CASP+ Domain #1: Security Architecture [2022 update]
Are you an advanced-level security architect or senior security engineer who wants to verify your high level of cybersecurity skills? Do you want to prove to hiring organizations that your knowledge is up to the task of leading and improving your organization's cybersecurity readiness? If so, the CompTIA Advanced Security Practitioner, or CASP+, may be the certification for you. To earn the cert, you will first have to pass the certification exam covering four knowledge domains.
What is CASP+?
CASP+ is an advanced-level cyber security certification that is intended for cyber security practitioners. Successful certification candidates will have the knowledge and skill required to:
- Architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise
- Use monitoring, detection, incident response, and automation to proactively support ongoing security operations in an enterprise environment
- Apply security practices to cloud, on-premises, endpoint, and mobile infrastructure, while considering cryptographic technologies and techniques
- Consider the impact of governance, risk, and compliance requirements throughout the enterprise
What has changed since the last CASP+ exam version?
The latest CASP+ exam version is CAS-004, and much has changed since CAS-003. The CASP+ certification exam has dropped a Domain (down to four), and all Domain names and their respective percentages of exam material have changed. Below is a comparison:
CASP+ Domain 1: Security Architecture
Below is the material covered by Domain 1 of the CASP+ certification exam.
1.1 Given a scenario, analyze the security requirements and objectives to ensure an appropriate, secure network architecture for a new or existing network
1. Services
- Load balancer
- Intrusion detection system (IDS)/Network intrusion detection system (NIDS)/Wireless intrusion detection system (WIDS)
- Intrusion prevention system (IPS)/Network intrusion prevention system (NIPS)/Wireless intrusion prevention system (WIPS)
- Web application firewall (WAF)
- Network access control (NAC)
- Virtual private network (VPN)
- Domain Name System Security Extensions (DNSSEC)
- Firewall/unified threat management (UTM)/next-generation firewall (NGFW)
- Network address translation (NAT) gateway
- Internet gateway
- Forward/transparent proxy
- Reverse proxy
- Distributed denial-of-service (DDoS) protection
- Routers
- Mail security
- Application programming interface (API) gateway/Extensible Markup Language (XML) gateway
- Traffic mirroring
- Switched port analyzer (SPAN) ports
- Port mirroring
- Virtual private cloud (VPC)
- Network tap
- Sensors
- Security information and event management (SIEM)
- File integrity monitoring (FIM)
- Simple Network Management Protocol (SNMP) traps
- NetFlow
- Data loss prevention (DLP)
- Antivirus
2. Segmentation
- Microsegmentation
- Local area network (LAN)/virtual local area network (VLAN)
- Jump box
- Screened subnet
- Data zones
- Staging environments
- Guest environments
- VPC/virtual network (VNET)
- Availability Zone
- NAC lists
- Policies/security groups
- Regions
- Access control lists (ACLs)
- Peer-to-peer
- Air gap
3. Deperimeterization/zero trust
- Cloud
- Remote work
- Mobile
- Outsourcing and contracting
- Wireless/radio frequency (RF) networks
4. Merging of networks from various organizations
- Peering
- Cloud to on-premises
- Data sensitivity levels
- Mergers and acquisitions
- Cross-domain
- Federation
- Directory services
5. Software-defined networking (SDN)
- Open SDN
- Hybrid SDN
- SDN overlay
1.2 Given a scenario, analyze the organizational requirements to determine the proper infrastructure security design
1. Scalability
- Vertically
- Horizontally
2. Resiliency
- High availability
- Diversity/heterogeneity
- Course of action orchestration
- Distributed allocation
- Redundancy
- Replication
- Clustering
3. Automation
- Autoscaling
- Security Orchestration, Automation, and Response (SOAR)
- Bootstrapping
4. Performance
5. Containerization
6. Virtualization
7. Content delivery network
8. Caching
1.3 Given a scenario, integrate software applications securely into an enterprise architecture
- Secure design patterns/types of web technologies
- Storage design patterns
- Container APIs
- Secure coding standards
- Application vetting processes
- API management
- Middleware
3. Software assurance
- Sandboxing/development environment
- Validating third-party libraries
- Defined DevOps pipeline
- Code signing
- Interactive application security testing (IAST) vs. dynamic application security testing (DAST) vs. static application security testing (SAST)
4. Considerations of integrating enterprise applications
- Customer relationship management (CRM)
- Enterprise resource planning (ERP)
- Configuration management database (CMDB)
- Content management system (CMS)
- Integration enablers
5. Integrating security into development life cycle
- Formal methods
- Requirements
- Fielding
- Insertions and upgrades
- Disposal and reuse
- Testing
- Development approaches
- Best practices
1.4 Given a scenario, implement data security techniques for securing enterprise architecture
1. Data loss prevention
- Blocking use of external media
- Print blocking
- Remote Desktop Protocol (RDP) blocking
- Clipboard privacy controls
- Restricted virtual desktop infrastructure (VDI) implementation
- Data classification blocking
2. Data loss detection
- Watermarking
- Digital rights management (DRM)
- Network traffic analysis
3. Data classification, labeling, and tagging
4. Obfuscation
5. Anonymization
6. Encrypted vs. unencrypted
7. Data life cycle
8. Data inventory and mapping
9. Data integrity management
10. Data storage, backup, and recovery
1.5 Given a scenario, analyze the security requirements and objectives to provide the appropriate authentication and authorization controls
- Credential management
- Password policies
- Federation
- Access control
- Protocols
- Multifactor authentication (MFA)
- One-time password (OTP)
- Hardware root of trust
- Single sign-on (SSO)
- JavaScript Object Notation (JSON) web token (JWT)
- Attestation and identity proofing
1.6 Given a set of requirements, implement secure cloud and virtualization solutions
- Virtualization strategies
- Provisioning and deprovisioning
- Middleware
- Metadata and tags
- Deployment models and considerations
- Hosting models
- Service models
- Cloud provider limitations
- Extending appropriate on-premises controls
- Storage models
1.7 Explain how cryptography and public key infrastructure (PKI) support security objectives and requirements
- Privacy and confidentiality requirements
- Integrity requirements
- Non-repudiation
- Compliance and policy requirements
- Common cryptography use cases
- Common PKI use cases
1.8 Explain the impact of emerging technologies on enterprise security and privacy
- Artificial intelligence
- Machine learning
- Quantum computing
- Blockchain
- Homomorphic encryption
- Secure multiparty computation
- Distributed consensus
- Big Data
- Virtual/augmented reality
- 3-D printing
- Passwordless authentication
- Nanotechnology
- Deep learning
- Biometric impersonation
CASP+ Domain 1
CASP+ is an advanced-level cybersecurity certification for security architects and senior security engineers. To earn this certification, you will have to pass the CASP+ certification exam, which covers four Domains of knowledge. Use this article to map out your study outline for Domain 1, and you will have a solid start toward passing the exam and earning the CASP+ cert for yourself.