Security Architecture (18%)
Domain 3: Security Architecture
Exam Weight: 18% | Third highest weighted domain
Domain Overview
Domain 3 focuses on security architecture concepts—how to design and implement secure systems, networks, and infrastructure. This domain covers cloud security, enterprise infrastructure protection, and data security strategies. Understanding architecture principles is essential because secure design prevents vulnerabilities before they occur.
Learning Objectives
After completing this domain, you should be able to:
- [ ] Compare security implications of different architecture models
- [ ] Apply security principles to secure enterprise infrastructure
- [ ] Understand data protection strategies and concepts
- [ ] Explain cloud deployment and service models
- [ ] Describe embedded systems and specialized infrastructure security
Lessons in This Domain
| Lesson | Topic | Objectives Covered |
|--------|-------|-------------------|
| 01_architecture_models.md | Architecture Models and Concepts | 3.1 |
| 02_enterprise_infrastructure.md | Enterprise Infrastructure Security | 3.2 |
| 03_data_protection.md | Data Protection Strategies | 3.3 |
Key Concepts at a Glance
Cloud Deployment Models
| Model | Description | Security Responsibility |
|-------|-------------|------------------------|
| Public | Multi-tenant, shared infrastructure | Shared with provider |
| Private | Single organization, dedicated | Organization-owned |
| Hybrid | Mix of public and private | Split responsibility |
| Community | Shared by similar organizations | Shared among members |
Cloud Service Models
| Model | Customer Manages | Provider Manages |
|-------|-----------------|------------------|
| IaaS | OS, apps, data | Hardware, virtualization |
| PaaS | Apps, data | Everything else |
| SaaS | Data, access | Everything else |
Data Classification Levels
| Level | Description | Access |
|-------|-------------|--------|
| Public | No restrictions | Anyone |
| Confidential | Internal use | Employees + trusted parties |
| Secret | Serious damage if disclosed | Need-to-know basis |
| Top Secret | Grave damage if disclosed | Highly restricted |
Infrastructure Security Components
| Component | Function |
|-----------|----------|
| Firewall | Traffic filtering, access control |
| IDS/IPS | Threat detection and prevention |
| VPN | Secure remote access |
| Load Balancer | Traffic distribution, availability |
| Proxy | Content filtering, anonymization |
| SIEM | Log aggregation, correlation |
Exam Tips for Domain 3
⚠️ High-Priority Topics:
- Cloud shared responsibility model (know what customer vs provider manages for each service model)
- Data classification levels and what they mean
- IaC (Infrastructure as Code) and its benefits
- Embedded systems security concerns (IoT, ICS/SCADA, RTOS)
⚠️ Common Exam Traps:
- Don't confuse IaaS, PaaS, and SaaS responsibilities
- Serverless doesn't mean "no servers"—it means the provider manages them
- Containers are NOT full VMs—they share the host kernel
- Data sovereignty isn't just about where data is stored but also about where it can be processed
⚠️ Scenario Question Strategy:
When given an architecture scenario:
- Identify the deployment model (public, private, hybrid)
- Determine the service model (IaaS, PaaS, SaaS)
- Apply the shared responsibility model
- Consider data sovereignty and compliance requirements
- Identify appropriate security controls
Study Checklist
Objective 3.1: Architecture Models
- [ ] Compare cloud deployment models (public, private, hybrid, community)
- [ ] Explain service models (IaaS, PaaS, SaaS) and shared responsibility
- [ ] Describe virtualization and container technologies
- [ ] Understand serverless and microservices architecture
- [ ] Explain embedded systems security (IoT, ICS/SCADA, RTOS)
- [ ] Describe Infrastructure as Code (IaC)
Objective 3.2: Enterprise Infrastructure
- [ ] Apply secure network design principles
- [ ] Explain device placement and security zones
- [ ] Describe secure communication methods (VPN, TLS, IPsec)
- [ ] Understand SD-WAN and SASE concepts
- [ ] Explain firewall types and configurations
- [ ] Apply network access control concepts
Objective 3.3: Data Protection
- [ ] Classify data types (regulated, PII, PHI, trade secrets)
- [ ] Apply data classification schemes
- [ ] Explain data sovereignty and geographic considerations
- [ ] Describe encryption methods for data at rest and in transit
- [ ] Understand data loss prevention (DLP) strategies
- [ ] Explain data minimization and retention policies
Quick Reference: Shared Responsibility Matrix
| Layer | IaaS | PaaS | SaaS |
|-------|------|------|------|
| Data | Customer | Customer | Customer |
| Access Management | Customer | Customer | Customer |
| Applications | Customer | Customer | Provider |
| Runtime | Customer | Provider | Provider |
| Operating System | Customer | Provider | Provider |
| Virtualization | Provider | Provider | Provider |
| Network | Provider | Provider | Provider |
| Physical | Provider | Provider | Provider |
External Resources
- NIST Cloud Computing Reference Architecture
- CSA Cloud Controls Matrix
- NIST SP 800-82 ICS Security Guide
- CIS Benchmarks