CompTIA SecurityX (CAS-005) · Domain 2 · 27% of exam

Security Architecture

Drill 20 practice questions focused entirely on Security Architecture for the CompTIA CAS-005 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A hospital's security architect is redesigning the backup architecture after a tabletop exercise revealed that a ransomware actor with domain admin credentials could encrypt or delete both production data and the existing network-attached backup repository. Regulatory requirements mandate a 4-hour RPO for patient records, and the organization needs assurance that backups cannot be altered or deleted during their retention window, even by a compromised administrator account. Which design BEST meets these resilience requirements?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services firm is migrating a highly regulated trading platform to a public cloud provider. Compliance mandates strict isolation from other customers' workloads at the physical hardware level, and the firm's risk team will not accept any control that relies solely on hypervisor-enforced logical separation. Cost is a secondary concern. Which cloud compute deployment approach best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 3 of 20

A retail analytics team must run demographic reports on a dataset containing customer national ID numbers stored in a cloud data warehouse. Legal requires that raw national IDs never reside in the warehouse or be recoverable by analysts, yet the reports must still correlate records belonging to the same customer across multiple tables and preserve the original field length/format for the legacy reporting tool. Which data protection design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 20

A financial services company stores highly sensitive customer records in a cloud-hosted database. Regulators require that the organization retain full control over the master key used to protect the data, that the master key never leave a FIPS 140-2 Level 3 boundary, and that individual data-encryption keys be rotatable without re-encrypting the entire dataset. Which data-at-rest design BEST satisfies all three requirements?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial services firm stores customer records, internal marketing plans, and public regulatory filings on the same file-sharing platform. The security architect has been asked to design a data protection scheme that applies the strongest controls (encryption, egress blocking, watermarking) only where warranted, while avoiding unnecessary friction for low-sensitivity content. Which approach should the architect implement FIRST to make the downstream control decisions defensible and consistent?

Reviewed for accuracy · Report an issue
Question 6 of 20

A financial services firm is designing a data security architecture that spans Microsoft 365, an on-premises file server, and an AWS S3 data lake used for analytics. Regulators require that once a document is labeled 'Restricted,' the classification and its associated protections must remain enforced regardless of where the file is moved, copied, or downloaded. The security architect must select an approach that ensures the label and its protection travel with the data across all three environments. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services company is redesigning the TLS configuration for its customer-facing web portal. The security architect wants to ensure that even if the server's long-term private key is compromised in the future, previously captured encrypted session traffic cannot be retroactively decrypted. Which configuration decision most directly achieves this requirement?

Reviewed for accuracy · Report an issue
Question 8 of 20

A financial services firm discovers that employees are exfiltrating sensitive client records by copying files to USB drives and by pasting data into personal webmail accessed over HTTPS from company laptops. The existing DLP deployment consists solely of a network-based inspection appliance at the internet egress gateway that decrypts and scans outbound traffic. The security architect is asked to close the identified gaps while minimizing additional decryption infrastructure. Which design change most directly addresses BOTH exfiltration vectors?

Reviewed for accuracy · Report an issue
Question 9 of 20

A retail company processes millions of loyalty transactions per hour and must protect customer national ID numbers. The architecture team requires that the sensitive values be replaced with surrogate tokens usable in analytics joins, but the solution must scale horizontally without a centralized data store that could become a performance bottleneck or single point of failure. Reversibility must still be supported for authorized fraud investigations. Which tokenization approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 20

A financial services firm discovers that employees are exfiltrating classified customer records by uploading them to personal cloud storage accounts over TLS-encrypted connections. The existing network DLP appliance sees only encrypted traffic and cannot inspect payloads. The security architect must design a control that reliably detects and blocks sensitive data leaving via these HTTPS uploads while preserving user privacy for personal banking and healthcare sites. Which design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial services company is designing a resilient enterprise architecture. Their threat model identifies data exfiltration via DNS tunneling as a critical risk because compromised endpoints have been observed encoding stolen data into DNS queries to attacker-controlled authoritative name servers. The security architect must design a control that preserves normal name resolution for legitimate business while preventing covert data channels over DNS. Which design approach BEST addresses this requirement?

Reviewed for accuracy · Report an issue
Question 12 of 20

A financial services company is deploying a microservices application across a Kubernetes cluster. Security requirements mandate that all service-to-service traffic be encrypted and that each service cryptographically prove its identity before communication is allowed, without embedding credentials in application code. Services scale up and down dynamically, so certificates must be issued and rotated automatically. Which approach best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 20

A financial analytics firm must process highly sensitive customer datasets on a public cloud provider. Regulatory reviewers accept the firm's existing controls for data at rest (envelope encryption with a CMK) and in transit (mTLS), but they raise a concern: during active computation, plaintext data and the derived models reside in host memory where a compromised hypervisor or malicious cloud administrator could theoretically extract them. The architecture team must select a control that protects data while it is being processed, without moving the workload off the provider. Which approach BEST addresses this specific requirement?

Reviewed for accuracy · Report an issue
Question 14 of 20

A financial services company federates its on-premises Active Directory to a cloud SaaS suite using SAML through an on-premises identity provider (IdP). The security architect learns that a compromised token-signing certificate could allow an attacker to forge assertions for any user, including administrators, without triggering authentication logs at the IdP. Which design change most directly reduces the impact of a forged-assertion (golden SAML) attack against the SaaS environment?

Reviewed for accuracy · Report an issue
Question 15 of 20

A cloud security architect discovers that developers frequently apply manual hotfixes directly to production resources during incidents, causing the running infrastructure to diverge from the Terraform state stored in the pipeline. This creates unpredictable security posture across the environment. Which approach BEST addresses the root cause while maintaining resilient, secure infrastructure?

Reviewed for accuracy · Report an issue
Question 16 of 20

A manufacturing company operates a converged network where corporate IT systems share infrastructure with the plant's operational technology (OT), including PLCs and SCADA controllers. A recent assessment found that a compromised IT workstation could directly reach the OT control network. The controllers run legacy protocols that cannot support host-based agents, encryption, or authentication, and they must exchange limited production data with an IT-based MES (Manufacturing Execution System). The security architect must design a segmentation approach that limits IT-to-OT exposure while still permitting the required data exchange. Which design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company is redesigning its identity architecture after an audit found that 40 domain administrators hold permanent membership in privileged groups, many of whom rarely perform administrative tasks. The security architect must reduce the attack surface associated with standing privileges while still allowing administrators to perform occasional emergency and routine maintenance. Which approach BEST addresses this requirement?

Reviewed for accuracy · Report an issue
Question 18 of 20

A financial services company runs its customer-facing transaction platform in a single cloud region. The business requires a recovery time objective (RTO) of near-zero and a recovery point objective (RPO) of near-zero, and it must survive the complete loss of an entire region without manual failover steps. The architecture team must redesign the platform to meet these resilience requirements while keeping data consistent across sites. Which design approach BEST satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 19 of 20

A financial services company operates a customer-facing loan application platform. Architects are designing for resilience against partial failures of downstream dependencies (fraud scoring service, credit bureau API, and a document-storage backend). Leadership requires that a dependency outage never cause a total platform outage, and that core functions remain usable even when non-essential services are unavailable. Which design approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 20 of 20

A global retailer operates 200 branch offices that currently backhaul all internet and SaaS traffic through two regional data centers for inspection via legacy firewalls and web proxies. Users report high latency to cloud-based POS and collaboration apps, and the security team struggles to enforce consistent policy for a growing remote workforce. Leadership wants a cloud-delivered architecture that unifies network and security controls, applies identity-aware policy close to the user, and eliminates the data center hairpin. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue

More CAS-005 practice

Keep going with the other CompTIA SecurityX (CAS-005) domains, or take a full timed mock exam.

← Back to CAS-005 overview