
1.2 Domain 1 · General Security Concepts

Fundamental Security Concepts

Summarize fundamental security concepts

The Concept

This is the broadest objective on the SY0-701 exam. It covers the CIA triad, Non-repudiation, AAA (Authentication, Authorization, Accounting), Gap analysis, Zero Trust (Control Plane vs. Data Plane), Physical security (bollards, vestibules, fencing, surveillance, sensors), and Deception technology (honeypot, honeynet, honeyfile, honeytoken).

The key insight: Zero Trust is where the exam goes deep. It splits into the Control Plane (where decisions are made: Policy Engine, Policy Administrator, adaptive identity, threat scope reduction) and the Data Plane (where decisions are enforced: Policy Enforcement Point, subjects, systems, implicit trust zones eliminated).

CIA Triad: Confidentiality (only authorized access), Integrity (data is accurate and unmodified), Availability (systems accessible when needed). Non-repudiation ensures someone cannot deny an action — typically via digital signatures or audit logs.

AAA Framework:

  • Authentication — proving identity. For people: passwords, biometrics, tokens. For systems: certificates, API keys.
  • Authorization — what you're allowed to do after proving identity. Models: RBAC (role-based), ABAC (attribute-based), DAC (discretionary — owner decides), MAC (mandatory — system/labels decide).
  • Accounting — logging what happened. Audit trails, SIEM, session logs. Without accounting, you can't prove what occurred.

Zero Trust Architecture:

  • Control Plane (decisions) — Policy Engine evaluates access requests against policy. Policy Administrator establishes/removes sessions. Adaptive identity adjusts trust based on context (location, device, behavior). Threat scope reduction minimizes blast radius by limiting access.
  • Data Plane (enforcement) — Policy Enforcement Point (PEP) is the gatekeeper that allows or blocks access. Subjects/Systems are the entities requesting access. Implicit trust zones are eliminated — no device or user is trusted by default, even inside the network.
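The following is an added example (not part of this study page) that puts the AAA list and the Zero Trust components above into one runnable toy: a Policy Engine and Policy Administrator in the Control Plane decide, a Policy Enforcement Point in the Data Plane allows or blocks and records accounting entries, and an already-authenticated user gets no implicit access to a second resource. The roles, resource names, device-posture and risk signals are constructed for illustration; the class names follow the page's terminology.

```python
from dataclasses import dataclass

# Constructed policy data. RBAC: each role is entitled to a set of resources.
ROLE_RESOURCES = {
    "developer": {"dev_servers"},
    "payroll_clerk": {"payroll_db"},
    "hr": {"hr_records"},
}
# ABAC-style attribute rule: these resources also need corporate location and low risk.
SENSITIVE = {"payroll_db", "hr_records"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa: bool               # authentication strength (hypothetical signal)
    device_compliant: bool  # device posture (hypothetical signal)
    location: str           # adaptive identity context: "corp" or "remote"
    risk_score: int         # behavioural anomaly score 0-100 (hypothetical)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


class PolicyEngine:
    """Control Plane: evaluates each request against policy and context. It only decides."""

    def evaluate(self, req: AccessRequest) -> Decision:
        if not req.mfa:  # authentication: who are you, and how strongly proven?
            return Decision(False, "authentication too weak: MFA required")
        if req.resource not in ROLE_RESOURCES.get(req.role, set()):  # authorization (RBAC)
            return Decision(False, f"role '{req.role}' not authorized for '{req.resource}'")
        if not req.device_compliant:  # device posture attribute
            return Decision(False, "device posture failed")
        if req.resource in SENSITIVE and (req.location != "corp" or req.risk_score > 50):
            return Decision(False, "adaptive identity: context too risky for sensitive resource")
        return Decision(True, "policy satisfied")


class PolicyAdministrator:
    """Control Plane: establishes or removes the per-resource session the PEP honours."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, str]] = set()

    def apply(self, req: AccessRequest, decision: Decision) -> None:
        key = (req.user, req.resource)
        if decision.allow:
            self.sessions.add(key)
        else:
            self.sessions.discard(key)  # a denial also tears down any earlier session


class PolicyEnforcementPoint:
    """Data Plane: the gatekeeper in front of the resource. Allows or blocks, and does accounting."""

    def __init__(self, engine: PolicyEngine, admin: PolicyAdministrator) -> None:
        self.engine, self.admin = engine, admin
        self.audit_log: list[str] = []

    def access(self, req: AccessRequest) -> bool:
        decision = self.engine.evaluate(req)  # ask the Control Plane
        self.admin.apply(req, decision)
        granted = (req.user, req.resource) in self.admin.sessions
        # Accounting: every allow/deny is logged with the reason given by the engine
        self.audit_log.append(
            f"{req.user} -> {req.resource}: {'ALLOW' if granted else 'DENY'} ({decision.reason})"
        )
        return granted


def run_scenario() -> dict[str, bool]:
    """Constructed walk-through: an authenticated developer must not gain implicit access elsewhere."""
    pep = PolicyEnforcementPoint(PolicyEngine(), PolicyAdministrator())
    return {
        "dev_to_dev": pep.access(AccessRequest("alice", "developer", "dev_servers", True, True, "corp", 10)),
        # Same authenticated user, different resource: no implicit trust zone, evaluated afresh
        "dev_to_payroll": pep.access(AccessRequest("alice", "developer", "payroll_db", True, True, "corp", 10)),
        "clerk_remote_payroll": pep.access(AccessRequest("bob", "payroll_clerk", "payroll_db", True, True, "remote", 10)),
        "clerk_corp_payroll": pep.access(AccessRequest("bob", "payroll_clerk", "payroll_db", True, True, "corp", 10)),
        "hr_noncompliant_device": pep.access(AccessRequest("carol", "hr", "hr_records", True, False, "corp", 5)),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

Note the division of labour: nothing in the Data Plane class contains policy, and nothing in the Control Plane classes touches the resource. That separation is the exam's point, and in a real deployment it is what lets you change policy centrally without redeploying every gateway.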

Physical Security: Bollards (vehicle barriers), vestibules/mantraps (two-door entry), fencing (perimeter), surveillance cameras, motion/infrared/pressure sensors, security guards, badge readers, lighting.

Deception Technology:

  • Honeypot — a fake system designed to attract attackers and study their behavior
  • Honeynet — a network of honeypots simulating a full environment
  • Honeyfile — a fake document (e.g., "passwords.xlsx") that triggers an alert when opened
  • Honeytoken — a fake data element (fake credentials, fake database record) that triggers alerts when used
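As an added example (not from the study page), here is the alerting side of deception technology: a small scanner that reads log lines and raises a high-fidelity alert when a planted honeytoken (fake data) is used or a honeyfile (fake document) is opened. The log format, the token value, the file path and the sample lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed deception inventory. A honeytoken is fake DATA; a honeyfile is a fake FILE.
HONEYTOKENS = {"HONEY-KEY-0001": "fake API key planted in the internal wiki"}
HONEYFILES = {"/shares/finance/passwords.xlsx": "fake spreadsheet on the finance share"}

# Constructed log layout: "<timestamp> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")


@dataclass(frozen=True)
class Alert:
    kind: str    # "honeytoken" or "honeyfile"
    asset: str   # which planted asset was touched
    actor: str   # source IP or user that touched it
    ts: str
    note: str


def parse_kv(text: str) -> dict[str, str]:
    """Split 'a=b c=d' into a dict, ignoring fragments without '='."""
    return dict(pair.split("=", 1) for pair in text.split() if "=" in pair)


def scan(lines: list[str]) -> list[Alert]:
    """Return an Alert for every line that touches a honeytoken or honeyfile.
    Legitimate users never use these assets, so any hit is worth investigating."""
    alerts: list[Alert] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        kv = parse_kv(m["kv"])
        if m["event"] == "api_auth" and kv.get("key_id") in HONEYTOKENS:
            alerts.append(Alert("honeytoken", kv["key_id"], kv.get("src", "?"), m["ts"],
                                HONEYTOKENS[kv["key_id"]]))
        elif m["event"] == "file_open" and kv.get("path") in HONEYFILES:
            alerts.append(Alert("honeyfile", kv["path"], kv.get("user", "?"), m["ts"],
                                HONEYFILES[kv["path"]]))
    return alerts


# Constructed sample log: two benign lines, one honeytoken use, one honeyfile open, one bad line.
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z api_auth key_id=PROD-KEY-7781 src=10.0.5.12 result=ok",
    "2024-03-01T08:02:17Z file_open path=/shares/finance/q1_report.xlsx user=bob",
    "2024-03-01T03:14:09Z api_auth key_id=HONEY-KEY-0001 src=203.0.113.44 result=denied",
    "2024-03-01T03:15:30Z file_open path=/shares/finance/passwords.xlsx user=svc_backup",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.kind}] {a.ts} {a.actor} touched {a.asset} ({a.note})")
```

Two practical points the sample shows. The honeytoken line is a denied login, and it still alerts: the token is fake, so the authentication outcome is irrelevant, and use of it at all is the signal. The honeyfile hit comes from a service account named like a backup job; before deploying, exclude backup and antivirus scanners that legitimately read every file, or the honeyfile will page you every night.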

Concept | Components | Key Distinction
--- | --- | ---
CIA | Confidentiality, Integrity, Availability | Foundation of all security decisions
AAA | Authentication, Authorization, Accounting | Who are you? What can you do? What did you do?
Non-repudiation | Digital signatures, audit logs | You cannot deny you did it

Zero Trust Plane | Components | Function
--- | --- | ---
Control Plane | Policy Engine, Policy Administrator, Adaptive Identity, Threat Scope Reduction | Makes access decisions based on policy and context
Data Plane | Policy Enforcement Point, Subject/System, Implicit Trust Zones (eliminated) | Enforces access decisions; blocks or allows traffic

Deception Tech | What It Is | What Triggers It
--- | --- | ---
Honeypot | Fake system (server, service) | Attacker interacts with it
Honeynet | Network of honeypots | Attacker moves laterally through the fake network
Honeyfile | Fake document (e.g., "passwords.xlsx") | File is opened or accessed
Honeytoken | Fake data element (credential, record) | Token is used or queried

Key Takeaway

Control Plane = where decisions are made. Data Plane = where decisions are enforced. The Policy Engine decides. The Policy Enforcement Point enforces. If the exam asks "which component restricts access" — that's the PEP (Data Plane), not the Policy Engine (Control Plane).

A mid-size financial firm provides VPN access to remote employees. Once connected, users can reach almost any internal resource. The CISO is pushing for a Zero Trust overhaul.

Scenario: VPN Overhaul (Financial firm · 800 employees · Full VPN access)

Network Architect: "Our VPN works fine. Users authenticate with MFA and get access. What's the problem?"

CISO: "The problem is implicit trust. Once they're on the VPN, they can reach the payroll database, the dev servers, HR records — everything. One compromised laptop and the attacker has the same access as the user."

Network Architect: "So what, we authenticate them again for every resource?"

CISO: "Essentially, yes. We implement a Policy Engine that evaluates every access request. Is the device compliant? Is the user's behavior normal? Is this resource appropriate for their role? Then a Policy Enforcement Point grants or denies access per-resource, per-session. No implicit trust zones."

Compensating Control

Migration path: Zero Trust isn't a product you buy — it's an architecture you build over time. Start with identity (strong MFA), then add device posture checking, then microsegmentation, then continuous monitoring. The exam tests the architecture, not the migration plan.

Real Talk — Career Context

Most organizations are somewhere between "VPN for everyone" and full Zero Trust. The Security+ exam tests the ideal model. In practice, you'll implement it incrementally — starting with the highest-risk resources (finance, PII, admin access) and expanding from there.

On the exam: Zero Trust questions focus on the architecture components. Know which belongs to Control Plane vs. Data Plane. The Policy Enforcement Point is always in the Data Plane.

The firm's VPN was exploited via a compromised employee laptop. Management wants immediate remediation. Two proposals are on the table:

Option A
MAC Address Filtering on VPN

Only allow known device MAC addresses to connect. Quick to implement, low cost. But MAC addresses can be spoofed, and once connected, users still have broad access.

Option B
Zero Trust Architecture

Continuous verification per resource. Policy Engine evaluates every request. Policy Enforcement Points restrict lateral movement. No implicit trust even for authenticated users.

Option B is correct — Zero Trust eliminates implicit trust

Option B: Zero Trust architecture addresses the root problem: once a user (or attacker) authenticates, they shouldn't automatically have broad access. Every access request is verified independently. MAC filtering is trivially bypassed and doesn't solve the lateral movement problem.

Option A's kernel of truth: Device identification has value as one signal in a Zero Trust model. But alone, MAC filtering provides a false sense of security. MAC addresses are spoofable in seconds with freely available tools.

On the exam: Zero Trust is the modern standard for network access. Any answer that relies on implicit trust after initial authentication is outdated thinking.

Honeypot vs. Honeytoken

A honeypot is a system (a fake server or service). A honeytoken is data (a fake credential, database record, or API key). Both are deception tech, but the exam tests whether you know the difference. If the question says "fake AWS access key planted in a code repository" — that's a honeytoken, not a honeypot.

Why it's tempting: Both are "honey-" things designed to catch attackers. But system vs. data is the key distinction.

Authentication vs. Authorization

Authentication = "Who are you?" (proving identity). Authorization = "What can you do?" (granting permissions). Logging into your laptop with a password is authentication. Being able to read the HR folder but not the Finance folder is authorization. The exam will describe a scenario and ask which AAA component is involved.

Why it's tempting: They happen close together (you authenticate, then get authorized), so they feel like one step. They're not.

Control Plane vs. Data Plane in Zero Trust

The Control Plane makes decisions (Policy Engine, Policy Administrator). The Data Plane enforces decisions (Policy Enforcement Point). If a question asks "which component evaluates whether to grant access" — that's the Policy Engine (Control Plane). "Which component blocks unauthorized traffic" — that's the PEP (Data Plane). Don't swap them.

Why it's tempting: "Control" sounds like it controls access (enforcement). But in Zero Trust, "Control Plane" means decision-making, not enforcement.

Exam Signal

Zero Trust architecture questions are high-frequency on the SY0-701. Know the exact components in each plane. Control Plane: Policy Engine, Policy Administrator, Adaptive Identity, Threat Scope Reduction. Data Plane: Policy Enforcement Point, Subject/System. When you see "restricts," "blocks," or "enforces" — think Data Plane (PEP). When you see "evaluates," "decides," or "adapts" — think Control Plane.

Quick Check — End of 1.2

In a Zero Trust architecture, which component within the data plane restricts lateral movement by isolating network segments?

  • A. Policy Engine
  • B. Adaptive Identity
  • C. Threat Scope Reduction
  • D. Policy Enforcement Point

Correct: D. The Policy Enforcement Point (PEP) operates in the Data Plane and is the gatekeeper that allows or blocks access to resources. It enforces the decisions made by the Policy Engine (Control Plane). Policy Engine evaluates (A is Control Plane). Adaptive Identity and Threat Scope Reduction are also Control Plane components.

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on published exam objectives. Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.