Security+ Domain 3 covers infrastructure security including network design, cloud environments, secure protocols, and resilience strategies. Tests your ability to architect secure solutions across on-premises, cloud, and hybrid environments.
Questions: ~16-17 questions
Concepts: 35 total
Difficulty: Intermediate
Study Time: 2 weeks
Objectives: 4 objectives
Understanding security considerations for various deployment and architecture types.
Key Concepts
Security considerations for cloud deployments including responsibility matrix, hybrid considerations, and third-party vendor risks.
Security implications of managing infrastructure through code. Version control, automated deployment, and configuration drift.
Security considerations for serverless computing and microservices architecture. Function security, API gateways, and service mesh.
Physical isolation (air-gapped), logical segmentation, and software-defined networking (SDN) security implications.
Comparing security implications of on-premises deployments versus cloud. Centralized vs decentralized architecture considerations.
Security considerations for container technologies. Container isolation, image security, orchestration security.
Security implications of virtual machines and hypervisors. VM isolation, hypervisor hardening, and virtual network security.
Security challenges for Internet of Things devices. Limited resources, update mechanisms, and network integration.
Security for industrial control systems and SCADA. OT vs IT security, protocol security, and safety considerations.
Security considerations for real-time operating systems and embedded systems. Resource constraints and update challenges.
Evaluating architectures based on availability, resilience, cost, responsiveness, scalability, deployment ease, and recovery options.
Exam Tip
The shared responsibility model is critical—know exactly what the customer vs provider secures for IaaS, PaaS, and SaaS. IaaS = customer secures most, SaaS = provider secures most.
Implementing security across devices, networks, and infrastructure components.
Key Concepts
Device Placement and Security Zones
Strategic placement of security devices and defining security zones. DMZ, internal networks, and trust boundaries.
Failure Modes
Understanding fail-open vs fail-closed configurations. Security implications of device failure behavior.
Network Appliance Types
Security roles of jump servers, proxy servers, IPS/IDS, load balancers, and sensors. Active vs passive and inline vs tap/monitor.
Port Security
Securing network ports using 802.1X and Extensible Authentication Protocol (EAP). Network access control at the port level.
Firewall Types
Understanding different firewall technologies: WAF, UTM, NGFW, and Layer 4 vs Layer 7 firewalls.
VPN and Remote Access
Secure remote connectivity using VPNs. Tunneling protocols including TLS and IPSec.
SD-WAN and SASE
Software-defined wide area networking and Secure Access Service Edge. Modern approaches to distributed network security.
Control Selection
Choosing appropriate security controls based on risk, cost, and operational requirements. Defense in depth implementation.
Exam Tip
Know where to place security devices in a network architecture. Understand why DMZs exist, how network segmentation limits lateral movement, and when to use forward vs reverse proxies.
Ensuring data security through various methods and classifications.
Key Concepts
Data Types and Sensitivity
Categorizing data by type: regulated, trade secret, intellectual property, legal, financial, and human vs non-human readable.
Data Classification
Classification levels including sensitive, confidential, public, restricted, private, and critical. Labeling and handling requirements.
Data States
Understanding data at rest, in transit, and in use. Security considerations for each state.
Data Sovereignty and Geolocation
Legal and regulatory requirements for data based on geographic location. Cross-border data transfer considerations.
Data Protection Methods
Techniques to secure data: encryption, hashing, masking, tokenization, obfuscation, segmentation, and permission restrictions.
Exam Tip
For each data state, know the appropriate protection: at rest (encryption, access controls), in transit (TLS, VPN), in use (memory encryption, secure enclaves). Understand when to use tokenization vs encryption.
Ensuring systems can withstand attacks and recover from incidents.
Key Concepts
High Availability Concepts
Designing systems for continuous operation. Load balancing, clustering, and geographic distribution.
Redundancy and Fault Tolerance
Eliminating single points of failure. Server redundancy, network redundancy, and power redundancy.
Site Considerations
Recovery site options: hot sites (immediate), warm sites (hours), cold sites (days). Cost and recovery time trade-offs.
Platform Diversity
Using diverse technologies, vendors, and cryptographic controls to reduce single-point vulnerabilities.
Multi-Cloud Strategies
Distributing workloads across multiple cloud providers for resilience. Avoiding vendor lock-in.
Continuity of Operations
Ensuring business functions continue during disruptions. Capacity planning and testing.
Backup Strategies
Backup types (full, incremental, differential), onsite/offsite storage, and frequency planning.
Power Protection
UPS systems, generators, and dual power feeds. Managing power-related failures.
Recovery Objectives
Defining RTO (recovery time objective) and RPO (recovery point objective). Balancing cost with recovery requirements.
Testing Resilience
Tabletop exercises, failover testing, simulation testing, and parallel processing validation.
Exam Tip
Know the differences between backup types and when to use each. Understand RTO vs RPO—scenarios often ask which metric matters most for a given situation.
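To make the backup-type and RTO/RPO trade-offs concrete, here is an added example (not part of the original study guide) that models a constructed weekly schedule: one full backup on Sunday and either incremental or differential backups on the other days. It computes which backup sets a restore must apply after a failure, the achieved RPO, and a rough RTO under an assumed fixed restore time per set; the schedule, dates and minutes-per-set figure are all assumptions for illustration.

```python
from datetime import datetime, timedelta

def backup_jobs(start, failure, strategy):
    """Backups completed before `failure`: a full backup on day 0 and every 7th
    day, and `strategy` ('incremental' or 'differential') on the other days.
    Constructed schedule for illustration; every job runs at the same hour."""
    if strategy not in ("incremental", "differential"):
        raise ValueError("strategy must be 'incremental' or 'differential'")
    jobs, day, t = [], 0, start
    while t <= failure:
        jobs.append((t, "full" if day % 7 == 0 else strategy))
        t, day = t + timedelta(days=1), day + 1
    if not jobs:
        raise ValueError("failure occurred before the first backup completed")
    return jobs

def restore_chain(jobs):
    """Sets that must be applied, in order, to recover to the latest backup.
    Incremental: last full + every incremental after it (each holds only the
    changes since the previous backup). Differential: last full + the newest
    differential only (each holds all changes since the last full)."""
    last_full = max(i for i, (_, kind) in enumerate(jobs) if kind == "full")
    chain, later = [jobs[last_full]], jobs[last_full + 1:]
    if later:
        chain += later if later[-1][1] == "incremental" else [later[-1]]
    return chain

def achieved_rpo(jobs, failure):
    """Worst-case data loss: time from the last completed backup to the failure."""
    return failure - jobs[-1][0]

def estimated_rto(chain, minutes_per_set):
    """Rough recovery time, assuming each set takes a fixed time to apply."""
    return timedelta(minutes=minutes_per_set * len(chain))

def evaluate(strategy, start, failure, rpo_target, rto_target, minutes_per_set=20):
    jobs = backup_jobs(start, failure, strategy)
    chain = restore_chain(jobs)
    rpo, rto = achieved_rpo(jobs, failure), estimated_rto(chain, minutes_per_set)
    return {"sets_to_restore": len(chain), "rpo": rpo, "rto": rto,
            "rpo_met": rpo <= rpo_target, "rto_met": rto <= rto_target}

def demo(strategy):
    """Constructed scenario: full backup Sunday 02:00, disk lost Friday 15:30,
    targets of RPO <= 24 h and RTO <= 1 h (all assumed values)."""
    start = datetime(2024, 1, 7, 2, 0)
    failure = datetime(2024, 1, 12, 15, 30)
    return evaluate(strategy, start, failure, timedelta(hours=24), timedelta(hours=1))

if __name__ == "__main__":
    for s in ("incremental", "differential"):
        print(s, demo(s))
```

With the same RPO either way, the incremental schedule needs six sets and misses the one-hour RTO, while the differential schedule needs only two sets and meets it; that restore-speed versus storage trade-off is the distinction the exam tip points at.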
Performance-based questions (PBQs) for this domain typically cover:
Cloud security is heavily emphasized in SY0-701. Focus on the shared responsibility model, cloud deployment types, and cloud-specific threats. You don't need vendor-specific knowledge (AWS, Azure), but understand general cloud security principles.
IDS (Intrusion Detection System) monitors and alerts but doesn't block traffic. IPS (Intrusion Prevention System) actively blocks malicious traffic. IDS is passive, IPS is active. Many modern systems combine both (IDPS).
Know the common levels: RAID 0 (striping, no redundancy), RAID 1 (mirroring), RAID 5 (striping with parity), RAID 6 (double parity), RAID 10 (mirroring + striping). Understand their trade-offs between performance, capacity, and fault tolerance.
Hot site: fully operational duplicate, ready immediately. Warm site: has equipment but needs data restoration, ready in hours/days. Cold site: empty facility, ready in days/weeks. Cost decreases from hot to cold.
Understand both on-prem and cloud architectures. Draw network diagrams and practice placing security controls. Know when to use each approach and why.