Try 10 focused CompTIA SecurityX CAS-005 questions on Security Architecture, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA SecurityX CAS-005 |
| Topic area | Security Architecture |
| Blueprint weight | 27% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Security Architecture for CompTIA SecurityX CAS-005. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 27% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Security Architecture
A financial services company is redesigning data security for a hybrid environment with SaaS file sharing, object storage, and analytics pipelines. Requirements: apply consistent sensitivity levels, preserve labels when data moves between platforms, drive DLP/encryption/retention policies from those labels, and support automated discovery of regulated data with human review for exceptions. Which approach best maps to these requirements?
Options:
A. Place regulated repositories in isolated network segments with stricter firewall rules
B. Implement an enterprise classification taxonomy with persistent metadata tags and automated labeling workflows
C. Require data owners to maintain separate access-control lists for each storage platform
D. Tokenize all analytics data before it enters reporting pipelines
Best answer: B
Explanation: The core design need is data-centric classification: a common taxonomy, labels that travel with or are mapped to the data, and tags that downstream controls can consume. In a hybrid environment, security decisions should not depend only on where the data is stored because data moves between SaaS, object storage, email, and analytics systems. Automated discovery can suggest labels for regulated data, while human review handles exceptions and reduces misclassification risk. Once labels are reliable, DLP, encryption, key handling, retention, access, and monitoring policies can be enforced consistently through policy engines and integrations. Network controls and platform-specific ACLs may still help, but they do not provide portable, governance-driven classification.
Topic: Security Architecture
A financial services company is redesigning a customer claims platform. Which resilient architecture best satisfies the requirements in the exhibit?
Exhibit: Resilience requirements
| Requirement | Value |
|---|---|
| RTO / RPO | 15 minutes / 5 minutes |
| Geography | EU customer data must remain in the EU |
| Demand | Up to 8x traffic bursts |
| State | Transactions persist; web sessions are disposable |
| Integration | On-prem fraud API outages must not lose requests |
Options:
A. Active-active stateless services in two EU regions with autoscaling, replicated storage, and a durable queue
B. Active-passive virtual machines in one EU region using local disks and manual DNS failover
C. Active-active services across EU and US regions with global database replication
D. Large persistent application servers with sticky sessions and direct synchronous fraud API calls
Best answer: A
Explanation: Resilient design should separate nonpersistent and persistent layers. Disposable web/API tiers can run active-active and autoscale across eligible EU regions because session continuity is not required. Transactions require replicated durable storage that can meet the 5-minute RPO. The on-prem fraud API is an interoperability dependency, so a durable queue prevents request loss during outages and allows retry without coupling platform availability to the legacy service. The geography constraint rules out designs that place EU customer data outside the EU. The key takeaway is to scale stateless components while deliberately protecting persistent state and external dependencies.
Topic: Security Architecture
A security architect is updating the CI/CD quality gate for a containerized payment API. Which software assurance capability best satisfies the requirement in the exhibit?
Exhibit: Release gate requirement
| Item | Requirement |
|---|---|
| Trigger | Before image promotion to staging |
| Scope | Application packages and container dependencies |
| Must include | Direct and transitive components |
| Decision | Fail build for known critical CVEs or prohibited licenses |
| Output | Evidence report for audit review |
| Constraint | No deployed runtime instrumentation is available |
Options:
A. Software bill of materials generation
B. Static application security testing
C. Dynamic application security testing
D. Software composition analysis
Best answer: D
Explanation: Software composition analysis (SCA) is the best fit because the requirement is about dependency risk, not custom code flaws or runtime behavior. SCA inspects package manifests, lock files, container layers, and dependency graphs to identify direct and transitive third-party components with known vulnerabilities or prohibited licenses. It can also enforce CI/CD policy decisions, such as failing a build for critical CVEs. An SBOM is useful evidence and may be produced by SCA tooling, but the SBOM itself is primarily an inventory, not the analysis and enforcement capability described in the release gate.
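An added illustration of the SCA gate the explanation describes (not part of the IT Mastery question bank): it walks a constructed lock file to reach direct and transitive components, matches them against a constructed advisory list (the ADV-* ids are placeholders, not real CVEs), flags prohibited licenses, and returns a pass/fail decision plus the findings list that serves as the audit evidence report.

```python
# Constructed lock file standing in for a real package manifest/lock file.
LOCK_FILE = {
    "dependencies": {
        "web-frame": {"version": "2.1.0", "license": "MIT",
                      "requires": {"tmpl-lib": "1.4.2"}},
        "tmpl-lib": {"version": "1.4.2", "license": "MIT", "requires": {}},
        "gpl-pdf": {"version": "0.9.0", "license": "GPL-3.0", "requires": {}},
    }
}
# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001", "package": "tmpl-lib", "affected": ["1.4.2"], "severity": "CRITICAL"},
    {"id": "ADV-0002", "package": "web-frame", "affected": ["2.0.0"], "severity": "HIGH"},
]
PROHIBITED_LICENSES = {"GPL-3.0", "AGPL-3.0"}   # assumed policy values
FAIL_SEVERITIES = {"CRITICAL"}

def walk_dependencies(lock):
    """Yield (name, version, license, depth) for every direct and transitive component."""
    deps = lock["dependencies"]
    # Direct dependencies are the ones nothing else in the lock file requires.
    roots = [n for n in deps if not any(n in d["requires"] for d in deps.values())]
    seen, stack = set(), [(r, 0) for r in roots]
    while stack:
        name, depth = stack.pop()
        if name in seen:            # guards against cycles in the dependency graph
            continue
        seen.add(name)
        entry = deps[name]
        yield name, entry["version"], entry["license"], depth
        stack.extend((child, depth + 1) for child in entry["requires"])

def evaluate_gate(lock, advisories, prohibited, fail_sev):
    """Return (passes, findings); findings doubles as the evidence report for audit review."""
    findings = []
    for name, version, license_, depth in walk_dependencies(lock):
        kind = "direct" if depth == 0 else "transitive"
        for adv in advisories:
            if adv["package"] == name and version in adv["affected"]:
                findings.append({"component": f"{name}@{version}", "type": kind,
                                 "issue": adv["id"], "severity": adv["severity"],
                                 "blocking": adv["severity"] in fail_sev})
        if license_ in prohibited:
            findings.append({"component": f"{name}@{version}", "type": kind,
                             "issue": f"license:{license_}", "severity": "POLICY",
                             "blocking": True})
    return not any(f["blocking"] for f in findings), findings
```

Note that the critical finding sits on a transitive component, which is exactly the case a manifest-only check of direct dependencies would miss.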
Topic: Security Architecture
A global enterprise is replacing a hub-and-spoke VPN model. The security architecture team must choose an access architecture for SaaS, public cloud workloads, and a small set of data center applications. Which action is best supported by the assessment?
Exhibit: Access architecture assessment
| Finding | Detail |
|---|---|
| Workforce | 70% remote or branch-based |
| Traffic | SaaS and cloud traffic is hairpinned through the data center |
| Goal | Enforce identity, device posture, DLP, and app-level authorization per session |
| Constraint | Reduce reliance on the data center perimeter without allowing unmanaged direct access |
Options:
A. Deploy SD-WAN solely for link optimization
B. Deperimeterize by removing VPN and perimeter controls
C. Use SDN only to microsegment data center workloads
D. Adopt SASE with SD-WAN and ZTNA policy enforcement
Best answer: D
Explanation: The exhibit points to a SASE-oriented access architecture. The organization needs distributed enforcement for identity, device posture, DLP, and application-level authorization across remote users, branches, SaaS, cloud, and private apps. SASE can place security controls closer to users and cloud destinations, while SD-WAN can improve branch connectivity and steer traffic without forcing all sessions through a central data center perimeter. This supports deperimeterization safely because access decisions move from network location to identity, posture, application, and data context. SD-WAN alone improves transport but does not provide the full policy enforcement plane.
Topic: Security Architecture
A financial services company is redesigning access to a hybrid claims platform after an attacker used a compromised VPN account from an approved corporate subnet to reach internal APIs. Requirements: support remote and office users, keep the legacy API online during migration, preserve centralized audit evidence for regulated data access, and avoid granting broad network access after authentication. Which design change is the BEST professional decision?
Options:
A. Put an identity-aware proxy in front of the APIs and enforce per-request access using user identity, device posture, data classification, and session risk.
B. Restrict API access to corporate subnets and require quarterly VPN credential rotation.
C. Move the VPN concentrator to a SASE provider and keep subnet-based API authorization.
D. Add an internal firewall rule allowing only the VPN address pool to reach the APIs.
Best answer: A
Explanation: Zero Trust design does not treat being on a corporate subnet, VPN, or office network as sufficient proof of trust. The safer correction is to move the enforcement point closer to the protected application or API and authorize each request based on the subject, target object, device state, sensitivity, and risk signals. An identity-aware proxy or similar policy enforcement point can support remote and office users consistently, produce centralized access logs, and allow phased migration without exposing the broader internal network. Network controls can still reduce attack surface, but they should not be the main trust decision for regulated application access. The key takeaway is to validate subject-object access continuously instead of extending implicit trust from network location.
Topic: Security Architecture
A health network is consolidating integrations among a cloud patient portal, third-party labs over a private WAN, and an on-premises EHR interface engine. REST/FHIR and legacy HL7 messages must be authenticated, schema-validated, and rate-limited before reaching the EHR. Third parties cannot install the network’s agents or change internal routing. The control must scale independently and create one audited trust boundary for all integrations. Which placement best meets these requirements?
Options:
A. Require EDR agents on every third-party lab endpoint.
B. Move the WAF to the cloud portal ingress only.
C. Deploy protocol-aware gateways in the integration DMZ before the interface engine.
D. Place NIDS sensors on the EHR VLAN after the interface engine.
Best answer: C
Explanation: Interoperability requirements often determine where security controls must sit. Here, multiple external and hybrid integration paths converge before the EHR interface engine, so the control should be placed at that convergence point and trust boundary. A protocol-aware gateway in an integration DMZ can validate REST/FHIR and HL7 traffic, enforce mTLS or token-based authentication, apply rate limits, and centralize audit logging without requiring third-party endpoint changes. It also scales independently from the EHR and avoids exposing the interface engine directly to partner traffic. The closest distractors either protect only one path, detect issues too late, or depend on controls outside the organization’s authority.
Topic: Security Architecture
A financial services company moved a customer API from VMs to a managed Kubernetes platform. Security leadership wants the architecture updated so prevention, hardening, detection, and monitoring cover the new traffic paths without adding a perimeter-only blind spot.
Exhibit: Current control coverage
| Area | Current state |
|---|---|
| WAF | Internet-to-API gateway only |
| EDR | VM hosts only; no pod/runtime events |
| Scanning | Registry images only; no running workload view |
| Network logs | Firewall north-south only; no pod-to-pod or egress logs |
| Policy | Workloads may call approved external APIs only |
Options:
A. Increase registry image scan frequency and block critical CVEs in CI/CD.
B. Require PAM and MFA for all Kubernetes administrator access.
C. Tune WAF rules and forward WAF alerts to the SIEM.
D. Add workload network policies, egress gateway logging, runtime sensors, and workload scanning.
Best answer: D
Explanation: The key issue is control coverage across the new Kubernetes trust boundaries. The exhibit shows perimeter controls still protect only inbound API traffic, while pod-to-pod communication, runtime behavior, running workload exposure, and approved external egress are not enforced or monitored. A balanced architecture adds preventive controls such as workload network policies, detective telemetry such as runtime sensors, hardening validation such as workload-aware scanning, and monitoring such as egress gateway logs. This aligns the controls with the actual data paths instead of leaving east-west and outbound activity invisible.
Topic: Security Architecture
A financial services company is redesigning access to a privileged reporting portal that contains regulated customer data. Requirements are:
Which approach best maps to these requirements?
Options:
A. Allow access through a VPN and collect web server logs
B. Require MFA and send portal events to the SIEM
C. Use SSO federation and review contractor access quarterly
D. Use conditional access with signed device posture attestation and decision logs
Best answer: D
Explanation: The key requirement is not only authentication; the access decision must depend on evidence. A conditional access architecture can act as the policy decision point, consume federated identity claims, require signed device posture or compliance attestation, and deny sessions that do not meet endpoint requirements. The decision logs then provide audit evidence showing who accessed the portal, from which asserted device state, under which policy result. This is stronger than collecting activity logs after access is granted because the attestation evidence is part of the authorization decision itself.
The takeaway is that logging supports accountability, but attestation evidence is needed when device trust directly affects access control.
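An added illustration of the policy decision point the explanation describes (not part of the IT Mastery question bank): a constructed posture service signs device claims, and the decision function verifies that signature, checks freshness and compliance, combines it with the MFA claim and a session risk score, and writes a decision log entry. The HMAC key, age limit and risk threshold are assumptions for the demo; a real posture service would use asymmetric signatures.

```python
import hashlib
import hmac
import json

# Constructed shared key standing in for the posture service's signing key.
# Assumption for the demo only; real deployments use asymmetric signatures.
POSTURE_KEY = b"constructed-demo-posture-key"
MAX_ATTESTATION_AGE = 300   # seconds; assumed policy value
RISK_DENY_THRESHOLD = 70    # assumed session-risk cutoff

def _canonical(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

def sign_posture(claims: dict, key: bytes = POSTURE_KEY) -> dict:
    """Posture service side: bind the claims to a signature over their canonical form."""
    return {"claims": claims,
            "sig": hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()}

def verify_posture(attestation: dict, key: bytes = POSTURE_KEY) -> bool:
    expected = hmac.new(key, _canonical(attestation["claims"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation.get("sig", ""))

def decide(identity: dict, attestation: dict, risk: int, now: float, log: list) -> bool:
    """Policy decision point: evaluate every signal, then record the decision and why."""
    claims, reasons = attestation["claims"], []
    if not identity.get("mfa"):
        reasons.append("mfa_missing")
    sig_ok = verify_posture(attestation)
    if not sig_ok:
        reasons.append("posture_signature_invalid")   # tampered or unsigned claims
    else:
        if now - claims["issued_at"] > MAX_ATTESTATION_AGE:
            reasons.append("posture_stale")
        if not (claims.get("disk_encrypted") and claims.get("edr_healthy")):
            reasons.append("posture_noncompliant")
    if risk >= RISK_DENY_THRESHOLD:
        reasons.append("session_risk_high")
    allowed = not reasons
    # Decision log: who, which asserted device state, which policy result.
    log.append({"ts": now, "user": identity.get("sub"), "device": claims.get("device_id"),
                "posture_signed": sig_ok, "risk": risk,
                "result": "allow" if allowed else "deny", "reasons": reasons})
    return allowed
```

The log entry is written for denials as well as allows, so the audit trail shows which evidence the decision rested on rather than only which sessions were granted.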
Topic: Security Architecture
A security architect is reviewing shared-responsibility ownership for a hybrid cloud deployment. Compliance requires the team to identify which controls require customer evidence versus provider attestations.
Exhibit: Cloud control matrix
| Resource | Deployment model | Encryption key model | Workload owner |
|---|---|---|---|
| Payment API VM | IaaS VM | Customer-managed key | Customer app team |
| Image resize function | FaaS | Provider-managed key | Customer app team |
| Evidence bucket | Object storage | Customer-managed key | Customer data team |
| HR platform | SaaS | Provider-managed key | SaaS provider |
Which interpretation is best supported by the exhibit?
Options:
A. The customer must patch the FaaS host operating system.
B. Provider attestations cover all encryption keys once encryption is enabled.
C. The customer owns SaaS platform encryption lifecycle management.
D. Customer evidence is needed for CMKs and custom workload code.
Best answer: D
Explanation: Shared responsibility depends on both the service model and the specific control. In the exhibit, customer-managed keys for the VM and object storage bucket require customer evidence for key policy, access control, rotation, monitoring, and recovery procedures. Customer-owned code also remains the customer’s responsibility, including vulnerabilities in the Payment API and the function logic or dependencies. The provider manages the FaaS platform, host infrastructure, and provider-managed encryption keys. For the SaaS HR platform, the provider owns the application stack and encryption lifecycle, while the customer typically owns tenant configuration such as identity, access, and data governance. The key distinction is that abstraction reduces infrastructure duties, not customer accountability for tenant keys, configurations, and code.
Topic: Security Architecture
A financial services company is moving a regulated application from on-premises source control to a cloud CI/CD platform while keeping production deployment in a private Kubernetes cluster. Security leadership wants evidence that a released container can be traced from reviewed source code through build, signing, and deployment. The solution must support automated promotion, incident investigation, and zero trust verification without relying on administrator screenshots. Which evidence set is the BEST professional decision?
Options:
A. Signed provenance attestations tied to commits, build identity, artifact digest, SBOM, and deployment verification
B. A signed container image and deployment timestamp from the production cluster
C. Source repository branch protections and CI job logs retained for audit review
D. A vulnerability scan report, SBOM, and change ticket approval for each release
Best answer: A
Explanation: Software provenance validation needs linked, tamper-evident evidence across the full delivery chain, not isolated audit artifacts. The strongest evidence binds the reviewed source commit to the CI workload identity, build process, artifact digest, SBOM, and signature, then verifies that same digest and signature at deployment. This supports automated zero trust enforcement because the deployment system can make a policy decision from cryptographic attestations rather than trusting operators or screenshots. It also improves incident response because investigators can trace a running artifact back to its source, builder, dependencies, and approval context. Scan reports, tickets, signatures, and logs are useful, but they do not independently prove the complete source-to-runtime chain.
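An added illustration of the linked provenance chain the explanation describes (not part of the IT Mastery question bank): a constructed build step emits a signed statement binding the reviewed commit, builder identity, artifact digest and SBOM digest, and a deployment-time check verifies each link against the image actually being admitted. The builder key, identity name and commit id are constructed; a real pipeline would sign with the CI workload's asymmetric or keyless identity.

```python
import hashlib
import hmac
import json

# Constructed builder identity and key. Assumption for the demo only: a real
# pipeline would sign with the CI workload's asymmetric or keyless identity.
BUILDER_KEYS = {"ci-builder@prod": b"constructed-builder-signing-key"}
TRUSTED_BUILDERS = {"ci-builder@prod"}

def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def attest(builder_id: str, commit: str, image_bytes: bytes, sbom: dict) -> dict:
    """Build step: bind reviewed commit, builder identity, artifact digest and SBOM."""
    statement = {"builder_id": builder_id, "source_commit": commit,
                 "artifact_digest": digest(image_bytes),
                 "sbom_digest": digest(canonical(sbom))}
    sig = hmac.new(BUILDER_KEYS[builder_id], canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": sig}

def verify_chain(attestation: dict, deploy_digest: str, sbom: dict, reviewed_commits: set) -> list:
    """Deployment admission check; returns the broken links (empty list = admit)."""
    stmt, failures = attestation["statement"], []
    key = BUILDER_KEYS.get(stmt["builder_id"])
    if stmt["builder_id"] not in TRUSTED_BUILDERS or key is None:
        failures.append("untrusted_builder")
    else:
        expected = hmac.new(key, canonical(stmt), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, attestation["signature"]):
            failures.append("bad_signature")        # statement altered after build
    if stmt["source_commit"] not in reviewed_commits:
        failures.append("unreviewed_commit")        # not the approved source
    if stmt["artifact_digest"] != deploy_digest:
        failures.append("artifact_digest_mismatch") # cluster asked to run a different image
    if stmt["sbom_digest"] != digest(canonical(sbom)):
        failures.append("sbom_mismatch")            # SBOM presented is not the one built
    return failures
```

Because every link is checked against the same digest and signature, a valid signature on its own is not enough: the image being deployed, the SBOM and the reviewed commit all have to agree with the statement.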
Use the CompTIA SecurityX CAS-005 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the CompTIA SecurityX CAS-005 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.