CISSP Playbook – Domain 3: Security Architecture & Engineering

---

Purpose of Domain 3

Domain 3 validates your ability to design, evaluate, and reason about secure systems. It is not about tools or configurations—it is about architectural decisions that withstand failure, attack, and business pressure.

CISSP mindset:
“If security is not designed in, it will eventually be broken out.”

1. Core Security Principles

Every architectural decision must trace back to these principles.

• Confidentiality – Prevent unauthorized disclosure
• Integrity – Prevent unauthorized modification
• Availability – Ensure systems remain usable when needed

Supporting principles:

• Least Privilege
• Defense in Depth
• Separation of Duties
• Secure Defaults
• Fail Secure / Fail Safe
• Economy of Mechanism
• Complete Mediation

Exam lens:
If a control violates one principle to improve another, assess risk acceptance, not “right vs wrong.”

2. Security Models

Security models explain how rules are enforced, not merely defined.

Confidentiality Models

• Bell–LaPadula – No Read Up, No Write Down
• Used in classified / military systems

Integrity Models

• Biba – No Read Down, No Write Up
• Clark–Wilson – Well-formed transactions, separation of duties
• Preferred for commercial systems

Access Control Models

• DAC – Owner-controlled
• MAC – Centrally controlled
• RBAC – Role-based (enterprise default)
• ABAC – Attribute-based (cloud-native)

Exam pattern:
Military → MAC / Bell–LaPadula
Commercial → Clark–Wilson / RBAC

3. Security Architecture Core Concepts

Trusted Computing Base (TCB)

• All components enforcing security
• Must be small, protected, and verifiable

Security Perimeter

• Boundary where trust changes
• All access must be mediated

Reference Monitor

• Always invoked
• Tamper-proof
• Verifiable

4. Architecture Views & Control Placement

Security architecture must be understood across multiple views:

• Logical architecture – Trust relationships, data flows
• Physical architecture – Hardware, facilities, geography
• Layered architecture – Presentation, application, data layers

CISSP rule:
Controls must be placed as close as possible to the asset, not just at the perimeter.

5. Secure Design vs Secure Implementation

• Secure design answers what must be protected and why
• Secure implementation answers how controls are applied

Exam bias:
CISSP penalizes design flaws more than implementation flaws.

Example:

• Weak crypto algorithm → implementation issue
• Storing secrets in plaintext → design failure

6. Hardware Security & Root of Trust

Security begins below the operating system.

• Privileged vs user mode
• Memory protection, segmentation, paging
• ASLR, DEP, NX bit

Hardware Trust Anchors

• TPM – Secure boot, integrity attestation
• HSM – Key protection, cryptographic assurance

Side-Channel & Physical Attacks

• Power analysis
• Timing attacks
• Fault injection

7. Cryptography Engineering

Cryptography supports:

• Confidentiality
• Integrity
• Authentication
• Non-repudiation

Key principles:

• Approved algorithms only
• Strong key management lifecycle
• Separation of encryption vs hashing vs signing
• Never roll your own crypto

8. System Components & Virtualization

Operating Systems

• Kernel vs user mode
• Ring architecture
• OS hardening baselines

Virtualization & Containers

• Type 1 vs Type 2 hypervisors
• VM escape risks
• Container isolation limits

Databases

• Access control
• Encryption
• Auditing

9. Physical & Environmental Architecture

• Site selection
• Zoning
• HVAC, fire suppression
• Power redundancy
• Mantraps, CCTV, guards

CISSP axiom:
Logical security collapses without physical security.

10. Evaluation, Assurance & Trust

Security ≠ Assurance.

• Common Criteria (CC) – Evaluation framework
• EAL levels (1–7) – Assurance depth, not security strength
• Certification vs Accreditation
• Assurance = confidence that controls operate as intended

Exam trap:
Higher EAL does not mean more secure—only more rigorously evaluated.

11. Supply Chain & Firmware Trust

• Secure boot chains
• Firmware integrity validation
• Trusted updates and patch authenticity
• Hardware and software supply chain risks

Why this matters:
Modern attacks bypass software and target trust foundations.

12. Vulnerabilities & Architectural Weaknesses

• Race conditions
• TOCTOU
• Buffer overflows
• Injection flaws
• Improper error handling

Architect mindset:
Ask “How can this be abused?”, not “Does this work?”

13. Resilience, Availability & Fault Tolerance

• Redundancy (N+1)
• Load balancing
• Graceful degradation
• Failover vs fail-safe

Availability is recoverability under stress, not uptime.

14. Architecture Trade-Offs

Every design involves compromise:

• Security vs usability
• Security vs performance
• Security vs cost
• Security vs speed

CISSP expects risk-based decisions, not absolutism.

Final CISSP Domain 3 Mindset

“Security architecture is the discipline of deciding
where trust begins, where it ends,
and how failure is contained.”