Phase 3: Domain 3 — Security Architecture & Engineering

Phase 3: Domain 3 — Security Architecture & Engineering (13%)

Timeline: Apr 19-25 (Week 3, first half)

Covers cryptography, security models, and secure design. Your Vault PKI and EAP-TLS work maps directly here but formal security models (Bell-LaPadula, Biba) need study.

Key Concepts

Cryptography

Symmetric: AES (128/192/256), 3DES (legacy), one key for encrypt + decrypt
Asymmetric: RSA, ECC, Diffie-Hellman — key exchange, digital signatures
Hashing: SHA-256, SHA-3, MD5 (broken) — integrity verification
Digital signatures: Hash + encrypt with private key = non-repudiation
PKI: Your Vault infrastructure IS this — Root CA → Intermediate → End entity
Key management: Key lifecycle, escrow, recovery, destruction

Security Models

Model	Focus
Bell-LaPadula	Confidentiality — "no read up, no write down" (military)
Biba	Integrity — "no read down, no write up" (opposite of BLP)
Clark-Wilson	Integrity — well-formed transactions, separation of duties
Brewer-Nash (Chinese Wall)	Conflict of interest prevention
Graham-Denning	Access control matrix operations
Harrison-Ruzzo-Ullman	Access control with generic rights

Model

Focus

Bell-LaPadula

Confidentiality — "no read up, no write down" (military)

Biba

Integrity — "no read down, no write up" (opposite of BLP)

Clark-Wilson

Integrity — well-formed transactions, separation of duties

Brewer-Nash (Chinese Wall)

Conflict of interest prevention

Graham-Denning

Access control matrix operations

Harrison-Ruzzo-Ullman

Access control with generic rights

Secure Design Principles

Defense in depth (your VLAN segmentation + ISE + firewall + encryption)
Least privilege (your sudo/wheel configs, Vault policies)
Separation of duties (ISE admin roles, Vault auth methods)
Fail-safe defaults (deny by default — your firewall rules)
Economy of mechanism (keep it simple)
Complete mediation (check every access — ISE posture)
Open design (Kerckhoffs' principle)
Psychological acceptability (usable security)

Physical Security

Site selection, CPTED (Crime Prevention Through Environmental Design)
Fire suppression: wet pipe, dry pipe, preaction, deluge, gas (FM-200, Halon replacement)
Electrical: UPS, generator, surge protector
HVAC: positive pressurization, humidity control

Practice Questions

25 questions/day from Official Practice Tests — Domain 3 section.

Check	Status
Read Study Guide Chapters 6-7 (Crypto, Security Models)	[ ]
Watch Destination Certification MindMap — Domain 3	[ ]
Security models memorized (BLP, Biba, Clark-Wilson)	[ ]
Crypto types and use cases understood	[ ]
Mapped Vault PKI to CISSP PKI concepts	[ ]
Physical security basics (fire, electrical, HVAC)	[ ]
50+ practice questions completed (Domain 3)	[ ]

Check

Status

Read Study Guide Chapters 6-7 (Crypto, Security Models)

[ ]

Watch Destination Certification MindMap — Domain 3

[ ]

Security models memorized (BLP, Biba, Clark-Wilson)

[ ]

Crypto types and use cases understood

[ ]

Mapped Vault PKI to CISSP PKI concepts

[ ]

Physical security basics (fire, electrical, HVAC)

[ ]

50+ practice questions completed (Domain 3)

[ ]