Overview
Security architecture encompasses the frameworks, principles, and technologies used to design and implement secure systems. This guide covers foundational design principles, network segmentation strategies, Zero Trust models, cloud security responsibilities, and hardware-level protections. Mastery of these concepts is essential for the CompTIA Security+ exam and real-world security practice.
---
Secure Design Principles
Summary
Secure design principles are the foundational rules that guide how secure systems are built, configured, and maintained. These principles work together to reduce risk by limiting access, containing failures, and minimizing exploitable surfaces.
Key Concepts
• Least Privilege – Grant users, systems, and processes only the minimum access required to perform their function. Nothing more.
• Defense in Depth – Layer multiple security controls so no single point of failure exists. If one layer fails, others compensate.
• Separation of Duties – Divide sensitive tasks among multiple individuals so no one person can complete a critical action alone, reducing fraud and error risk.
• Secure by Default – Systems ship with the most restrictive settings enabled; administrators must explicitly loosen restrictions rather than tighten them.
• Open Design – Security relies on secret keys, not secret algorithms. A system remains secure even when its design is publicly known.
• Fail Secure (Fail Closed) – When a system fails, it defaults to denying access, not granting it.
• Privacy by Design – Data privacy protections are built into systems from the start, not added later as an afterthought.
• Attack Surface Reduction – Minimize exploitable entry points by disabling unused services, ports, and features; removing unnecessary software.
Key Terms
• Blast Radius – The scope of damage a successful attack or failure can cause
• Chokepoint – A single controlled access point that all traffic must pass through
• Implicit Trust – The dangerous assumption that internal network traffic is safe by default
Relationships Between Principles
| Principle | Primary Goal |
|---|---|
| Least Privilege | Limit access scope |
| Separation of Duties | Prevent single-person abuse |
| Defense in Depth | Eliminate single points of failure |
| Fail Secure | Maintain security during failures |
| Attack Surface Reduction | Minimize exploitable entry points |
Watch Out For
> ⚠️ Fail Secure vs. Fail Safe – "Fail safe" (fail open) prioritizes availability (e.g., fire doors unlock during a power failure). "Fail secure" (fail closed) prioritizes security by denying access. Know which applies in a given scenario.
> ⚠️ Open Design ≠ Open Source – Open design means the security mechanism doesn't depend on keeping the design secret. It does not mean the source code must be publicly available.
> ⚠️ Least Privilege vs. Need to Know – Least privilege applies to system permissions; need to know applies to information access. Both restrict, but in different contexts.
---
Network Segmentation & Zones
Summary
Network segmentation divides a network into isolated zones to contain breaches, limit lateral movement, and enforce access controls between different trust levels.
Key Concepts
• DMZ (Demilitarized Zone) – A buffer network segment between the untrusted internet and the trusted internal network. Hosts public-facing services (web servers, email gateways) while protecting internal resources from direct external access.
• VLAN (Virtual Local Area Network) – Logically segments a physical network into separate broadcast domains, isolating traffic without requiring separate physical hardware.
• Air Gap – A physical isolation of a system from all external connections, including the internet. Used in ICS, military, and classified government environments.
• Microsegmentation – Applies granular, workload-level security policies within data centers or clouds, enabling control of east-west traffic (internal lateral movement), not just north-south (external) traffic.
• Intranet – Private internal network for employees only.
• Extranet – Extends limited, controlled intranet access to trusted external parties (partners, suppliers) via VPN or dedicated links.
Network Zone Trust Hierarchy
```
[Internet / Untrusted]
↓
[DMZ / Semi-Trusted]
↓
[Internal Network / Trusted]
↓
[Highly Sensitive Zones / Air-Gapped]
```
Key Terms
• Lateral Movement – An attacker's technique of moving from one compromised system to others within the same network
• East-West Traffic – Network traffic moving between systems within a data center or network (internal to internal)
• North-South Traffic – Network traffic moving into or out of the network (external to internal)
• Broadcast Domain – A logical segment where broadcast traffic is contained
Watch Out For
> ⚠️ VLANs Are Logical, Not Physical – VLANs improve segmentation but are not a substitute for physical separation in high-security environments. VLAN hopping attacks can bypass logical segmentation.
> ⚠️ Air Gap ≠ Wireless Disabled – A true air gap means no electronic connections of any kind. Simply disabling Wi-Fi on a connected device is not an air gap.
> ⚠️ DMZ Placement – In exam scenarios, public-facing servers (web, DNS, mail) belong in the DMZ, not on the internal network. Internal servers (databases, domain controllers) should never be in the DMZ.
---
Zero Trust Architecture
Summary
Zero Trust Architecture (ZTA) eliminates the assumption that anything inside the network perimeter is trustworthy. Every access request must be explicitly verified, regardless of where it originates.
Core Principle
> "Never trust, always verify." — No user, device, or network segment is trusted by default, even inside the corporate network.
NIST SP 800-207: Three Core Components
| Component | Role |
|---|---|
| Policy Engine | Makes the access decision (grant, deny, revoke) |
| Policy Administrator | Executes the decision by enabling or disabling communication paths |
| Policy Enforcement Point (PEP) | Acts as the gatekeeper, controlling actual resource access |
Key Concepts
• Implicit Trust Zones Eliminated – Traditional architectures trust internal traffic by default. Zero Trust requires every request—internal or external—to be verified before access is granted.
• Identity as the New Perimeter – With users working remotely and resources in the cloud, network location is no longer meaningful. Verified identity (user + device) becomes the primary access control mechanism.
• Continuous Verification – Authentication and authorization are not one-time events; trust is continuously re-evaluated throughout a session.
• Micro-segmentation + Zero Trust – Microsegmentation is often a technical implementation of Zero Trust principles at the workload level.
Traditional Perimeter vs. Zero Trust
| Aspect | Traditional Model | Zero Trust Model |
|---|---|---|
| Internal traffic | Trusted by default | Must be verified |
| Perimeter | Network boundary | Identity + device |
| Lateral movement risk | High | Minimized |
| Remote work support | Limited | Native |
Watch Out For
> ⚠️ Zero Trust Is Not a Single Product – Zero Trust is an architecture and philosophy, not a technology you can purchase. It requires multiple controls working together (MFA, microsegmentation, identity management, etc.).
> ⚠️ "Verify Explicitly" Applies Internally Too – A common misconception is that Zero Trust only applies to external users. It applies to all requests, including those from internal employees on the internal network.
---
Cloud & Hybrid Architecture
Summary
Cloud security introduces a shared model of responsibility between providers and customers. Understanding who owns what—and how different deployment models change those boundaries—is critical.
Shared Responsibility Model
```
IaaS PaaS SaaS
─────────────────────────────────
Data Data ──────── ← Customer always owns DATA
Apps Apps Apps
OS ──────── ────────
Middleware Middleware ────────
Runtime Runtime ────────
──────────────────────────────────← Provider boundary shifts up
Hardware Hardware Hardware
```
| Model | Customer Responsible For | Provider Responsible For |
|---|---|---|
| IaaS | OS, middleware, runtime, apps, data | Hardware, virtualization |
| PaaS | Applications, data | OS, middleware, runtime, hardware |
| SaaS | Data, user access | Everything else |
Key Concepts
• Hybrid Cloud Risk – Inconsistent security policies across on-premises and cloud environments; increased attack surface through the connectivity links between environments.
• Cloud Access Security Broker (CASB) – Sits between users and cloud services to enforce policies, provide visibility, prevent data leakage, and detect threats. Solves shadow IT problems.
• Serverless Security – The provider secures the OS and runtime, but the customer owns application code security, function permissions, and injection vulnerability prevention. Ephemeral nature complicates forensics and monitoring.
• Shadow IT – Unauthorized cloud service use by employees without IT approval, creating unmonitored data exposure risks.
Key Terms
• Shadow IT – Unauthorized use of cloud apps or services outside IT governance
• Ephemeral – Short-lived; serverless functions exist only during execution, making logging and forensics difficult
• East-West Security – Security controls applied to traffic between workloads within the cloud environment
Watch Out For
> ⚠️ "Security OF the Cloud" vs. "Security IN the Cloud" – The provider always owns security of the physical infrastructure. The customer always owns security of their data. The dividing line shifts based on IaaS/PaaS/SaaS.
> ⚠️ CASB Is Not a Firewall – A CASB focuses on cloud service visibility and policy enforcement. It does not replace a firewall or IDS.
> ⚠️ Serverless ≠ Worry-Free – Despite the provider managing infrastructure, customers are still responsible for insecure code, over-permissioned functions, and injection attacks (e.g., event injection).
---
Infrastructure & Hardware Security
Summary
Hardware and infrastructure security addresses protections at the physical and firmware levels, including trusted hardware components, secure provisioning, and hardened access controls.
Key Concepts
• Hardware Security Module (HSM) – A dedicated physical device that securely generates, stores, and manages cryptographic keys. Keys never exist in plaintext outside the device. Used for PKI root keys, digital signing, and key management.
• Trusted Platform Module (TPM) – A microchip embedded on a device's motherboard that stores keys, certificates, and integrity measurements. Enables:
- Secure Boot – Verifies OS integrity at startup
- Full-Disk Encryption – Stores BitLocker encryption keys
- Device Attestation – Proves device identity and integrity state
• Secure Boot – Ensures only software with a valid cryptographic signature from a trusted source loads during startup, blocking bootkits and rootkits.
• Infrastructure as Code (IaC) – Uses configuration files to provision infrastructure automatically. Security risk: misconfigured templates can deploy vulnerabilities at scale consistently across an environment.
• Jump Server (Bastion Host) – A hardened system serving as the sole access point into a secure network zone. Creates a single audited chokepoint for administrative access.
• Containerization – Isolates applications and their dependencies from the host OS and other containers, limiting blast radius if a container is compromised.
• Software-Defined Networking (SDN) – Separates the control plane (policy decisions) from the data plane (traffic forwarding), enabling centralized, dynamic, programmable security policy enforcement without reconfiguring individual hardware.
HSM vs. TPM Comparison
| Feature | HSM | TPM |
|---|---|---|
| Form Factor | Dedicated external/internal device | Chip soldered to motherboard |
| Primary Use | Enterprise key management, PKI | Device integrity, disk encryption |
| Portability | Portable (rack, USB, network) | Device-bound |
| Scale | Enterprise/data center | Individual device |
Key Terms
• Control Plane – The layer that makes routing/policy decisions in a network
• Data Plane – The layer that actually forwards/processes traffic based on control plane decisions
• Attestation – The process of cryptographically proving a device's identity and configuration state
• Bootkit/Rootkit – Malware that executes before the OS loads, bypassing traditional antivirus
• Blast Radius – The scope of damage if a component is compromised
Watch Out For
> ⚠️ HSM vs. TPM – HSMs are enterprise-scale key management devices; TPMs are device-bound chips. An HSM can be removed and used elsewhere; a TPM is tied to a specific machine.
> ⚠️ IaC = Configuration at Scale – A single misconfiguration in an IaC template doesn't affect one server—it affects every server deployed from that template. This is both the power and the risk.
> ⚠️ Containers ≠ Virtual Machines – Containers share the host OS kernel; VMs have separate OS instances. A kernel-level exploit can potentially escape a container; VMs provide stronger isolation.
> ⚠️ Jump Servers Create Chokepoints, Not Immunity – A compromised jump server gives attackers access to everything it connects to. Jump servers must be heavily hardened and monitored.
---
Quick Review Checklist
Use this checklist to confirm mastery before exam day:
Secure Design Principles
• [ ] Define least privilege and give an example of enforcement
• [ ] Explain how defense in depth eliminates single points of failure
• [ ] Distinguish separation of duties from least privilege
• [ ] Describe what fail secure means and contrast it with fail safe/fail open
• [ ] Explain why open design relies on key secrecy, not algorithm secrecy
• [ ] Describe attack surface reduction methods
Network Segmentation & Zones
• [ ] Identify what services belong in a DMZ
• [ ] Explain the security benefit of network segmentation (lateral movement containment)
• [ ] Distinguish VLAN segmentation from physical segmentation
• [ ] Define air gap and name two environments that use it
• [ ] Explain microsegmentation and east-west traffic control
• [ ] Contrast intranet and extranet
Zero Trust Architecture
• [ ] State the Zero Trust core principle ("never trust, always verify")
• [ ] Name and define the three NIST SP 800-207 ZTA components
• [ ] Explain why identity is the new perimeter in Zero Trust
• [ ] Describe what eliminating implicit trust zones means in practice
Cloud & Hybrid Architecture
• [ ] Identify the customer's security responsibilities in IaaS, PaaS, and SaaS
• [ ] Explain the shared responsibility model in one sentence
• [ ] Define CASB and the problem it solves (shadow IT)
• [ ] Describe the unique security challenges of hybrid cloud
• [ ] Explain why serverless computing complicates forensics
Infrastructure & Hardware Security
• [ ] Distinguish HSM from TPM by use case and form factor
• [ ] Explain what Secure Boot prevents
• [ ] Describe the security risk of Infrastructure as Code (IaC)
• [ ] Define a jump server and its security purpose
• [ ] Explain how containerization limits blast radius
• [ ] Describe how SDN separates control and data planes for security benefit
---
Focus extra attention on shared responsibility model boundaries, Zero Trust components (NIST SP 800-207), HSM vs. TPM distinctions, and fail secure vs. fail safe—these are high-frequency exam topics.