Domain 3 (Security Architecture and Engineering) is 13% of the CISSP blueprint, and it is where most of my candidates lose 40% of their Domain 3 questions on a first attempt. The usual failure mode is rote memorization: people memorize Bell-LaPadula but cannot apply it to a scenario that asks about a system handling mixed classifications. Memorization is not enough for Domain 3; you need mental models that can be applied to novel scenarios.
Here are the three I teach.
Model 1: the security-model map
Every security model on CISSP fits into one of four buckets by what it protects:
| Model | Protects | Key rules |
|---|---|---|
| Bell-LaPadula (BLP) | Confidentiality | No read up, no write down |
| Biba | Integrity | No read down, no write up |
| Clark-Wilson | Integrity | Well-formed transactions, separation |
| Brewer-Nash (Chinese Wall) | Conflict of interest | Dynamic COI classes based on access history |
Three more models show up occasionally:
- Take-Grant: models how access rights can be transferred between subjects and objects
- Lattice: generalizes BLP/Biba into a lattice of classification levels
- Non-interference: higher-level actions do not affect lower-level observations
When you see a scenario, ask:
- What is being protected? (Confidentiality, integrity, or a COI?)
- What is the rule being applied? (About reading or about writing?)
That narrows the options to one or two models.
Example stem:
"A financial advisor cannot access a client's records once they have accessed a competitor client's records."
Conflict of interest → Brewer-Nash. Done in 10 seconds.
Example stem:
"A clerk can read a document classified Top Secret but cannot copy it into a Secret-classified file."
Confidentiality + no-write-down → Bell-LaPadula.
Memorization is not the tool here. The model is.
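To make the table's rules concrete, here is an added example (not code from the original post) that encodes each of the four models as an access-check function and runs the two stems above through them. The classification and integrity levels, the conflict-of-interest classes, and names such as `blp_allows` and `BrewerNash` are constructed for illustration; Brewer-Nash is reduced to its read rule and Clark-Wilson to the user/TP/CDI access triple, without the certification and audit requirements of the full models.

```python
"""Added example: the four CISSP security models as executable access checks.
Levels, COI classes and names are constructed for illustration only."""
from dataclasses import dataclass, field

# Constructed confidentiality lattice (for BLP) and integrity lattice (for Biba).
# A higher index means a higher level.
CLASSIFICATION = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEGRITY = ["Low", "Medium", "High"]
C_RANK = {name: i for i, name in enumerate(CLASSIFICATION)}
I_RANK = {name: i for i, name in enumerate(INTEGRITY)}


def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = C_RANK[subject_level], C_RANK[object_level]
    if op == "read":
        return s >= o          # simple security property: no read up
    if op == "write":
        return s <= o          # *-property: no write down
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba (integrity): no read down, no write up. Mirror image of BLP."""
    s, o = I_RANK[subject_level], I_RANK[object_level]
    if op == "read":
        return s <= o          # simple integrity property: no read down
    if op == "write":
        return s >= o          # integrity *-property: no write up
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class ClarkWilson:
    """Clark-Wilson (integrity): constrained data items (CDIs) change only via
    certified transformation procedures (TPs), and each user is authorized for
    specific (user, TP, CDI) triples. Certification/audit steps are omitted."""
    certified_tps: dict   # TP name -> set of CDIs that TP is certified to modify
    triples: set          # {(user, tp, cdi)} authorizations

    def allows(self, user: str, tp: str, cdi: str) -> bool:
        well_formed = cdi in self.certified_tps.get(tp, set())
        return well_formed and (user, tp, cdi) in self.triples


@dataclass
class BrewerNash:
    """Brewer-Nash (Chinese Wall): a subject may access a company's data only if
    it has never accessed a *different* company in the same COI class.
    The decision depends on history, which is what makes the policy dynamic."""
    coi_class_of: dict                          # company -> COI class name
    history: dict = field(default_factory=dict) # subject -> set of companies seen

    def allows(self, subject: str, company: str) -> bool:
        coi = self.coi_class_of[company]
        return all(seen == company or self.coi_class_of[seen] != coi
                   for seen in self.history.get(subject, set()))

    def access(self, subject: str, company: str) -> bool:
        """Apply the rule and, if access is granted, record it in the history."""
        if not self.allows(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


def walk_example_stems() -> dict:
    """The two stems from the post, checked against the model each one maps to."""
    # Constructed COI classes: Client A and Client B compete; Client C does not.
    wall = BrewerNash({"Client A": "brokerages", "Client B": "brokerages",
                       "Client C": "energy"})
    wall.access("advisor", "Client A")
    return {
        "advisor_blocked_from_competitor": not wall.allows("advisor", "Client B"),
        "advisor_allowed_other_class": wall.allows("advisor", "Client C"),
        "clerk_reads_top_secret": blp_allows("Top Secret", "Top Secret", "read"),
        "clerk_writes_to_secret": blp_allows("Top Secret", "Secret", "write"),
    }


if __name__ == "__main__":
    for check, result in walk_example_stems().items():
        print(f"{check}: {result}")
```

The two stems come out as the post says: the advisor is blocked from Client B but not from Client C, and the Top Secret clerk can read Top Secret but cannot write into a Secret file. The useful habit is the one the functions make visible: BLP and Biba are the same comparison with the direction flipped, while Clark-Wilson and Brewer-Nash need state (certified TPs, access history) that a level comparison cannot express.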
Model 2: the cryptographic hierarchy
People lose points on Domain 3 crypto because they try to memorize every algorithm. The more useful structure is a hierarchy:
Layer 1 — symmetric vs asymmetric. Symmetric is fast, uses one shared key, has key-distribution problems. Asymmetric is slow, uses key pairs, solves key distribution. In practice, you combine them: asymmetric to exchange the symmetric key, then symmetric for the bulk data.
Layer 2 — key lifecycle. Generation, distribution, storage, use, rotation, revocation, destruction. Every cryptographic system question is secretly a key-lifecycle question. When you are reading a Domain 3 crypto question, ask "which part of the lifecycle are they testing?"
Layer 3 — algorithm families.
- Symmetric: AES (modern), 3DES (legacy), Blowfish, Twofish
- Asymmetric: RSA, ECC, ElGamal, DSA
- Hashing: SHA-2, SHA-3 (use these), MD5 (broken), SHA-1 (deprecated)
- MACs: HMAC (keyed hash) and CMAC (block-cipher based); a shared symmetric key plus a hash or cipher gives integrity and authenticity
Layer 4 — cryptographic protocols. TLS, IPsec, Kerberos, PGP, S/MIME. Each combines primitives from Layer 3 in specific ways. Know what each protocol protects: TLS = confidentiality + integrity in transit; Kerberos = authentication with tickets; IPsec = confidentiality + integrity at the network layer.
When you get a cryptographic question, walk the layers: which layer is the question about? That determines which facts are relevant.
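As an added example (not from the original post), the following walks Layers 2 and 3 together: a key-lifecycle state machine covering the stages listed above, and an HMAC (Layer 3) that will only create tags with an active key and only verify with an active or superseded key. The state names, allowed transitions, key id and message are constructed, and `ManagedKey` is a hypothetical class rather than any real KMS or HSM API.

```python
"""Added example: key lifecycle (Layer 2) enforced around an HMAC (Layer 3).
States, transitions, the key id and the message are constructed; a real
deployment keeps the key material in an HSM/KMS instead of a Python object."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Lifecycle stages from the post as a forward-only state machine. A key never
# goes back to "active" once rotated, revoked or destroyed.
TRANSITIONS = {
    "generated":   {"distributed", "destroyed"},
    "distributed": {"active", "revoked", "destroyed"},
    "active":      {"rotated", "revoked"},
    "rotated":     {"revoked", "destroyed"},   # superseded, kept to verify old tags
    "revoked":     {"destroyed"},
    "destroyed":   set(),
}


def can_transition(state: str, new_state: str) -> bool:
    """True if the lifecycle allows moving from state to new_state."""
    return new_state in TRANSITIONS[state]


@dataclass
class ManagedKey:
    key_id: str
    state: str = "generated"
    material: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def transition(self, new_state: str) -> None:
        if not can_transition(self.state, new_state):
            raise ValueError(f"{self.key_id}: {self.state} -> {new_state} not allowed")
        self.state = new_state
        if new_state == "destroyed":
            self.material = b""   # destruction removes the material, not just a flag

    def mac(self, message: bytes) -> bytes:
        """Create a tag. Only an active key may protect new data."""
        if self.state != "active":
            raise PermissionError(f"{self.key_id} is {self.state}, not active")
        return hmac.new(self.material, message, hashlib.sha256).digest()

    def verify(self, message: bytes, tag: bytes) -> bool:
        """Verify a tag. Active and rotated keys may verify tags issued earlier;
        revoked and destroyed keys may not be used for anything."""
        if self.state not in ("active", "rotated"):
            return False
        expected = hmac.new(self.material, message, hashlib.sha256).digest()
        # compare_digest runs in constant time; a plain == would leak how many
        # leading bytes matched, which is a timing side channel.
        return hmac.compare_digest(expected, tag)


def lifecycle_walkthrough() -> dict:
    """Push one key through the lifecycle and record what each stage permits."""
    key = ManagedKey("k-example-01")
    msg = b"transfer 100 to account 42"        # constructed message
    out = {}
    try:
        key.mac(msg)
        out["mac_while_generated"] = True
    except PermissionError:
        out["mac_while_generated"] = False     # not yet distributed/active
    key.transition("distributed")
    key.transition("active")
    tag = key.mac(msg)
    out["verify_active"] = key.verify(msg, tag)
    out["verify_tampered"] = key.verify(msg + b"0", tag)
    key.transition("rotated")
    out["verify_after_rotation"] = key.verify(msg, tag)
    try:
        key.mac(msg)
        out["mac_after_rotation"] = True
    except PermissionError:
        out["mac_after_rotation"] = False      # superseded keys sign nothing new
    key.transition("destroyed")
    out["verify_after_destroy"] = key.verify(msg, tag)
    return out


if __name__ == "__main__":
    for stage, permitted in lifecycle_walkthrough().items():
        print(f"{stage}: {permitted}")
```

The design point worth noticing is the asymmetry between `mac` and `verify`: rotation must stop new tags immediately but still let tags already in flight be checked, whereas revocation and destruction stop both. A question that describes a key being "rotated" versus "revoked" is testing exactly that distinction, and the constant-time comparison in `verify` is the Layer 3 detail that side-channel questions tend to reach for.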
Model 3: the physical-through-virtual stack
Domain 3 tests physical security, embedded system security, virtualization security, and cloud-deployment security in one mixed bag. The mental model that makes this coherent is a stack:
Layer 7 — Human / admin (social engineering, training)
Layer 6 — Data (DLP, classification, retention)
Layer 5 — Application (OWASP, WAFs, input validation)
Layer 4 — Runtime (container security, hypervisor, OS hardening)
Layer 3 — Network (segmentation, firewalls, IDS/IPS)
Layer 2 — Hardware (TPM, HSM, secure boot)
Layer 1 — Physical (locks, guards, CCTV, fencing)
Every Domain 3 scenario is happening at one or two layers. "A guard signs in visitors" is Layer 1. "The hypervisor protects guest VMs from each other" is Layer 4. "The application validates input" is Layer 5.
When you read a scenario, identify the layer(s) in play. The appropriate control will almost always live at the same layer as the threat. Applying Layer 6 (data classification) to a Layer 4 (hypervisor escape) threat gets you a wrong answer.
Putting it together
A Domain 3 question I pulled from our audit:
"A cloud customer runs multiple tenants on shared infrastructure. One tenant attempts to read another tenant's memory through a side-channel attack. Which control most directly mitigates this?"
Walk the models:
- What is being protected? Confidentiality between tenants (Bell-LaPadula territory, but the question is about cloud, not classified systems).
- What layer? Layer 4 — runtime, specifically hypervisor-level isolation.
- What control at Layer 4 mitigates side-channel? Process isolation, hypervisor hardening, dedicated hosts (which raise Layer 1 and Layer 4 isolation), or constant-time cryptography (which prevents timing side-channels at Layer 5).
The "best" answer depends on the exact distractors, but the model-driven walk narrows the options instantly.
What to study
If you are weak on Domain 3, prioritize:
- The four main security models. Memorize the rules; practice applying them. 2 evenings.
- Crypto lifecycle. Not algorithms — lifecycle. 1 evening.
- The stack model. Practice identifying the layer of any Domain 3 question. 1 evening.
- 100 Domain-3-only scenario questions. Drill them until the layer and model identification is automatic.
That five-evening plan has lifted Domain 3 scores by 10+ points for every CISSP retaker I have coached in the last two years. Domain 3 is not harder content than the other domains. It rewards structure more than any other domain, and the structure is what most study guides skip.