Domain 3 of 5
COMPTIA · SECURITY+ · STUDY GUIDE · DOMAIN 3

Domain 3: Security Architecture

Where the security choices get engineered. Match architecture to constraint, place devices for visibility and control, protect data in every state, and design resilience into the system — not bolt it on after an outage.

Exam weight: 18% · Objectives: 4 · Read time: ~35m · Exam code: SY0-701
01 Key Concepts at a Glance

Six Ideas That Drive Every Domain 3 Question

Architecture choices weave through 18% of the exam. Master these six and you can reason through almost any Domain 3 scenario — cloud, on-prem, hybrid, or OT.


Shared Responsibility

The provider is responsible for security of the cloud; the customer is responsible for security in the cloud. Where that split falls moves with IaaS/PaaS/SaaS.

“IaaS — you patch the OS. PaaS — provider patches runtime, you own code. SaaS — provider runs it, you still own identity and data.”

Deep dive in 3.1 Architecture Models

Isolate What You Can’t Patch

IoT, embedded, and ICS/SCADA rarely get patches. Segment, monitor, and compensate.

“A 20-year-old MRI stays on a segmented VLAN with one-way monitoring. You can’t patch it — but you can make sure a compromise can’t walk sideways.”

Deep dive in 3.1 Architecture Models

Placement Equals Power

Where a device sits determines what it can see and what it can block. Zones before devices.

“An IPS behind the firewall sees only traffic the firewall didn’t block. Place sensors where the traffic of interest flows — and design zones before you buy appliances.”

Deep dive in 3.2 Secure Infrastructure

State Drives Control

At rest → disk/field encryption. In transit → TLS/IPSec. In use → enclaves, tokenization.

“Name the state of the data first — the right control set narrows immediately. Laptop stolen? at-rest. API call? in-transit. Processing PAN in memory? in-use.”

Deep dive in 3.3 Data Protection

Tokenize to Shrink Scope

Encryption protects data; tokenization shrinks the audit boundary. Different jobs.

“For PCI, downstream systems that only see tokens fall out of scope. The exam tests whether you know tokenization is for scope reduction, not confidentiality.”

Deep dive in 3.3 Data Protection

HA ≠ DR

HA survives a server crash. DR survives losing the datacenter. Different problems, different answers.

“Load-balanced cluster solves HA. Hot/warm/cold sites and tested restores solve DR. RTO and RPO are the forcing functions — the numbers pick the architecture.”

Deep dive in 3.4 Resilience & Recovery
Shared Responsibility Matrix — Who Patches What

Layer           | On-Prem  | IaaS     | PaaS     | SaaS
Physical        | Customer | Provider | Provider | Provider
OS / Patching   | Customer | Customer | Provider | Provider
Runtime         | Customer | Customer | Provider | Provider
Application     | Customer | Customer | Customer | Provider
Identity / Data | Customer | Customer | Customer | Customer
03 Objective Navigator

      4 Objectives — Pick Your Path

      Each lesson teaches through real scenarios — concept, textbook, hard choice, exam signal. Start anywhere or go in order. Completed lessons show a checkmark.

3.1 Architecture Models (free)

      Cloud (IaaS/PaaS/SaaS, hybrid, shared responsibility), IaC, serverless, microservices, physical isolation, logical segmentation, SDN, on-prem, centralized vs decentralized, containerization, virtualization, IoT, ICS/SCADA, RTOS, embedded, HA — and the considerations (availability, resilience, cost, latency, patchability, power) that drive the choice.

3.2 Secure Enterprise Infrastructure (free)

      Device placement, security zones, attack surface, connectivity, fail-open vs fail-closed, active/passive, inline vs tap, jump servers, proxies (forward/reverse), IDS/IPS, load balancers, sensors, 802.1X + EAP, firewalls (WAF, UTM, NGFW, L4, L7), VPN (site-to-site, remote access), TLS/IPSec, SD-WAN, SASE.

3.3 Data Protection (free)

      Data types (regulated, trade secret, IP, legal, financial), classifications (public, private, sensitive, confidential, restricted, critical), states (at rest, in transit, in use), sovereignty and geolocation, encryption, hashing, masking, tokenization, obfuscation, segmentation, permission restrictions, DLP (endpoint, network, cloud).

3.4 Resilience & Recovery (free)

      High availability, load balancing vs clustering, active/active vs active/passive, hot/warm/cold sites, geographic dispersion, platform diversity, multi-cloud, BCP/DRP, capacity planning, testing (tabletop, simulation, failover, parallel), backups, snapshots, replication, journaling, power (UPS, generators, dual feeds), and the metrics — RTO, RPO, MTTR, MTBF.

04 Memory Aids

Learn It, Test It, Lock It In

Each card has 3 layers: mnemonic, scenario challenge, answer + exam tip.
      Responsibility Split
      IaaS → OS · PaaS → Code · SaaS → Config
      The deepest customer responsibility in each cloud service model.
      Scenario

      A customer uses a fully managed email service (SaaS) and gets phished. Whose responsibility was identity protection?

      Answer

      Customer. Identity, access, configuration, and data are the customer’s responsibility across every cloud service model — including SaaS. The provider runs the mail server; you own MFA, conditional access, and user training.

      Exam tip: “SaaS means no security work” is always wrong. Identity and data never shift to the provider.
      IDS vs IPS
      IDS alerts · IPS blocks
      IDS is passive by exam convention; IPS is active and inline.
      Scenario

      SCADA network where a false-positive block could halt physical processes. Which do you deploy inline?

      Answer

      IDS in monitor mode. In OT/ICS, availability and safety dominate; blocking legitimate traffic can trip a physical process. Detect + alert + engineer response; do not block inline.

      Exam tip: OT/SCADA strongly biases toward IDS or out-of-band monitoring. IPS inline is the wrong answer even if it sounds safer.
      Data States
      Rest → disk enc · Transit → TLS · Use → enclave
      Name the state of the data; the control set narrows immediately.
      Scenario

      A payment app processes the PAN in RAM during authorization. Which control protects it in that state?

      Answer

      Secure enclave / confidential computing (SGX, SEV). The data is in use. Disk encryption protects at rest, TLS protects in transit, and enclaves isolate computation for in-use.

      Exam tip: “in memory during processing” = in-use = enclave or tokenization, not disk encryption.
      Token vs Encrypt
      Encryption protects data · Tokenization shrinks scope
      Different jobs. Know which one the exam scenario is asking for.
      Scenario

      A retailer wants analytics and BI systems removed from PCI scope. Encrypt or tokenize the PAN?

      Answer

      Tokenize. Downstream systems see a token with no mathematical link to the PAN — so they fall out of PCI scope. Encryption would still leave a decryptable value in those systems.

      Exam tip: scope-reduction language → tokenization. Confidentiality-only language → encryption.
      RTO vs RPO
      RTO = Time · RPO = Point
      T for time-to-up; P for point-in-time (how far back the data goes).
      Scenario

      “System must be restored within 4 hours” — RTO or RPO?

      Answer

      RTO. Time-to-restore. RPO is about tolerable data loss — if the question said “lose no more than 15 minutes of transactions,” that’s RPO.

      Exam tip: any value in “minutes of data loss” is RPO. Any value in “hours of downtime” is RTO.
      Site Tiers
      Hot = now · Warm = soon · Cold = later
      Match tier to the stated RTO/RPO. The cheapest tier that meets the numbers is the right answer.
      Scenario

      Internal HR system with 48-hour RTO and tight budget. Which site type?

      Answer

      Cold site. 48 hours is plenty of time to stand up a cold site with nightly backups. Hot or warm would be overbuilt for the stated RTO and budget.

      Exam tip: don’t default to hot site when DR is mentioned. Match the site tier to the number. Budget-constrained language almost always implies warm or cold.

      The Forcing-Function Rule — Exam Strategy

      Domain 3 scenarios encode the answer in their constraints. Ask: what are the forcing functions? RTO and RPO drive site tier and backup cadence. Data state drives the protection control. Unpatchable asset drives segmentation. Cost constraint drives you toward the simplest option that meets the requirement. Don’t overbuy.

05 Think Like an Architect

      Security+ Tests How You Design Controls

      01
      Scenario

      The Unpatchable MRI

      A regional hospital has a 20-year-old MRI that runs a vendor-supported but unpatchable embedded OS. The vendor will only support the current configuration. The scanner must connect to the imaging network to return results. Which architectural approach is most appropriate?
• × Replace the scanner immediately
  Cost and clinical impact make immediate replacement unrealistic; the question is how to operate safely in the interim.
• × Install EDR agents on the scanner
  Vendor-supported unpatchable embedded systems typically cannot run third-party agents without voiding support.
• ✓ Place the scanner on a dedicated segmented VLAN with strict ACLs; log and monitor out-of-band
  What you cannot patch, you must isolate. Segmentation + monitoring + compensating controls is the Security+ answer for legacy medical devices.
• × Move the scanner to a cloud-hosted radiology service
  A physical device cannot be relocated to the cloud; cloud migration applies to software, not to hardware-bound systems.
      Principle: What you cannot patch, you must isolate. Segmentation + monitoring + compensating controls carry legacy and embedded systems.
      02
      Scenario

      PCI Scope Reduction

      A retailer’s orders database stores the full PAN. Analytics, BI, and customer-service tools all read that database, and the QSA has flagged them all as in scope for PCI DSS. The CISO wants to take them back out of scope. Which single control most directly achieves that?
• × Transparent database encryption (TDE)
  TDE protects disk, but any query result returns a decrypted PAN — so downstream systems stay in scope.
• ✓ Tokenize the PAN; store the real value in a processor-run vault
  Downstream systems only ever see a token with no math relationship to the PAN — they fall out of PCI scope entirely.
• × Mask the PAN to last four in the reports
  Masking is a display control; the stored value is unchanged, so database-level scope is unchanged.
• × Hash the PAN before writing to the database
  Hashing destroys the ability to correlate transactions; PCI DSS also treats truncated/hashed PANs with care.
      Principle: Encryption protects data; tokenization shrinks scope. For PCI, pick tokenization when the goal is removing downstream systems from the audit boundary.
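To make the Token vs Encrypt card and this scenario concrete, here is an added Python example (not from this study guide): a vault tokenizer, a toy reversible keyed transform standing in for TDE, and a scope check that asks whether a downstream system can reconstruct a PAN from what it holds. The sample PAN, the vault, and the toy cipher are constructed for illustration; the cipher is not a real one.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(value):
    """True if value is 13-19 digits passing the Luhn check, i.e. looks like a PAN."""
    if not (value.isdigit() and 13 <= len(value) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Tokenization: a random token stands in for the PAN. The mapping lives only
    inside the vault, so the token has no mathematical link to the PAN."""

    def __init__(self):
        self._by_token, self._by_pan = {}, {}

    def tokenize(self, pan):
        if pan not in self._by_pan:                # same PAN -> same token, so
            tok = "tok_" + secrets.token_hex(16)   # analytics can still join on it
            self._by_token[tok], self._by_pan[pan] = pan, tok
        return self._by_pan[pan]

    def detokenize(self, token):
        return self._by_token[token]

def toy_encrypt(key, plaintext):
    """Reversible keyed transform (XOR with an HMAC-derived keystream). A toy to
    show reversibility, not a real cipher: whoever holds the key gets the PAN."""
    nonce = secrets.token_bytes(8)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(plaintext.encode(), stream))

def toy_decrypt(key, blob):
    stream = hmac.new(key, blob[:8], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob[8:], stream)).decode(errors="replace")

def recoverable_pans(records, key=None, vault=None):
    """PANs a downstream system can reconstruct from the records it holds plus
    the secrets it can reach (a TDE key, vault access). Non-empty = in scope."""
    found = set()
    for rec in records:
        v = rec["card"]
        if isinstance(v, bytes) and key is not None:
            v = toy_decrypt(key, v)                # TDE: any query returns plaintext
        elif isinstance(v, str) and v.startswith("tok_") and vault is not None:
            v = vault.detokenize(v)                # only the vault owner can do this
        if isinstance(v, str) and luhn_valid(v):
            found.add(v)
    return found
```

A system holding only tokens and no vault access returns an empty set; a system that holds TDE-encrypted values together with the key still yields the PAN, which is why it stays in scope.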
      03
      Scenario

      The Ransomware Recovery

      Ransomware encrypted a company’s production file servers, the hourly snapshots on the same storage array, and the nightly backup appliance co-located in the production rack. Leadership asks: what control would most directly have prevented this single-event wipeout next time?
• × More frequent snapshots on the same storage array
  Same failure domain. More snapshots still fall to the same event.
• × Upgrade the backup appliance to a newer model
  Same rack, same credential exposure. Hardware refresh does not change failure-domain geometry.
• ✓ Offsite, immutable (or air-gapped) backups in a separate failure domain, with tested restores
  A copy the attacker cannot reach — and a verified restore — is the control the scenario is missing.
• × Larger UPS capacity in the primary datacenter
  Power resilience does not address ransomware encryption. Wrong layer.
      Principle: A backup that shares fate with production is not a backup. Immutable / offsite / air-gapped + tested restore = real resilience.
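The principle above can be turned into a check a practitioner can run over a backup inventory. This is an added Python example, not part of the study guide; the production domain name, the inventory, and the 60-minute RPO are constructed to mirror the scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PRODUCTION_DOMAIN = "dc1-rack7"   # constructed: the rack/array production lives in

@dataclass
class BackupCopy:
    name: str
    domain: str                      # failure domain the copy lives in (array, rack, site)
    immutable: bool                  # object-lock / WORM / air-gap: not alterable with prod creds
    interval_minutes: int            # refresh cadence; bounds the data loss on restore
    last_tested_restore: Optional[datetime]

def evaluate_copies(copies, rpo_minutes, now, max_test_age_days=90):
    """Return (names of copies that count as DR, findings per rejected copy).

    A copy counts only if it sits outside the production failure domain, cannot be
    altered from production, refreshes at least as often as the RPO, and has a
    verified restore within max_test_age_days. Anything else shares fate."""
    usable, findings = [], {}
    for c in copies:
        problems = []
        if c.domain == PRODUCTION_DOMAIN:
            problems.append("shares failure domain with production")
        if not c.immutable:
            problems.append("alterable from production credentials")
        if c.interval_minutes > rpo_minutes:
            problems.append(f"interval {c.interval_minutes}m exceeds RPO {rpo_minutes}m")
        if (c.last_tested_restore is None
                or now - c.last_tested_restore > timedelta(days=max_test_age_days)):
            problems.append(f"no verified restore in the last {max_test_age_days} days")
        if problems:
            findings[c.name] = problems
        else:
            usable.append(c.name)
    return usable, findings

# Constructed inventory matching the scenario: snapshots on the production array,
# a backup appliance in the same rack, and one offsite object-locked copy.
NOW = datetime(2024, 6, 1)
INVENTORY = [
    BackupCopy("array-snapshots", "dc1-rack7", False, 60, None),
    BackupCopy("rack-appliance", "dc1-rack7", False, 24 * 60, NOW - timedelta(days=200)),
    BackupCopy("offsite-objectlock", "cloud-region-b", True, 30, NOW - timedelta(days=20)),
]

def scenario_result(rpo_minutes=60):
    """Evaluate the constructed inventory against a constructed 60-minute RPO."""
    return evaluate_copies(INVENTORY, rpo_minutes, NOW)

if __name__ == "__main__":
    usable, findings = scenario_result()
    print("counts as DR:", usable)
    for name, probs in findings.items():
        print(f"{name}: " + "; ".join(probs))
```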
06 Common Traps

      The Tempting Wrong Answer

      1

      Shared Responsibility Drift

      SaaS is not “no security work.” Identity, access, configuration, and data remain the customer’s responsibility across every cloud service model.

      2

      Air-Gap ≠ Secure

      Air-gapped systems can still be breached via removable media, vendor laptops, or supply chain. Isolation reduces exposure but does not eliminate it.

      3

      WAF vs NGFW vs UTM

      WAF = HTTP-only application protection. NGFW = broad L7, app-aware, user-aware. UTM = bundled all-in-one for SMB. Different tools, different scopes.

      4

      Hashing Is Not Encryption

      Hashing is one-way (no key, no reversal) and provides integrity. Passwords should be hashed with salt + bcrypt/scrypt/Argon2, never encrypted.

      5

      Sovereignty ≠ Locality

      Locality is the physical location of data. Sovereignty is the legal regime that applies. An EU region does not automatically satisfy GDPR obligations.

      6

      Snapshots Are Not Backups

      Snapshots live on the same storage array as the primary — same failure domain. For ransomware and site-loss, offsite/immutable backups are the real control.

      7

      RTO vs RPO Swap

      RTO = time to restore (downtime tolerance). RPO = data-loss tolerance. Under pressure the two get swapped — read the units.

      8

      HA vs DR Conflation

      HA addresses failures within a site (server, rack, AZ). DR addresses loss of the site. A load balancer is not a disaster recovery plan.

07 Self-Check Quiz

      5 Practice Questions


Understand · Beginner · 3.1
      Q1. A customer migrates an in-house payroll app to a PaaS offering. Which responsibility most clearly shifts from the customer to the provider?
      • A Identity and access management
      • B Application source code security
      • C Operating system patching and runtime maintenance
      • D Data classification and encryption key ownership
      Correct: C

      PaaS shifts OS and runtime to the provider while the customer still owns code, data, identity, and configuration. IaaS would leave OS patching with the customer.

      Source: CompTIA SY0-701 Objectives v5.0 — 3.1
Apply · Intermediate · 3.2
      Q2. Administrators must reach servers in a sensitive DMZ zone. Which placement best provides controlled, auditable access without exposing those servers directly to the corporate network?
      • A Open RDP directly from the corporate LAN to each server
      • B Route administrators through a hardened jump server (bastion)
      • C Place a WAF between the corporate LAN and the servers
      • D Create a site-to-site VPN from each admin workstation
      Correct: B

      A jump server (bastion) concentrates and logs administrative access into a sensitive zone, enforcing MFA and auditing at a single choke point. Direct RDP bypasses the control; a WAF is for web-app traffic; site-to-site VPN is for network-to-network, not user access.

      Source: CompTIA SY0-701 Objectives v5.0 — 3.2
Analyze · Advanced · 3.3
      Q3. A payment app processes the PAN in memory during authorization. Which control best protects the PAN while it is being processed?
      • A Full-disk encryption on the application server
      • B TLS 1.3 between the app and the card network
      • C A secure enclave (SGX/SEV) isolating the processing from the host OS
      • D Daily tape backups of the transaction log
      Correct: C

      Data-in-use is the target state. Enclaves / confidential computing (SGX, SEV) protect computation from the host OS and hypervisor. Full-disk encryption protects at-rest; TLS protects in-transit; backups are a recovery control.

      Source: CompTIA SY0-701 Objectives v5.0 — 3.3
Apply · Intermediate · 3.4
      Q4. A financial firm states that transaction data can tolerate no more than 15 minutes of loss, and systems must be restored within 1 hour. Which pairing reflects the stated objectives?
      • A RTO = 15 minutes; RPO = 1 hour
      • B RPO = 15 minutes; RTO = 1 hour
      • C MTTR = 15 minutes; MTBF = 1 hour
      • D Both are MTTR targets
      Correct: B

      Data-loss tolerance is RPO (15 minutes here); downtime tolerance is RTO (1 hour here). MTTR and MTBF describe observed behavior, not stated targets.

      Source: CompTIA SY0-701 Objectives v5.0 — 3.4
Analyze · Advanced · 3.4
      Q5. Ransomware encrypts production file servers, hourly snapshots on the same storage array, and the backup appliance co-located in the same rack. Which control would most directly have prevented this single-event wipeout?
      • A Additional hourly snapshots on the same array
      • B Faster replication between production servers
      • C Offsite, immutable (or air-gapped) backups in a separate failure domain
      • D Larger UPS capacity in the primary datacenter
      Correct: C

      Snapshots and onsite backups share the production failure domain. A copy in a different failure domain — offsite, immutable, or air-gapped — is what the attacker cannot reach, and is the defining control for ransomware resilience.

      Source: CompTIA SY0-701 Objectives v5.0 — 3.4

      Disclaimer
      This content is provided for educational and exam preparation purposes only. It is designed to supplement your study efforts with additional context, scenarios, and practice material. This is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on published exam objectives — they are not actual exam questions. Exam content, format, and policies are determined solely by CompTIA. Always refer to the official CompTIA Security+ SY0-701 Exam Objectives as your primary reference. Tech Jacks Solutions is not responsible for exam outcomes.
