CISSP Mastery


Domain 3: Security Architecture & Engineering

Mastering the blueprints of secure systems: from hardware to the cloud.


Exam weight: 13%
Domain 3 of 8
Models: Bell-LaPadula · Biba · Clark-Wilson
Domain focus: PKI · Crypto · Cloud · Physical

Domain overview

Why Domain 3 is the engineering brain of the CISSP

Domain 3 connects abstract security principles to concrete engineering. You learn to read a system the way a CISO would: which model governs its access decisions, where the cryptography lives, how the physical layer protects it, and how the cloud reshapes every assumption.

Domain 3 is the bridge between the data layer mastered in Domain 2 and the network & identity controls coming in Domains 4 and 5. Get the architecture vocabulary right and every later domain stops feeling like a separate exam.

  • Models = formalized policy

    Security models (Bell-LaPadula, Biba, Clark-Wilson) translate confidentiality, integrity and well-formed transactions into rules a system can actually enforce.

  • Cryptography = trust at scale

    Symmetric for speed, asymmetric for trust establishment, PKI for binding identities to keys. Every other domain plugs into this layer.

  • Physical = the bottom of the stack

    No firewall protects an unlocked rack. Site selection, perimeter design, and environmental controls are graded as security architecture, not facilities.

  • Cloud & virtualization = shared fate

    Multi-tenancy, hypervisors, and containers redraw the trust boundary. The exam tests how the shared responsibility model changes with IaaS / PaaS / SaaS.

Module 1 · Security models

Bell-LaPadula, Biba & Clark-Wilson

Three formal models the CISSP loves. Confidentiality (Bell-LaPadula), integrity (Biba), and well-formed transactions (Clark-Wilson). Recognize the rule, recognize the model, recognize the answer.

  • Bell-LaPadula
    Property: Confidentiality
    Focus: Mandatory access control · multilevel security
    Famous rule: No read up · No write down (★-property)
    Typical use case: Military / classified information systems

  • Biba
    Property: Integrity
    Focus: Prevents data corruption from lower-trust sources
    Famous rule: No read down · No write up
    Typical use case: Financial ledgers, audit logs, clinical records

  • Clark-Wilson
    Property: Integrity (commercial)
    Focus: Well-formed transactions · separation of duties
    Famous rule: Subjects act on objects via constrained programs (TPs)
    Typical use case: Banking workflows, ERP transactions, regulated apps

  • Bell-LaPadula in plain English

    A subject cleared at Secret can read Secret and below, and can only write at Secret and above. Confidentiality wins.

  • Biba in plain English

    A high-integrity subject cannot read low-integrity data and cannot write up to higher-integrity objects. Integrity wins.

  • Clark-Wilson in plain English

    Users do not touch raw data. They run certified Transformation Procedures on Constrained Data Items, and duties are separated between roles.
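The three rule sets above as decision code, an added example written for this page rather than code from the course. Bell-LaPadula and Biba share one ordered lattice and differ only in the flow direction they forbid; Clark-Wilson is shown as a ledger (the CDI) that changes only through a transformation procedure an access triple authorises, with the result committed only if an integrity verification procedure still holds. The ledger, the "no negative balance" rule and the user/TP names are constructed for illustration.

```go
package main

import "errors"

// Level is a classification or integrity rank, low to high; Bell-LaPadula and Biba share it and differ only in which flow direction they forbid.
type Level int
// blpAllows: no read up (simple security property), no write down (★-property).
func blpAllows(subject, object Level, write bool) bool {
	if write {
		return object >= subject
	}
	return object <= subject
}

// bibaAllows is the exact dual of Bell-LaPadula: no read down, no write up.
func bibaAllows(subject, object Level, write bool) bool {
	if write {
		return object <= subject
	}
	return object >= subject
}

// Clark-Wilson: the CDI (a constructed ledger here) changes only via a certified TP that an access triple (user, TP, CDI) authorises, and the IVP must hold afterwards.
type Ledger map[string]int
// ivp is the integrity verification procedure: no account balance may be negative.
func ivp(l Ledger) bool {
	for _, v := range l {
		if v < 0 {
			return false
		}
	}
	return true
}

// runTP enforces a well-formed transaction: check the triple, run the TP on a working copy, commit only if the IVP still holds.
func runTP(triples map[[3]string]bool, user, tpName, cdiName string, tp func(Ledger) error, cdi *Ledger) error {
	if !triples[[3]string{user, tpName, cdiName}] {
		return errors.New("no access triple for " + user + "/" + tpName + "/" + cdiName)
	}
	work := Ledger{}
	for k, v := range *cdi {
		work[k] = v
	}
	if err := tp(work); err != nil {
		return err
	}
	if !ivp(work) {
		return errors.New("TP would leave " + cdiName + " in an invalid state")
	}
	*cdi = work
	return nil
}
```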

Module 2 · Cryptography & PKI

Symmetric vs asymmetric — and the trust chain that ties them together

Symmetric for speed. Asymmetric for trust establishment. PKI to bind identities to keys. Read each diagram top-to-bottom: the data flow IS the answer.

Symmetric · AES · ChaCha20 · 3DES

Same secret key encrypts and decrypts. Fast, but key distribution is the hard problem.

Plaintext → Shared Key 🔑 → Ciphertext
Ciphertext → Shared Key 🔑 → Plaintext

Watchpoint: the same key sits on both endpoints — protect it as you would a password vault.

Asymmetric · RSA · ECC · Ed25519

Two mathematically linked keys: public (share freely) and private (never shared). Solves key distribution — slower than symmetric.

Plaintext → Public Key → Ciphertext
Ciphertext → Private Key → Plaintext

Watchpoint: reverse the keys for digital signatures — sign with private, verify with public.

PKI · How a public key earns its trust
CA · RA · CRL · OCSP

  1. Subject generates keypair

     Creates public + private keys locally; private key never leaves the device.

  2. CSR → Registration Authority

     RA verifies identity (DV / OV / EV) before forwarding to the Certificate Authority.

  3. CA signs certificate

     CA binds the public key to the verified identity and signs with its own private key.

  4. Validation & revocation

     Relying parties walk the chain; CRL or OCSP confirms the certificate is still valid.
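Steps 1 to 4 above played end to end with Go's standard library, as an added example that is not part of the course page; it also shows the "sign with private, verify with public" rule twice, in the CSR and in the certificate. newCA is the Certificate Authority, issue bundles the subject's keypair and CSR with the RA check and the CA's signature, and trusted is the relying party walking the chain. CA and subject names are constructed; revocation (CRL / OCSP) is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// tmpl is a one-day certificate template; isCA marks a certificate allowed to sign others.
func tmpl(serial int64, cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
}
// newCA makes a self-signed root: the CA signs its own certificate with its private key.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := tmpl(1, cn, true)
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// issue covers steps 1-3: the subject generates a keypair and a CSR (its private key never leaves this function),
// the RA checks proof of possession and that the requested name is the vetted one, then the CA signs with its own key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, vetted, requested string) (*x509.Certificate, error) {
	subjKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: requested}}, subjKey)
	csr, _ := x509.ParseCertificateRequest(csrDER)
	if err := csr.CheckSignature(); err != nil || csr.Subject.CommonName != vetted {
		return nil, errors.New("RA rejected CSR: bad proof of possession or unvetted name")
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl(2, vetted, false), ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// trusted is step 4: the relying party accepts the leaf only if its chain ends at a root it holds.
func trusted(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```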

Module 3 · Physical security

Site, perimeter & environmental controls

No firewall protects an unlocked rack. Physical security is the foundation every other control rests on, and the CISSP grades it as security architecture — not facilities management.

  • Site selection & design

    Pick locations away from flood zones, fault lines, and high-crime areas. Design for CPTED (Crime Prevention Through Environmental Design): natural surveillance, access control, territorial reinforcement.

  • Perimeter security

    Layered defenses: bollards, fencing (8 ft + 3 strands of barbed wire for high security), lighting, CCTV with motion analytics, mantraps, badge readers, and 24/7 guards for Tier-3+ facilities.

  • Environmental controls

    HVAC redundancy, humidity 40–60%, fire suppression (FM-200, Inergen, water mist for sensitive areas), EMI/EMP shielding, and seismic anchoring for racks in earthquake-prone regions.

  • Power & continuity

    Dual utility feeds, UPS bridging to diesel generators, automatic transfer switches, fuel for 72h+ runtime, and surge protection at every distribution panel.

Module 4 · Cloud & virtualization

Containers, hypervisors & multi-tenant architectures

Cloud and virtualization redraw the trust boundary. The CISSP tests how shared responsibility shifts with IaaS / PaaS / SaaS, and how multi-tenancy and orchestration introduce new failure modes.

  • Shared responsibility model

    IaaS: you secure OS, app, data. PaaS: you secure app + data. SaaS: you secure identities, data, configuration. The provider always owns the physical layer.

  • Virtualization & hypervisors

    Type-1 (bare-metal: ESXi, Hyper-V, Xen) for production; Type-2 (hosted: VMware Workstation, VirtualBox) for desktops. VM escape and side-channel attacks are the headline risks.

  • Containers & orchestration

    Containers share the host kernel — smaller attack surface than VMs but weaker isolation. Sign images, scan vulnerabilities, enforce network policies, and use Kubernetes RBAC + namespaces.

  • Multi-tenant architectures

    Logical isolation via tenants, VPCs, and dedicated KMS keys. Watch for noisy-neighbor performance issues, cross-tenant data leakage, and shared infrastructure CVEs that affect every tenant at once.

Exam-grade takeaways

CISSP Exam Pro-Tip — high-signal anchors

Three callouts you can repeat out loud the morning of the exam. Same bar as Domain 1 / Domain 2 callouts.

Exam cue

Read the rule, name the model

"No write down" → Bell-LaPadula. "No write up" → Biba. "Constrained data item + transformation procedure" → Clark-Wilson. The rule fingerprint is your fastest path to the answer.

Pro tip

Sign with private, verify with public

When a question mixes confidentiality and signatures, remember: encryption uses the recipient's public key, signatures use the sender's private key. Direction of the keys reveals the goal.

Trap

Cloud does not erase your responsibility

In SaaS the provider runs the platform — but YOU still own identity, data classification and configuration. The exam loves the candidate who answers "shared responsibility" with the right side of the line.

Concept map

Defense in depth — the layered fortress

Concentric layers from the perimeter to the data core. An attacker has to defeat every ring; you only need one to hold.

Defense in depth
[Diagram: concentric layers from perimeter to data core: Perimeter · Network · Application · Core · Data]
  • L4 · Core · Data: crown jewels

    Encryption · DLP · keys · backups · classification

  • L3 · Application: code & identity surface

    WAF · IAM · SSO · SAST · DAST · MFA

  • L2 · Network: segmentation & traffic control

    Firewalls · VLANs · IDS/IPS · NAC

  • L1 · Perimeter: edge & physical boundary

    Fences · gates · CCTV · WAF · edge FW


An attacker must defeat every layer to reach the data core. Each ring buys time — time to detect, contain, and respond.

Quick check

Domain 3 quiz

One question at a time — instant feedback. Pair it with the diagrams and Pro-Tip callouts above.


1. In a typical shared-responsibility model, who usually patches the guest OS in IaaS?

Ready for Domain 4?

Module 3 ties security models, cryptography, physical controls, and cloud architecture into one engineering narrative. Mark your progress, then move on to Domain 4. Every domain module is free to consult — premium access applies only to the full Final Mock Exam experience.