Introduction to Domain Three — Security Architecture
Cybersecurity isn’t just about stopping threats as they happen—it’s also about designing systems that are harder to attack in the first place. And that’s the focus of Domain Three: Security Architecture. This domain helps you think like a builder. It’s about how we construct networks, applications, and environments that are secure by design, not just protected after deployment. In this episode, we’re going to introduce Domain Three and walk through the key themes you’ll need to understand—both for the Security Plus exam and for working in the real world.
Security Architecture makes up 18 percent of the Security Plus exam. That’s nearly a fifth of the questions, and every single one of them comes back to a central idea: how do we build technology that’s secure, resilient, and efficient? Whether you’re designing a physical network, a cloud deployment, or an Internet of Things environment, the decisions made at the architecture level determine how well that system can withstand attacks, recover from failures, and adapt to new threats.
Let’s begin with what’s inside this domain. You’ll start by exploring different infrastructure models—on-premises, hybrid, and cloud. You’ll learn the differences between traditional in-house servers, cloud-hosted environments, and setups that blend the two. And you’ll need to understand how security responsibilities change depending on the model. In a cloud environment, for example, you might not control the physical hardware—but you still need to configure virtual networks, define access controls, and secure application programming interfaces. The exam expects you to know how to design for all three models.
You’ll also learn about secure system components—like containers, virtual machines, and embedded systems. These aren’t just buzzwords. Containers, for instance, are widely used in modern development environments because they isolate applications and simplify deployment. But they also introduce unique security considerations—like managing container images, isolating resources, and securing orchestration tools. If you’ve heard terms like Docker, Kubernetes, or virtual desktop infrastructure, this domain will help you understand the security implications behind them.
Another core focus is data protection. That includes data classification, which is the practice of labeling information based on sensitivity—such as public, internal use only, confidential, or regulated. It also includes encryption—both at rest and in transit. You’ll be expected to know where and how to apply encryption, how to manage keys, and how to protect sensitive data throughout its lifecycle.
This domain also introduces privacy considerations. You’ll learn how data sovereignty, data minimization, and geographic regulations affect where and how data can be stored. Especially in cloud environments, understanding where your data physically resides can be the difference between compliance and a major violation. If an organization operates globally, it needs to know whether its storage model aligns with laws like the General Data Protection Regulation or other privacy regulations.
Then there’s high availability and system resilience. You’ll explore how to design systems that stay online even when things go wrong. That includes clustering, load balancing, redundant systems, geographic distribution, and backup strategies. These aren’t just about performance—they’re about survival. A critical application that goes down in the middle of a cyberattack needs to be recoverable, reliable, and protected from single points of failure.
Let’s talk about the practical focus of this domain. You won’t just be learning concepts. You’ll be expected to apply them to real-world scenarios. One of the most important ideas is reducing the attack surface. That means limiting the number of ways an attacker can access or exploit a system. This is done through segmentation, access control, removing unused services, enforcing least privilege, and properly scoping permissions.
Imagine designing a network for a new branch office. Do you put every device on the same flat network? Or do you segment user traffic from servers, separate guest Wi-Fi from internal systems, and monitor traffic between departments? A secure architecture uses segmentation to limit the blast radius of an attack. If a user clicks on malware, you don’t want that infection reaching the entire network. Segmentation helps contain it.
You’ll also study how firewalls are used—not just to block traffic, but to define trust boundaries, enforce policies, and inspect traffic. That includes traditional firewalls, web application firewalls, and next-generation firewalls that look deep into packets and make decisions based on behavior or content.
Let’s go through another example. A hospital is deploying a new patient data portal. Security architecture decisions include which subnet the servers will live on, whether the application is hosted in the cloud or on-prem, how the data will be encrypted, which ports will be open, and what happens if the system fails. All of these choices affect the security of the environment. Domain Three teaches you how to evaluate those decisions from a security perspective.
And here’s another critical point. You’ll need to understand not just design principles, but implementation examples. That means knowing the concept—and knowing what it looks like in action. For instance, if the question asks about limiting resource reuse in a virtual environment, you should know how containers isolate resources. If the question asks about protecting availability in the face of disaster, you should know what load balancing and failover clusters do.
Many Security Plus questions in this domain use scenario-based formats. You might get a diagram of a cloud deployment and be asked which component poses the greatest risk. Or you might be given a list of changes and asked how they affect data availability. The exam isn’t just asking if you can define high availability. It’s asking if you understand how to apply it in context.
Here’s a tip. As you study this domain, keep asking yourself, “What problem is this solving?” If you’re looking at segmentation, ask how it limits risk. If you’re learning about containers, ask how they isolate resources. If you’re reading about encryption, ask what happens if that control is missing. That’s how you move from memorization to understanding.
Security architecture is one of the most relevant domains to real jobs in cybersecurity. Whether you’re in infrastructure, cloud, or DevOps, the ability to understand system design from a security point of view is one of the most valuable skills you can bring to a team. And this domain lays the groundwork.
