaborated)

Domain 3: Secure Architecture & Design – Focus on designing resilient, secure systems and networks.

3.1 Secure Architecture Concepts

Defense-in-Depth

  • Ensure multiple, redundant layers of security so failure of one control does not expose assets.
  • In exam simulations, map each described control (e.g., IDS, firewall, DLP) to the appropriate layer.
Exam Tip: When a question lists several controls, identify which is preventive vs detective vs corrective.

Zero Trust & SASE (Secure Access Service Edge)

  • Zero Trust: Continuous authentication & authorization per transaction; no implicit trust.
  • SASE: Converges SD-WAN and cloud-delivered security services (FWaaS, CASB).
Exam Focus: Distinguish SASE components (e.g., FWaaS delivers firewall as cloud service).

3.2 Network Design & Components

Segmentation & Isolation

  1. VLAN vs Subnet: VLAN is L2 segmentation; Subnet is L3.
  2. Micro-Segmentation: Software-defined segmentation down to workload/container.
  3. Air Gaps & Bastion Hosts: Highest isolation for critical systems.

Sample Exam Question

Which segmentation method provides the most granular policy enforcement within a data center?

Answer: Micro-segmentation via software-defined controls.

Perimeter Devices

  • Stateful vs Stateless firewalls: Know connection tracking vs simple packet filters.
  • NGFW (Next-Generation Firewall): Application- and user-aware firewall.
  • Proxies: Forward vs Reverse – Client-side vs Server-side intermediary.
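To make the stateful vs stateless distinction concrete, here is an added example (not from the study guide) that runs one constructed packet sequence through a toy stateless ACL and a toy connection-tracking firewall; the `Packet`, `stateless_filter` and `StatefulFirewall` names are hypothetical and do not model any real product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection

def is_inside(ip: str) -> bool:
    # Constructed convention: internal hosts live in 10.0.0.0/8
    return ip.startswith("10.")

def stateless_filter(pkt: Packet) -> bool:
    """Simple packet filter: each packet is judged on its own header only.
    Policy: inside hosts may reach HTTPS anywhere. Because nothing is
    remembered, the ACL must also admit ANY inbound packet whose source
    port is 443 so that replies can get back in."""
    if is_inside(pkt.src) and pkt.dport == 443:
        return True
    if is_inside(pkt.dst) and pkt.sport == 443:  # the hole a stateless ACL needs
        return True
    return False

class StatefulFirewall:
    """Connection tracking: inbound traffic is admitted only when it matches
    a flow that an inside host opened first."""
    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and pkt.dport == 443:
            if pkt.syn:  # record the new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if is_inside(pkt.dst):  # inbound: must belong to a tracked flow
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False

def run(packets):
    """Return (stateless verdicts, stateful verdicts) for a packet list."""
    fw = StatefulFirewall()
    return [stateless_filter(p) for p in packets], [fw.allow(p) for p in packets]

# Constructed traffic: a legitimate HTTPS session, then an unsolicited
# inbound packet that merely happens to carry source port 443.
TRAFFIC = [
    Packet("10.1.1.5", 51000, "203.0.113.7", 443, syn=True),  # outbound SYN
    Packet("203.0.113.7", 443, "10.1.1.5", 51000),            # genuine reply
    Packet("198.51.100.9", 443, "10.1.1.5", 8080),            # never requested
]
```

The third packet passes the stateless ACL but is dropped by the stateful firewall, which is the exam's point about connection tracking; real firewalls additionally track TCP state transitions and expire idle entries.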

3.3 System Hardening & Platform Security

Secure Baselines & Hardening Guides

  • CIS Benchmarks and DISA STIGs for OS/app hardening.
  • Automated Compliance: SCAP (Security Content Automation Protocol) scans systems.

Knowledge Check:

Hardening reduces attack surface by disabling unnecessary services and enforcing strong configurations.

Hardware Root of Trust

  • TPM stores cryptographic keys used by FDE (e.g., BitLocker).
  • Secure Boot (UEFI) prevents unauthorized bootloader code.
  • HSM for offloading sensitive key operations.
Tip: Recognize TPM vs HSM roles in key storage.

3.4 Virtualization & Containerization

Virtualization Security

  • Type 1 vs Type 2 hypervisors.
  • VM escape risks: ensure patches and secure isolation.
  • VM sprawl management via lifecycle controls.

Container Security

  • Image scanning, registry signing, immutable infrastructure.
  • Orchestration: Kubernetes RBAC, NetworkPolicies, Admission Controllers.

3.5 Cloud Architecture

Shared Responsibility Model

  • IaaS – Provider: physical infrastructure, hypervisor, network. Customer: OS, middleware, applications, data, IAM.
  • PaaS – Provider: OS, runtime, middleware. Customer: applications, data, IAM, configuration.
  • SaaS – Provider: application, data center, OS. Customer: user access, data classification, IAM.
Exam Focus: Identify customer vs provider in patch management questions.

Edge & Hybrid

  • Edge computing security: device tamper-resistance, secure update mechanisms.
  • Hybrid identity: Sync on-premises AD DS to Azure AD (using Azure AD Connect).

3.6 Emerging Technologies

Software-Defined Everything

  • SDN (Software-Defined Networking): centralized control plane.
  • SD-WAN: secure WAN connectivity, dynamic path selection.

IoT & OT Security

  • IoT: PKI for device authentication, network segmentation.
  • OT: protocol whitelisting (Modbus, DNP3), air-gapping.

3.7 Testing & Continuous Monitoring

Threat Modeling

  • STRIDE vs PASTA: choose based on scope and depth.
  • DFDs (Data Flow Diagrams) for modeling trust boundaries.

Pentest & Red Teaming

  • Black/Gray/White box distinctions.
  • Use MITRE ATT&CK to map adversary behaviors.

Monitoring

  • SIEM: correlate logs for threat detection.
  • NDR: network anomaly detection.
  • EDR: endpoint monitoring for malicious behavior.
  • UEBA: detect insider threats via behavior analytics.
Tip: Match tool to detection use case (e.g., EDR for fileless threats).

Exam Answer Guidance

  • Read scenarios closely for keywords: “stateless vs stateful,” “implicit trust,” “edge compute.”
  • Underline requirements (e.g., “minimum latency” suggests edge computing).
  • Eliminate options that conflict with shared responsibility (e.g., provider patching in IaaS).
  • Map each technology to its defined objective number in the exam blueprint.

Knowledge Required

  • Understand architectural principles: defense-in-depth, least privilege.
  • Know differences between similar technologies (VLAN vs subnet, VM vs container, SAML vs OIDC).
  • Be able to calculate or select the appropriate DR site (hot, warm, cold) based on RTO/RPO.
  • Familiarity with emerging security frameworks: Zero Trust, SASE.
  • Awareness of mitigation tools for modern threat vectors (fileless malware, IoT attacks).
