Security+ Domain 3: Security Architecture

Security considerations for cloud deployments including responsibility matrix, hybrid considerations, and third-party vendor risks.

Security implications of managing infrastructure through code. Version control, automated deployment, and configuration drift.

Security considerations for serverless computing and microservices architecture. Function security, API gateways, and service mesh.

Physical isolation (air-gapped), logical segmentation, and software-defined networking (SDN) security implications.

Comparing security implications of on-premises deployments versus cloud. Centralized vs decentralized architecture considerations.

Security considerations for container technologies. Container isolation, image security, orchestration security.

Security implications of virtual machines and hypervisors. VM isolation, hypervisor hardening, and virtual network security.

Security challenges for Internet of Things devices. Limited resources, update mechanisms, and network integration.

Security for industrial control systems and SCADA. OT vs IT security, protocol security, and safety considerations.

Security considerations for real-time operating systems and embedded systems. Resource constraints and update challenges.

Evaluating architectures based on availability, resilience, cost, responsiveness, scalability, deployment ease, and recovery options.

Strategic placement of security devices and defining security zones. DMZ, internal networks, and trust boundaries.

Understanding fail-open vs fail-closed configurations. Security implications of device failure behavior.

Security roles of jump servers, proxy servers, IPS/IDS, load balancers, and sensors. Active vs passive and inline vs tap/monitor.

Securing network ports using 802.1X and Extensible Authentication Protocol (EAP). Network access control at the port level.

Understanding different firewall technologies: WAF, UTM, NGFW, and Layer 4 vs Layer 7 firewalls.

Secure remote connectivity using VPNs. Tunneling protocols including TLS and IPSec.

Software-defined wide area networking and Secure Access Service Edge. Modern approaches to distributed network security.

Choosing appropriate security controls based on risk, cost, and operational requirements. Defense in depth implementation.

Categorizing data by type: regulated, trade secret, intellectual property, legal, financial, and human vs non-human readable.

Classification levels including sensitive, confidential, public, restricted, private, and critical. Labeling and handling requirements.

Understanding data at rest, in transit, and in use. Security considerations for each state.

Legal and regulatory requirements for data based on geographic location. Cross-border data transfer considerations.

Techniques to secure data: encryption, hashing, masking, tokenization, obfuscation, segmentation, and permission restrictions.

Designing systems for continuous operation. Load balancing, clustering, and geographic distribution.

Eliminating single points of failure. Server redundancy, network redundancy, and power redundancy.

Recovery site options: hot sites (immediate), warm sites (hours), cold sites (days). Cost and recovery time trade-offs.

Using diverse technologies, vendors, and cryptographic controls to reduce single-point vulnerabilities.

Distributing workloads across multiple cloud providers for resilience. Avoiding vendor lock-in.

Ensuring business functions continue during disruptions. Capacity planning and testing.

Backup types (full, incremental, differential), onsite/offsite storage, and frequency planning.

UPS systems, generators, and dual power feeds. Managing power-related failures.

Defining RTO (recovery time objective) and RPO (recovery point objective). Balancing cost with recovery requirements.

Tabletop exercises, failover testing, simulation testing, and parallel processing validation.