Skip to content
CompTIA Security+ · SY0-701

Security+ Domain 3: Security Architecture

Domain 3.0 — Security Architecture · 18% of the exam

How secure systems are built — all 4 objectives (3.1–3.4) across architecture models from cloud to ICS/IoT, securing enterprise infrastructure, the full data-protection toolkit, and resilience and recovery. 81 pages with 60 exam-style practice questions.

4 modules · 26 topics 81-page PDF 60 practice questions
Read a free sample By the author of 60+ Pluralsight courses · 4.6/5 from 2,000+ ratings
Best value
$19.95/ month

All study guides — current and every new one.

or own the whole exam
$29.95one-time · all 5 domains$49.75
or just this guide
$9.95one-time · lifetime access
  • Interactive online guide
  • Downloadable PDF
  • Lifetime updates
  • 30-day money-back guarantee

Secure checkout via Stripe · no account needed · instant access

18% of your exam score

Domain 3.0 is worth 18% of the SY0-701 exam. Walk in having mastered it — not hoping it doesn't come up.

Every objective, nothing extra

Built line by line from CompTIA's official objectives 3.1–3.4 — 26 in-depth topics with worked scenarios and exam tips, in a 81-page guide you'll actually finish.

60 exam-style questions

Every question comes with instant feedback and a full explanation, so a wrong answer teaches you as much as a right one.

The industry's baseline cert

Security+ is the most widely held cybersecurity certification in the world — the default HR filter for security roles and the baseline for DoD 8140 work.

Read a real excerpt — free

This is the actual opening of Module 3.1, Architecture models — not marketing copy. If you like how it teaches, the rest of the guide reads the same way.

Objective 3.1

Compare and contrast security implications of different architecture models

Every architecture is a bundle of trade-offs. This module surveys the major models — cloud, on-premises, hybrid, virtualized, containerized, serverless, and the specialized world of IoT and industrial systems — and gives you the vocabulary of considerations CompTIA uses to compare them.

The big idea of 3.1: where your workload runs determines who secures what, what can fail, and what you can fix. Move to the cloud and you trade physical control for provider-managed layers; virtualize and you gain density but inherit hypervisor risk; deploy an embedded controller on a factory floor and you may lose the ability to patch at all. The exam wants you to reason about these implications, not memorize marketing terms.

Cloud architecture and the responsibility matrix

Cloud computing delivers compute, storage, and services on demand from a provider's infrastructure. The defining security concept is the shared responsibility model, usually drawn as a responsibility matrix: a table showing, for each service model, which layers the cloud service provider (CSP) secures and which layers remain yours. The dividing line moves with the service model — but your data, your identities, and your access decisions are always your responsibility, in every model.

LayerOn-premisesIaaSPaaSSaaS
Data & access (classification, IAM)CustomerCustomerCustomerCustomer
Application code / configurationCustomerCustomerCustomerProvider (customer configures)
Runtime & middlewareCustomerCustomerProviderProvider
Operating system (patching!)CustomerCustomerProviderProvider
Virtualization / hypervisorCustomerProviderProviderProvider
Servers, storage, network hardwareCustomerProviderProviderProvider
Physical facility & data centerCustomerProviderProviderProvider
Figure 3.1 — The cloud responsibility matrix. The line moves up as you go from IaaS → PaaS → SaaS, but data and identity never leave the customer's column.
Exam tip · who patches the OS?

A classic discriminator: in IaaS the customer manages the operating system and everything above it — including OS patching. In PaaS the provider manages the OS and runtime while the customer manages application code and data. In SaaS the provider manages nearly everything; the customer's job shrinks to data, user access, and configuration choices. If a stem says "the provider failed to patch the hypervisor," that is the provider's responsibility in every cloud model.

Hybrid considerations

A hybrid architecture combines on-premises infrastructure with one or more clouds, usually connected by VPN or dedicated links. Security implications: you now have two security stacks to keep consistent (identity, logging, encryption policy), a network boundary that spans environments, data moving between jurisdictions and trust zones, and a bigger, blurrier attack surface. Misaligned controls — say, MFA enforced on-prem but not on the cloud admin portal — are the classic hybrid failure. Authentication should be unified (federation/SSO), monitoring centralized, and data flows between the environments encrypted and mapped.

The guide continues for 81 pagesKeep reading — unlock the full guide

Not ready to buy? Read it later.

We'll email you a free sample of this guide as a PDF — no purchase needed.

Try 3 sample questions

Pulled straight from the guide's 60-question bank — tap an answer for instant feedback and the explanation.

From module 3.1 · Architecture models

  1. 1. A company migrates its application servers to an IaaS provider. Several months later, the servers are compromised through an unpatched operating system vulnerability. According to the cloud shared responsibility model, who was responsible for applying the OS patches?

From module 3.2 · Securing infrastructure

  1. 1. A security architect must place a new public-facing web server so that a compromise of the server cannot give an attacker direct access to internal systems. Where should the server be placed?

From module 3.3 · Data protection

  1. 1. A payment processor replaces stored credit card numbers with randomly generated values that have no mathematical relationship to the originals. The real numbers are kept in a separate, hardened vault. Which method is being used?

57 more questions like these are waiting inside.

What's inside

  • 26 in-depth topics across 4 modules, mapped to objectives 3.1–3.4
  • 60 exam-style practice questions with instant feedback
  • Full answer key with explanations for every question
  • Complete Security+ acronym & key-term reference
  • 81-page downloadable PDF for offline study and printing
  • Lifetime updates as the exam evolves

The modules, mapped to the objectives

  1. 3.1

    Architecture models

    Compare and contrast security implications of different architecture models

    15 Qs
    IaCInfrastructure as CodeServerlessMicroservices
  2. 3.2

    Securing infrastructure

    Given a scenario, apply security principles to secure enterprise infrastructure

    15 Qs
    Jump servera.k.a. jump box / bastionProxy serverIPSIntrusion Prevention SystemIDSIntrusion Detection SystemLoad balancerSensors
  3. 3.3

    Data protection

    Compare and contrast concepts and strategies to protect data

    15 Qs
    Data typesData classificationsData states — and general considerationsMethods to secure data
  4. 3.4

    Resilience & recovery

    Explain the importance of resilience and recovery in security architecture

    15 Qs
    Platform diversityMulti-cloud systemsCOOPContinuity of OperationsOnsite / offsiteFrequencyEncryption
Chris Rees

About the author

Chris Rees

Professional information technologist with 25+ years in IT and the author of 60+ certification training courses — 50+ live on Pluralsight, rated 4.6/5 across more than 2,000 reviews. This guide is that same exam-focused teaching, in a format you can finish.

More about Chris
Save 40%

Sitting the whole exam? Get the Complete Security+ Collection.

All 5 SY0-701 domains — including this guide — for $29.95 instead of $49.75.

See everything inside

Questions, answered

Do I need an account to buy?

No. Checkout is a single Stripe form — email and card, about 30 seconds. We create your access from your checkout email automatically and sign you in the moment payment completes.

Is this up to date with the real SY0-701 exam?

Yes — the guide is mapped module-by-module to CompTIA's official Security+ objectives (3.1–3.4), and lifetime updates are included, so as the exam evolves your guide does too.

What exactly do I get?

Instant access to the interactive online guide with all 60 practice questions, plus a 81-page PDF you can download, print, and keep forever.

Do I need the other domains too?

This guide covers Domain 3.0 (18% of the exam). To prepare for the whole exam, the Complete Security+ Collection bundles all 5 domains for $29.95 — less than the price of three guides.

What if it isn't for me?

Every purchase comes with a 30-day money-back guarantee — email us and we'll refund you, no hoops.

Who wrote it?

Chris Rees — a professional information technologist with 25+ years in IT and the author of 60+ certification courses, rated 4.6/5 across 2,000+ reviews on Pluralsight.

Be ready for 18% of the exam — for $9.95

Instant access, lifetime updates, and a 30-day money-back guarantee. The only risk is walking into the exam without it.

Get the guide

Share this guide