Security Architecture & Engineering
Domain 3 covers secure design principles, security models, cryptography, PKI, and physical security. Expect heavy crypto math and model questions on the exam.
Lessons
8 secure design principles, Kerckhoffs's Principle, Zero Trust Architecture. Anchored to Platform C's defense-in-depth stack and the PII incident.
Bell-LaPadula (confidentiality), Biba (integrity), Clark-Wilson (commercial integrity), Brewer-Nash (conflict of interest).
Symmetric (AES modes), asymmetric (RSA, ECC), hashing (SHA-256, HMAC), hybrid encryption. Quantum threats. Platform C crypto audit.
PKI hierarchy, CRL vs. OCSP, HSM, TPM, Vault key management, key lifecycle, certificate pinning. Platform C JWT key rotation.
Hypervisor types, VM escape, shared responsibility model, Kubernetes security (RBAC, NetworkPolicy, PSS). Platform C on GCP.
Physical access layers, CPTED, mantraps, fire suppression systems, temperature/humidity, UPS. Manila data center planning.
Domain 3 at a Glance
| Lesson | Core Topic | Key Models / Standards | TS Relevance |
|---|---|---|---|
| 01 | Secure Design Principles | 8 Principles, Zero Trust (ZTA) | PII incident root cause, Platform C architecture |
| 02 | Security Models | BLP, Biba, Clark-Wilson, Brewer-Nash | Credit scoring integrity, loan workflows |
| 03 | Cryptography | AES, RSA, ECC, SHA-256, HMAC | AES-256-CTR PII, JWT RSA, TLS 1.3 |
| 04 | PKI & Key Management | X.509, CRL, OCSP, FIPS 140-2 | Vault, cert-manager, key rotation |
| 05 | Virtualization & Cloud | IaaS/PaaS/SaaS, K8s security | GKE, NetworkPolicies, Trivy scanning |
| 06 | Physical Security | CPTED, fire suppression, HVAC | Manila data center (Partner E) |