Security Architecture Design Principles
What the Exam Is Really Testing
Architecture questions on Security+ are not about specific products or vendors. They test whether you can think in layers — and whether you understand why a single firewall at the perimeter stopped being a real security strategy a long time ago.
Good security architecture assumes every individual control can fail. The design ensures that no single failure compromises the entire system.
Expect scenarios that describe a network, an incident, or a design proposal — and ask you to pick the architectural principle that addresses the gap. Layered defenses, segmentation, zero trust, and failure planning all show up repeatedly.
Defense in Depth
Defense in depth applies multiple layers of security controls so that if one layer fails, others continue to protect the asset.
Layers typically include:
- Physical — Locks, cameras, fences, guards
- Network — Firewalls, IDS/IPS, network segmentation
- Host — Endpoint protection, host-based firewalls, patching
- Application — Input validation, authentication, secure coding
- Data — Encryption, access controls, DLP
- Administrative — Policies, procedures, training, background checks
The exam expects you to recognize that no single control is sufficient. An attacker who bypasses the firewall still faces host-based controls, application security, and data encryption.
Key principle:
Diversity of controls matters. If every layer uses the same vendor or technology, a single vulnerability defeats all layers.
Network Segmentation
Network segmentation divides a network into smaller zones with controlled traffic flow between them. It limits lateral movement — if an attacker compromises one segment, they cannot freely access others.
Segmentation Methods
- VLANs — Logical separation at Layer 2. Devices on different VLANs cannot communicate without routing through a firewall or Layer 3 device.
- Subnets — IP-based segmentation with access control lists (ACLs) controlling traffic between subnets.
- Firewalls — Stateful inspection between network zones, enforcing rules about which traffic is permitted.
- Microsegmentation — Fine-grained segmentation at the workload level, often using software-defined networking. Controls traffic between individual applications or services.
DMZ (Demilitarized Zone)
A DMZ is a network segment that sits between the internal network and the internet. It hosts services that must be accessible from the outside (web servers, email gateways, DNS) while keeping the internal network protected.
Architecture:
- External firewall filters traffic from the internet to the DMZ
- Internal firewall filters traffic from the DMZ to the internal network
- If a DMZ server is compromised, the attacker still cannot access the internal network directly
The exam may use the term screened subnet interchangeably with DMZ. They describe the same architectural concept.
Zero Trust Network Access (ZTNA)
Zero trust is an architecture that eliminates implicit trust based on network location. Every access request is verified regardless of whether it comes from inside or outside the network.
Core principles:
- Never trust, always verify — No user, device, or application is trusted by default
- Least privilege access — Users receive only the minimum access needed for their specific task
- Microsegmentation — Every application and resource is its own protected zone
- Continuous verification — Authentication and authorization are checked continuously, not just at login
- Assume breach — Design the architecture assuming attackers are already inside the network
Zero trust represents a shift from perimeter-based security (castle and moat) to identity-based security (verify every request).
The exam frequently tests the contrast between traditional perimeter models and zero trust. If a scenario describes implicit trust for internal users, the answer often involves zero trust principles.
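The contrast between the perimeter model and zero trust, written out as a per-request policy check. This is an added illustration, not material from the original page; the roles, resources, MFA age limits and the Request fields are constructed assumptions chosen to mirror the VPN scenario in Question 2 below.

```python
from dataclasses import dataclass

# Least-privilege entitlements: which resources each role may reach (constructed).
ROLE_PERMISSIONS = {
    "accountant": {"finance-app"},
    "engineer": {"source-repo", "ci-server"},
}
# Sensitive resources demand a recent MFA event; limits in seconds (constructed).
MFA_MAX_AGE = {"finance-app": 600, "source-repo": 28800, "ci-server": 28800}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    device_compliant: bool   # device posture reported by endpoint management
    mfa_age_s: int           # seconds since the user last completed MFA
    authenticated: bool = True


def perimeter_model(req: Request) -> bool:
    """Castle and moat: once through the VPN, every internal app is reachable."""
    return req.authenticated


def zero_trust_model(req: Request) -> tuple[bool, str]:
    """Never trust, always verify: evaluate identity, device and entitlement
    on every request, not only at login. Returns (allowed, reason)."""
    if not req.authenticated:
        return False, "unauthenticated"
    if not req.device_compliant:
        return False, "device out of compliance"
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "least privilege: role not entitled to resource"
    if req.mfa_age_s > MFA_MAX_AGE.get(req.resource, 0):
        return False, "continuous verification: MFA too stale for resource"
    return True, "allowed"


if __name__ == "__main__":
    # A compromised engineer account reaching for finance data after VPN login.
    stolen = Request("bob", "engineer", "finance-app", device_compliant=True, mfa_age_s=60)
    print("perimeter:", perimeter_model(stolen))      # True: implicit trust inside
    print("zero trust:", zero_trust_model(stolen))    # denied by least privilege
```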
Secure Access Service Edge (SASE)
SASE (pronounced "sassy") combines network security and wide-area networking into a single cloud-delivered service. It converges several security functions:
- SD-WAN — Software-defined wide area networking for optimized connectivity
- CASB — Cloud access security broker for cloud application visibility
- SWG — Secure web gateway for web traffic filtering
- ZTNA — Zero trust network access for application-level access control
- FWaaS — Firewall as a Service for cloud-based firewall functionality
SASE addresses the challenge of securing a distributed workforce. When users work from anywhere and applications live in the cloud, the traditional network perimeter is irrelevant. SASE delivers security at the edge — wherever the user is.
Security Zones
Security zones group network resources by trust level and apply controls based on zone boundaries:
- Untrusted zone — The internet. All traffic from this zone is treated as hostile.
- DMZ/Screened subnet — Semi-trusted zone for public-facing services.
- Internal zone — Corporate network with standard trust for authenticated users.
- Restricted zone — High-security areas containing sensitive data or critical systems. Additional controls required.
- Management zone — Isolated network for infrastructure management (out-of-band management).
Traffic between zones passes through firewalls with explicit rules. The principle: traffic flowing from a less trusted zone to a more trusted zone requires stricter inspection.
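The DMZ architecture and the zone principle above, modelled as a default-deny inter-zone policy. This example is added here and is not part of the original page; the zone names follow the list above, while the trust ranking, the rule set and the ports are constructed assumptions.

```python
from dataclasses import dataclass

# Trust ranking per zone; higher is more trusted (constructed ordering).
ZONE_TRUST = {"untrusted": 0, "dmz": 1, "internal": 2, "restricted": 3, "management": 4}

# Explicit allow rules as (source zone, destination zone, destination port).
# Anything not listed is denied. Note there is no rule with "dmz" as source:
# the internal firewall admits nothing initiated from the screened subnet.
ALLOW_RULES = [
    ("untrusted", "dmz", 443),        # public web server
    ("untrusted", "dmz", 25),         # email gateway
    ("untrusted", "dmz", 53),         # public DNS
    ("internal", "dmz", 443),         # staff browsing the public site
    ("internal", "restricted", 1433), # application tier reaching the database
    ("management", "dmz", 22),        # out-of-band administration
    ("management", "internal", 22),
    ("management", "restricted", 22),
]


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


def evaluate(flow: Flow) -> tuple[str, bool]:
    """Return (verdict, deep_inspection) for a flow crossing a zone boundary.

    verdict is 'allow' only when an explicit rule matches (default deny).
    deep_inspection is True when the flow moves toward a more trusted zone,
    the direction the zone principle says needs stricter inspection.
    """
    for src, dst, port in ALLOW_RULES:
        if (src, dst, port) == (flow.src_zone, flow.dst_zone, flow.dst_port):
            return "allow", ZONE_TRUST[dst] > ZONE_TRUST[src]
    return "deny", False


def reachable_from(zone: str) -> set[str]:
    """Zones a host in `zone` can initiate traffic to: the blast radius if it falls."""
    return {dst for src, dst, _ in ALLOW_RULES if src == zone}


if __name__ == "__main__":
    # A compromised DMZ web server trying SMB toward the internal network.
    print(evaluate(Flow("dmz", "internal", 445)))   # ('deny', False)
    print(reachable_from("dmz"))                    # set(): no lateral path inward
```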
Failure Modes
How a system behaves when it fails is a critical architectural decision:
Fail-Open
When the control fails, access is permitted. Traffic passes through without inspection.
Use case: systems where availability is the priority. A firewall that fails open allows all traffic rather than blocking everything.
Risk: during failure, no security filtering occurs. Attackers could exploit the window.
Fail-Closed (Fail-Secure)
When the control fails, access is denied. All traffic is blocked.
Use case: systems where security is the priority. A firewall that fails closed blocks all traffic rather than allowing unfiltered access.
Risk: availability is impacted during failure. Legitimate traffic is blocked.
The exam tests whether you can choose the appropriate failure mode for a given scenario. Security-sensitive environments typically require fail-closed. Availability-critical environments may require fail-open with compensating controls.
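Fail-open and fail-closed as a design choice around an inline control, including the compensating monitoring that makes fail-open defensible. This is an added example, not code from the original page; the inspection function, the failure exception and the packet marker are constructed stand-ins for a real IPS engine.

```python
from enum import Enum
from typing import Callable


class FailureMode(Enum):
    OPEN = "fail-open"
    CLOSED = "fail-closed"


class InspectorError(Exception):
    """Raised when the inspection engine is unavailable (hardware fault, crash)."""


def signature_inspect(packet: bytes) -> bool:
    """Toy inline inspection: drop payloads carrying a constructed marker."""
    return b"BLOCKME" not in packet


def broken_inspector(packet: bytes) -> bool:
    """Stands in for the failed IPS hardware in the hospital scenario."""
    raise InspectorError("hardware failure")


class InlineControl:
    def __init__(self, inspect: Callable[[bytes], bool], mode: FailureMode):
        self.inspect = inspect
        self.mode = mode
        self.alerts: list[str] = []  # compensating control: visibility during failure

    def forward(self, packet: bytes) -> bool:
        """Return True if the packet is passed on to the protected network."""
        try:
            return self.inspect(packet)
        except InspectorError as exc:
            if self.mode is FailureMode.CLOSED:
                self.alerts.append(f"inspector down ({exc}); blocking traffic")
                return False
            # Fail-open: availability wins, but every uninspected packet is logged
            # so the unprotected window is visible to monitoring.
            self.alerts.append(f"inspector down ({exc}); forwarding uninspected packet")
            return True


if __name__ == "__main__":
    ips = InlineControl(broken_inspector, FailureMode.OPEN)
    print(ips.forward(b"GET /records HTTP/1.1"))  # True: records stay reachable
    print(ips.alerts)                             # one alert per uninspected packet
```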
Pattern Recognition
When you see architecture design scenarios on the exam:
- Single point of failure — The answer involves defense in depth or redundancy
- Flat network, lateral movement — The answer involves segmentation or microsegmentation
- Internal users trusted by default — The answer involves zero trust principles
- Remote workforce, cloud applications — The answer involves SASE or ZTNA
- System failure behavior — The answer involves choosing fail-open or fail-closed based on priorities
Trap Patterns
Watch for these common traps:
- "A strong perimeter firewall is sufficient" — Defense in depth means no single control is sufficient. Perimeter-only security is outdated.
- "Internal network traffic is safe" — Zero trust assumes internal traffic can be hostile. Answers that trust internal traffic by default are wrong.
- "Fail-open is always wrong" — Fail-open is appropriate when availability outweighs security risk, such as emergency exits or life-safety systems.
- Confusing DMZ with zero trust — A DMZ is a segmentation technique. Zero trust is a broader architecture that applies to all access, not just perimeter zones.
Scenario Practice
Question 1
An organization's internal audit reveals that once an attacker gained access to one workstation on the corporate network, they were able to access file servers, databases, and admin consoles without encountering additional controls.
What architectural principle was missing?
A. Data encryption at rest
B. Network segmentation and defense in depth
C. Stronger perimeter firewall rules
D. More frequent password rotation
Answer & reasoning
Correct: B
The flat network allowed unrestricted lateral movement. Network segmentation would limit which resources each zone can access, and defense in depth would place additional controls between the workstation and sensitive systems.
Stronger perimeter rules would not have helped since the attacker was already inside.
Question 2
A company allows all internal employees to access every application without additional verification after their initial VPN login. A compromised employee account leads to unauthorized access to financial systems.
What approach would BEST prevent this type of attack?
A. Require longer VPN session timeouts for all users
B. Implement zero trust with continuous verification and least privilege access
C. Add a second VPN gateway for redundancy
D. Deploy additional antivirus software on all workstations
Answer & reasoning
Correct: B
Zero trust eliminates implicit trust after initial login. Continuous verification ensures that each access request is evaluated based on user identity, device health, and context. Least privilege limits what a compromised account can reach.
VPN session timeouts and additional VPN gateways do not address the fundamental trust model problem.
Question 3
A hospital's inline intrusion prevention system experiences a hardware failure. During the failure, all network traffic is blocked, preventing doctors from accessing patient records.
What configuration change should be evaluated for this environment?
A. Remove the IPS from the network entirely
B. Configure the IPS to fail-open with compensating monitoring controls
C. Replace the IPS with a less capable firewall
D. Disable all security controls during business hours
Answer & reasoning
Correct: B
In a healthcare environment where patient safety depends on system availability, fail-open ensures continued operation during IPS failure. Compensating controls (logging, monitoring, alerts) provide visibility during the failure window.
Removing the IPS eliminates protection entirely. Disabling security controls is never appropriate.
Key Takeaway
Security architecture is about designing for failure — not hoping controls never break. Every principle assumes that something will go wrong and limits the impact when it does.
Before answering any architecture question, ask:
- How many layers stand between the attacker and the asset?
- Can an attacker move laterally if one zone is compromised?
- Is trust implicit or verified continuously?
- What happens when a control fails?
Good architecture does not prevent every attack. It limits the blast radius of every breach.