SY0-701 domain - 18% of the exam

Security Architecture

Security Architecture is 18% of the CompTIA Security+ (SY0-701) exam. These are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample | Security Architecture | Difficulty: hard

A logistics start-up is rebuilding its order processing platform as a set of small services deployed independently to a Kubernetes cluster. Each service has its own database, owns one bounded context, and communicates with peers over authenticated REST and gRPC. The chief information security officer is briefing the board on how this microservices model changes the firm's security posture compared with the previous single Java monolith. Which statement best captures a distinctive security implication of moving to microservices rather than retaining the monolith?

  • A. The microservices design eliminates the need for network segmentation because each service runs in its own container and is therefore isolated from peers by default at the operating system level.
  • B. Patching cycles can be relaxed because each microservice is small enough that a compromise is contained within that service's container and cannot affect data owned by other services in the platform.
  • C. Centralised audit logging becomes simpler because every microservice writes to the same application log file and the team can rely on a single chain of custody across the whole order processing workflow.
  • D. The east-west attack surface grows because authentication, authorisation, and transport security must now be enforced on every inter-service call instead of relying on a single process boundary, which usually requires mutual TLS, service identities, and per-service policy. (Correct)

Recognise that microservices shift the security boundary from a single process to many authenticated inter-service hops and expand the east-west attack surface. A microservices architecture decomposes a monolith into independently deployable services that communicate over the network. Each inter-service call that was once an in-process function call becomes a network request that an attacker on the cluster network could observe, replay, or forge. To preserve the security guarantees the monolith got for free, defenders must terminate mutual TLS between services, assign workload identities, enforce per-service authorisation, and apply network policies. This expanded east-west attack surface is the defining security implication that distinguishes microservices from the monolithic model.

Why A is wrong: Container runtimes share a host kernel and a flat pod network unless deliberate network policies, service meshes, or namespaces enforce segmentation; assuming default isolation is a common misconception that leaves east-west traffic wide open.

Why B is wrong: A compromised service is often a stepping stone to peers via service tokens, shared secrets, or excessive RBAC; smaller blast radius is a goal, not an automatic property, and patching cadence must in fact rise because each service brings its own dependency tree.

Why C is wrong: Microservices typically emit logs from many pods to a shared pipeline, so achieving an end-to-end audit trail requires correlation IDs, distributed tracing, and centralised log aggregation; assuming a single log file is exactly the legacy mindset that microservice adoption breaks.

Why D is correct: Splitting a monolith into independently deployable services replaces in-process calls with network calls, so each hop must be authenticated, authorised, and encrypted; defenders typically introduce a service mesh, workload identities, and per-service policy to control the expanded east-west attack surface.

See also the SY0-701 cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by CompTIA. Original, blueprint-aligned practice material only.