Security+ Domain #3 Architecture and Design
Architecture and Design is a core component of a successfully managed Information Security environment, and its role in Security+ preparation is not merely important but vital. This article will examine Architecture and Design of an Information Security environment within the context of preparing for the CompTIA Security+ Certification Exam. Please note that this article will not suffice for an adequate review of the Architecture and Design portion of the Security+ exam. Rather, Security+ candidates should refer to InfoSec Institute’s comprehensive Security+ Training Course and/or Boot Camp for a proper refresher.
Outline of Security+ Architecture and Design Topics
Because this article focuses on Architecture and Design from the point of view of the CompTIA Security+ exam, it is helpful to define the universe of information that this portion of the exam covers. Below is a list of the subtopics covered on the Security+ exam:
- Use cases and purposes for frameworks, best practices, and secure configuration guides
- Implementation of secure network architecture concepts
- Implementation of secure systems design
- Importance of secure staging deployment concepts
- Security implications of embedded systems
- Secure application development and deployment concepts
- Cloud and virtualization concepts
- Resiliency and automation to reduce risk
- Importance of physical security controls
Use Cases and Purpose for Frameworks, Best Practices, and Secure Configuration Guides
Candidates will want to divide this portion of Security+ into three subcategories – Industry-standard frameworks and reference architectures, Benchmarks/secure configuration guides, and Defense-in-depth/layered security.
Candidates will need to be able to explain industry-standard frameworks and reference architectures on the exam, including the differences between regulatory and non-regulatory designations, national and international designations, and industry-specific frameworks.
Benchmarks/Secure Configuration Guides
Candidates will need to know the differences between the various Platform/vendor-specific configuration guides, such as web server, operating system, application server, and network infrastructure devices.
Under defense-in-depth/layered security, candidates will need to explain the difference between vendor diversity and control diversity. User training is also covered and should be studied.
Implementation of Secure Network Architecture Concepts
Security+ is well-known for testing individuals on the application of knowledge, and this part of Architecture and Design is no exception. Given a scenario, candidates will need to demonstrate competency in implementing zones/topologies, segregation/segmentation/isolation, tunneling/VPN, security devices/technology placement, and SDN.
Implementation of Secure Systems Design
Candidates will need to demonstrate application of their knowledge of secure systems design. This includes the effective implementation of hardware/firmware security, operating systems (including different operating system types, patch management, disabling default accounts/passwords, etc.), and peripherals.
The application of this knowledge is one of the most practical, real-world uses of Information Security knowledge tested with Security+.
Importance of Secure Staging Deployment Concepts
The Security+ exam requires candidates to explain the importance of secure staging deployment concepts. Concepts that need to be explained are sandboxing, environment types (development, testing, staging, production), secure baseline, and integrity measurement.
Security Implications of Embedded Systems
This section of Architecture and Design requires candidates to explain the security implications of embedded systems in an Information Security environment. Material tested includes SCADA/ICS, smart devices/Internet of Things (wearable technology, home automation), HVAC, SoC, RTOS, printers/MFDs, camera systems, and special-purpose technology (medical devices, vehicles, aircraft/UAV). The importance of embedded systems has increased dramatically as technology has evolved and will likely only continue to grow. Therefore, this section should be reviewed carefully by candidates preparing for Security+.
Secure Application Development and Deployment Concepts
Secure Application Development and Deployment Concepts cover more material than most of the other subtopics within Architecture and Design. First, candidates will need to summarize development life-cycle models. This specifically includes the Waterfall vs. Agile dichotomy that many in Information Security are faced with. Second, candidates will need to summarize Secure DevOps. This includes security automation, continuous integration, baselining, immutable systems, and infrastructure as code. Third, candidates will have to demonstrate competency with secure coding techniques. This includes proper error handling, proper input validation, normalization, encryption, and server-side vs. client-side execution just to name a few.
Code quality and testing also need summarization – including static code analyzers, stress testing, model verification, etc. Successful candidates will also need to demonstrate the ability to summarize version control and change management, provisioning/de-provisioning, and compiled vs. runtime code.
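The secure coding techniques listed above (proper input validation, normalization, proper error handling, and server-side rather than client-side enforcement) are easier to recognize on the exam when you have seen them in working code. The following is an added example written for this article, not code from the original page or from any exam guide; the `handle_register` handler, the request dictionary it consumes, and the username and age rules are all assumptions constructed for illustration.

```python
import logging
import re
import unicodedata

logger = logging.getLogger("registration")


class ValidationError(ValueError):
    """Raised for bad input. The message is deliberately safe to show to a user."""


# Allow-list pattern: validate against what IS permitted, not against a deny list.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def normalize_username(raw):
    """Normalize BEFORE validating, so visually identical Unicode forms
    (fullwidth letters, ligatures, mixed case) cannot slip past the check."""
    if not isinstance(raw, str):
        raise ValidationError("username must be text")
    return unicodedata.normalize("NFKC", raw).strip().lower()


def validate_username(raw):
    name = normalize_username(raw)
    if not USERNAME_RE.fullmatch(name):
        raise ValidationError("username may contain only a-z, 0-9 and _ (3-32 characters)")
    return name


def validate_age(raw):
    """Type and range check: reject anything that is not a whole number in range."""
    try:
        age = int(str(raw).strip())
    except (TypeError, ValueError):
        raise ValidationError("age must be a whole number") from None
    if not 0 < age < 150:
        raise ValidationError("age out of range")
    return age


def handle_register(request):
    """Server-side handler for a constructed registration request (a plain dict).

    A browser form may already have checked these fields client-side, but that
    check runs on a machine the server does not control, so it is repeated here.
    """
    try:
        username = validate_username(request.get("username"))
        age = validate_age(request.get("age"))
        return {"status": 200, "body": {"username": username, "age": age}}
    except ValidationError as err:
        # Client error: precise but non-sensitive feedback helps a legitimate user.
        return {"status": 400, "body": {"error": str(err)}}
    except Exception:
        # Unexpected failure: full detail goes to the server log only; the
        # response reveals no stack trace, file path or query text.
        logger.exception("registration failed")
        return {"status": 500, "body": {"error": "internal error"}}


if __name__ == "__main__":
    # Constructed sample requests: fullwidth Unicode username, a too-short name,
    # and a malformed request object.
    print(handle_register({"username": "\uff21\uff4c\uff49\uff43\uff45", "age": "30"}))
    print(handle_register({"username": "a", "age": "30"}))
    print(handle_register(None))
```

Two design points worth noting for the exam: normalization happens before validation (otherwise the allow-list can be bypassed with equivalent Unicode forms), and the two `except` branches show the difference between a user-facing validation message and an internal error that must be logged rather than echoed back.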
Summarize Cloud and Virtualization Concepts
With the ever-increasing importance of the Cloud and other virtualization concepts, candidates will need to summarize this area succinctly as well. Topics covered include hypervisors, VM sprawl avoidance/escape protection, Cloud storage/deployment models, Cloud access security brokers, and Security as a Service, just to name a few. Any successful Security+ candidate will need to know this like the back of their hand.
Resiliency and Automation Strategies
Next, candidates must explain how resiliency and automation strategies reduce risk in an Information Security environment. Material covered includes Automation/scripting – specifically automated courses of action, continuous monitoring, and configuration validation.
Other material covered includes master images, non-persistence (snapshots, revert to known state, rollback to known configuration, live boot media), elasticity, scalability, redundancy, and fault tolerance. This list is not exhaustive, and candidates should refer to InfoSec’s Security+ Training Course for more information and guidance in covering this material during study.
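Configuration validation against a secure baseline (from the automation/scripting list above) and the integrity measurement named under secure staging are the same idea in practice: measure the current state, compare it to a known-good record, and report drift. The following is an added example written for this article, not code from the original page or from any exam guide. It builds a constructed miniature configuration tree in a temporary directory, records a baseline of SHA-256 file hashes, simulates drift, and reports what was added, removed or modified; the file names and contents are invented for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def measure(root):
    """Integrity measurement: map every regular file under root to its hash.

    Symlinks are skipped so a link pointing outside the tree cannot make an
    unrelated file look like part of the baseline.
    """
    root = Path(root)
    measured = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            measured[path.relative_to(root).as_posix()] = sha256_file(path)
    return measured


def compare(baseline, current):
    """Configuration validation: classify drift between two measurements."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: golden baseline, then three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("authorized use only\n")

        baseline = measure(root)  # the known-good state to revert to or alert on

        # Simulated drift: a hardening setting weakened, a new startup file
        # appears, and a file that should exist is gone.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "rc.local").write_text("echo hello\n")
        (root / "etc" / "motd").unlink()

        return compare(baseline, measure(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In a real deployment the baseline dictionary would be written out (for example as JSON) from a freshly built master image and the comparison run by a scheduled job, with any non-empty drift list treated as an alert or as the trigger for an automated rollback to the known configuration.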
Importance of Physical Security Controls
As with all Information Security environments, physical security controls are vital, and no viable environment lacks these controls. Candidates will have to explain the importance of lighting, security guards, alarms, signs, key management, locks, environmental controls, logs, cameras, and motion detection. This list is not exhaustive; therefore, candidates should spend time learning how to explain the importance of the multitude of these security safeguards and how they impact an Information Security environment.