Security+ Domain 3: Security Architecture
Domain 3.0 — Security Architecture · 18% of the exam
How secure systems are built — all 4 objectives (3.1–3.4) across architecture models from cloud to ICS/IoT, securing enterprise infrastructure, the full data-protection toolkit, and resilience and recovery. 81 pages with 60 exam-style practice questions.
All study guides — current and every new one.
- Interactive online guide
- Downloadable PDF
- Lifetime updates
- 30-day money-back guarantee
Secure checkout via Stripe · no account needed · instant access
18% of your exam score
Domain 3.0 is worth 18% of the SY0-701 exam. Walk in having mastered it — not hoping it doesn't come up.
Every objective, nothing extra
Built line by line from CompTIA's official objectives 3.1–3.4 — 26 in-depth topics with worked scenarios and exam tips, in a 81-page guide you'll actually finish.
60 exam-style questions
Every question comes with instant feedback and a full explanation, so a wrong answer teaches you as much as a right one.
The industry's baseline cert
Security+ is the most widely held cybersecurity certification in the world — the default HR filter for security roles and the baseline for DoD 8140 work.
Read a real excerpt — free
This is the actual opening of Module 3.1, Architecture models — not marketing copy. If you like how it teaches, the rest of the guide reads the same way.
Compare and contrast security implications of different architecture models
Every architecture is a bundle of trade-offs. This module surveys the major models — cloud, on-premises, hybrid, virtualized, containerized, serverless, and the specialized world of IoT and industrial systems — and gives you the vocabulary of considerations CompTIA uses to compare them.
The big idea of 3.1: where your workload runs determines who secures what, what can fail, and what you can fix. Move to the cloud and you trade physical control for provider-managed layers; virtualize and you gain density but inherit hypervisor risk; deploy an embedded controller on a factory floor and you may lose the ability to patch at all. The exam wants you to reason about these implications, not memorize marketing terms.
Cloud architecture and the responsibility matrix
Cloud computing delivers compute, storage, and services on demand from a provider's infrastructure. The defining security concept is the shared responsibility model, usually drawn as a responsibility matrix: a table showing, for each service model, which layers the cloud service provider (CSP) secures and which layers remain yours. The dividing line moves with the service model — but your data, your identities, and your access decisions are always your responsibility, in every model.
| Layer | On-premises | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Data & access (classification, IAM) | Customer | Customer | Customer | Customer |
| Application code / configuration | Customer | Customer | Customer | Provider (customer configures) |
| Runtime & middleware | Customer | Customer | Provider | Provider |
| Operating system (patching!) | Customer | Customer | Provider | Provider |
| Virtualization / hypervisor | Customer | Provider | Provider | Provider |
| Servers, storage, network hardware | Customer | Provider | Provider | Provider |
| Physical facility & data center | Customer | Provider | Provider | Provider |
A classic discriminator: in IaaS the customer manages the operating system and everything above it — including OS patching. In PaaS the provider manages the OS and runtime while the customer manages application code and data. In SaaS the provider manages nearly everything; the customer's job shrinks to data, user access, and configuration choices. If a stem says "the provider failed to patch the hypervisor," that is the provider's responsibility in every cloud model.
Hybrid considerations
A hybrid architecture combines on-premises infrastructure with one or more clouds, usually connected by VPN or dedicated links. Security implications: you now have two security stacks to keep consistent (identity, logging, encryption policy), a network boundary that spans environments, data moving between jurisdictions and trust zones, and a bigger, blurrier attack surface. Misaligned controls — say, MFA enforced on-prem but not on the cloud admin portal — are the classic hybrid failure. Authentication should be unified (federation/SSO), monitoring centralized, and data flows between the environments encrypted and mapped.
Not ready to buy? Read it later.
We'll email you a free sample of this guide as a PDF — no purchase needed.
Try 3 sample questions
Pulled straight from the guide's 60-question bank — tap an answer for instant feedback and the explanation.
From module 3.1 · Architecture models
1. A company migrates its application servers to an IaaS provider. Several months later, the servers are compromised through an unpatched operating system vulnerability. According to the cloud shared responsibility model, who was responsible for applying the OS patches?
From module 3.2 · Securing infrastructure
1. A security architect must place a new public-facing web server so that a compromise of the server cannot give an attacker direct access to internal systems. Where should the server be placed?
From module 3.3 · Data protection
1. A payment processor replaces stored credit card numbers with randomly generated values that have no mathematical relationship to the originals. The real numbers are kept in a separate, hardened vault. Which method is being used?
57 more questions like these are waiting inside.
What's inside
- 26 in-depth topics across 4 modules, mapped to objectives 3.1–3.4
- 60 exam-style practice questions with instant feedback
- Full answer key with explanations for every question
- Complete Security+ acronym & key-term reference
- 81-page downloadable PDF for offline study and printing
- Lifetime updates as the exam evolves
The modules, mapped to the objectives
- 3.115 Qs
Architecture models
Compare and contrast security implications of different architecture models
IaCInfrastructure as CodeServerlessMicroservices - 3.215 Qs
Securing infrastructure
Given a scenario, apply security principles to secure enterprise infrastructure
Jump servera.k.a. jump box / bastionProxy serverIPSIntrusion Prevention SystemIDSIntrusion Detection SystemLoad balancerSensors - 3.315 Qs
Data protection
Compare and contrast concepts and strategies to protect data
Data typesData classificationsData states — and general considerationsMethods to secure data - 3.415 Qs
Resilience & recovery
Explain the importance of resilience and recovery in security architecture
Platform diversityMulti-cloud systemsCOOPContinuity of OperationsOnsite / offsiteFrequencyEncryption

About the author
Chris Rees
Professional information technologist with 25+ years in IT and the author of 60+ certification training courses — 50+ live on Pluralsight, rated 4.6/5 across more than 2,000 reviews. This guide is that same exam-focused teaching, in a format you can finish.
More about ChrisSitting the whole exam? Get the Complete Security+ Collection.
All 5 SY0-701 domains — including this guide — for $29.95 instead of $49.75.
See everything insideQuestions, answered
Do I need an account to buy?
No. Checkout is a single Stripe form — email and card, about 30 seconds. We create your access from your checkout email automatically and sign you in the moment payment completes.
Is this up to date with the real SY0-701 exam?
Yes — the guide is mapped module-by-module to CompTIA's official Security+ objectives (3.1–3.4), and lifetime updates are included, so as the exam evolves your guide does too.
What exactly do I get?
Instant access to the interactive online guide with all 60 practice questions, plus a 81-page PDF you can download, print, and keep forever.
Do I need the other domains too?
This guide covers Domain 3.0 (18% of the exam). To prepare for the whole exam, the Complete Security+ Collection bundles all 5 domains for $29.95 — less than the price of three guides.
What if it isn't for me?
Every purchase comes with a 30-day money-back guarantee — email us and we'll refund you, no hoops.
Who wrote it?
Chris Rees — a professional information technologist with 25+ years in IT and the author of 60+ certification courses, rated 4.6/5 across 2,000+ reviews on Pluralsight.
Be ready for 18% of the exam — for $9.95
Instant access, lifetime updates, and a 30-day money-back guarantee. The only risk is walking into the exam without it.
Get the guide