If you are studying Security+ architecture, do not memorize a pile of buzzwords and call it a day. The exam usually wants you to choose the safest design tradeoff from a messy scenario: isolate the risky thing, keep the business running, reduce blast radius, and avoid creating a worse problem while trying to look clever.
Fast answer: Security+ architecture questions are about matching controls to design goals. Segmentation limits movement. Redundancy improves availability. Zero trust reduces implicit trust. Secure baselines make systems consistent. Cloud shared responsibility tells you which part is yours to fix.
Use these practice questions to drill that decision-making pattern. Read the scenario, pick the best answer, then check why the other answers are weaker. That part matters more than the letter grade.
Quick architecture cheat sheet
| Scenario clue | Think about |
|---|---|
| One compromised workstation should not reach everything | Network segmentation, ACLs, least privilege |
| A service must survive hardware failure | Redundancy, failover, backups, resilience |
| Users work from anywhere | Zero trust, conditional access, device posture |
| Cloud storage was exposed | IAM, public access settings, shared responsibility |
| IoT or embedded devices are risky | Isolation, firmware updates, vendor support, monitoring |
| New server builds drift over time | Hardened images, secure baselines, configuration management |
If this feels too broad, pair it with the Security+ vulnerability management practice questions and the Security+ access control practice questions. Architecture is where those controls get arranged into a system.
Practice questions
1. Segmenting a payment system
A company has workstations, file servers, printers, and a small payment processing system on the same flat network. A help desk workstation gets infected with malware. Leadership wants to reduce the chance that a future workstation compromise can reach the payment system.
What is the best first architecture change?
A. Install antivirus on the payment servers
B. Move the payment system into a separate network segment with restricted access rules
C. Rename the payment servers so users cannot find them
D. Require longer passwords for all employees
Answer: B. Segmentation reduces blast radius. Antivirus and password policy may help, but they do not fix the flat-network design. Renaming servers is security theater with a haircut.
2. Choosing resilience for a critical app
A ticketing system runs on one virtual machine. When the host needs maintenance, the help desk loses access to open tickets. Management wants the system to stay available during routine host maintenance.
Which design best addresses the requirement?
A. Add a second administrator account
B. Put the VM on highly available infrastructure or create an active/passive failover design
C. Increase the VM’s disk size
D. Disable operating system updates
Answer: B. The problem is availability during host maintenance. A highly available or failover design addresses that directly. More disk and extra admin accounts do not keep the service running. Disabling updates just creates a future incident with extra paperwork.
3. Zero trust remote access
A company is replacing a traditional VPN. Users work from home, coffee shops, and customer sites. Security wants access decisions based on user identity, device health, location risk, and the specific app being accessed.
Which architecture fits best?
A. Zero trust network access
B. A larger flat VPN subnet
C. Shared local administrator passwords
D. Port forwarding from the firewall to internal apps
Answer: A. Zero trust network access makes an explicit, per-request access decision (identity, device health, context, target app) instead of assuming everything that lands on the VPN is trusted. A bigger VPN subnet makes the trust problem bigger. Port forwarding exposes internal apps directly to the internet, which is how you summon pain.
4. Cloud shared responsibility
A team stores customer exports in a cloud object storage bucket. The provider’s infrastructure is patched and available, but the bucket was accidentally made public by the customer team.
Who is usually responsible for fixing that exposure?
A. The cloud provider only
B. The customer team that configured the bucket permissions
C. The internet service provider
D. The users who downloaded the files
Answer: B. In most shared responsibility models, the provider secures the underlying cloud infrastructure, while the customer secures identity, permissions, data configuration, and application choices. Exact details vary by service, but public bucket permissions are typically the customer's responsibility. Most providers also offer account- or bucket-level settings that block public access regardless of individual permissions; turning those on is still the customer's job.
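To make the customer side of that model concrete, here is an added example (not part of the original page) that reviews a bucket policy for "everyone" grants. The policy is a constructed sample in the JSON shape AWS S3 bucket policies use; the bucket name, account ID and VPC endpoint ID are made up. It separates the clear mistake (an unconditional public Allow) from statements that name `*` but carry a Condition, which a human still has to judge.

```python
"""Classify bucket-policy statements by how widely they grant access.
The policy is a constructed sample in the JSON shape AWS S3 bucket policies
use; the bucket name, account ID and VPC endpoint ID are made up."""
import json

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # The mistake from the scenario: anyone on the internet can read.
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::customer-exports-example/*",
        },
        {   # Still "*" as principal, but a condition narrows it. Whether that
            # is safe depends on the condition, so it is flagged for review.
            "Sid": "VpcOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::customer-exports-example/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {   # Properly scoped to one role in the customer's own account.
            "Sid": "ExportJob",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/export-job"},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::customer-exports-example/*",
        },
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_everyone(principal) -> bool:
    """True when the Principal element means 'any caller, including anonymous'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def classify(stmt: dict) -> str:
    """'deny', 'scoped', 'public-conditional' or 'public'."""
    if stmt.get("Effect") != "Allow":
        return "deny"
    if not is_everyone(stmt.get("Principal")):
        return "scoped"
    return "public-conditional" if stmt.get("Condition") else "public"


def review(policy_json: str) -> dict:
    """Map each Sid to its classification."""
    policy = json.loads(policy_json)
    return {s.get("Sid", f"stmt{i}"): classify(s)
            for i, s in enumerate(_as_list(policy.get("Statement", [])))}


def remove_public(policy_json: str) -> str:
    """Return the policy with unconditional public Allow statements dropped.
    Conditional ones are kept; a human decides whether the condition is enough."""
    policy = json.loads(policy_json)
    policy["Statement"] = [s for s in _as_list(policy.get("Statement", []))
                           if classify(s) != "public"]
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for sid, verdict in review(SAMPLE_POLICY).items():
        print(f"{sid:12} {verdict}")
    print(remove_public(SAMPLE_POLICY))
```

The check only looks at the policy document. Object ACLs, access point policies and the account-wide public access block are separate settings, and a real review covers all of them; the point here is that every one of those knobs sits on the customer's side of the line.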
5. Embedded device risk
A warehouse uses barcode scanners that run an old embedded operating system. The vendor still supports the devices, but patch windows are limited because shipping runs all day. The devices only need to talk to one inventory application.
What is the best practical risk reduction?
A. Put the scanners on the same network as finance workstations
B. Isolate the scanners on a restricted network and allow only required traffic to the inventory app
C. Disable all logging to save device resources
D. Give scanner users domain administrator rights
Answer: B. Embedded and IoT-style devices are often hard to manage like normal laptops. Isolation and tight allow rules reduce the damage if one is compromised. You still patch when possible, but segmentation is the architectural move.
6. Secure baseline drift
A company has ten admins building Windows servers manually. Some servers have old local accounts, inconsistent firewall rules, and different logging settings. The security team wants new servers to start secure and stay consistent.
Which control helps most?
A. A hardened server image plus configuration management
B. A spreadsheet asking admins to remember every setting
C. A monthly email reminder about security
D. A new naming convention for servers
Answer: A. Hardened images and configuration management reduce drift. A spreadsheet can document intent, but it does not enforce it. Naming conventions are useful for sanity, not baseline security.
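"Stay consistent" only means something if you can measure drift. The following added example (not from the original page) compares two servers against a small hardened baseline and lists every deviation, including local accounts the baseline never approved. The baseline keys, the SIEM hostname and both servers are constructed samples, not a real CIS or vendor benchmark.

```python
"""Compare a server's observed settings against a hardened baseline and report
drift. The baseline keys, the SIEM hostname and both 'servers' are constructed
samples, not a real CIS or vendor benchmark."""

BASELINE = {
    "firewall.enabled": True,
    "firewall.default_inbound": "block",
    "smb1.enabled": False,
    "rdp.nla_required": True,
    "audit.logon_events": "success,failure",
    "log.forwarder": "siem.example.internal",   # assumed collector hostname
}
ALLOWED_LOCAL_ACCOUNTS = {"Administrator", "svc_backup"}


def drift_report(observed: dict, local_accounts) -> list:
    """Return one human-readable finding per deviation; empty list = compliant."""
    findings = []
    for key, want in BASELINE.items():
        if key not in observed:
            findings.append(f"{key}: not set (baseline wants {want!r})")
        elif observed[key] != want:
            findings.append(f"{key}: expected {want!r}, found {observed[key]!r}")
    for key in sorted(set(observed) - set(BASELINE)):
        findings.append(f"{key}: not covered by baseline, review")
    for acct in sorted(set(local_accounts) - ALLOWED_LOCAL_ACCOUNTS):
        findings.append(f"local account {acct!r} is not in the baseline")
    return findings


# Server deployed from the hardened image (constructed).
IMAGE_BUILT = dict(BASELINE)
IMAGE_BUILT_ACCOUNTS = ["Administrator", "svc_backup"]

# Server one of the ten admins built by hand (constructed).
MANUAL_BUILD = {
    "firewall.enabled": True,
    "firewall.default_inbound": "allow",          # drift
    "smb1.enabled": True,                         # drift
    "rdp.nla_required": True,
    "audit.logon_events": "failure",              # drift
    # log.forwarder is missing entirely            # drift
    "telnet.enabled": True,                       # setting the baseline never mentions
}
MANUAL_BUILD_ACCOUNTS = ["Administrator", "svc_backup", "temp_admin", "oldvendor"]


def fleet_summary(servers: dict) -> dict:
    """servers: name -> (observed_settings, local_accounts). Returns name -> finding count."""
    return {name: len(drift_report(obs, accts)) for name, (obs, accts) in servers.items()}


if __name__ == "__main__":
    fleet = {"srv-img-01": (IMAGE_BUILT, IMAGE_BUILT_ACCOUNTS),
             "srv-hand-07": (MANUAL_BUILD, MANUAL_BUILD_ACCOUNTS)}
    for name, count in fleet_summary(fleet).items():
        print(f"{name}: {count} finding(s)")
    for line in drift_report(MANUAL_BUILD, MANUAL_BUILD_ACCOUNTS):
        print("  -", line)
```

In practice the `observed` dictionary comes from whatever your configuration management tool exports, and the report feeds a ticket or a remediation run rather than a print statement. The design point is that the baseline is data the tool enforces, not a spreadsheet admins are asked to remember.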
7. Reducing lateral movement
An attacker compromises a normal user’s desktop. From there, they attempt to access admin shares, domain controllers, and database servers. The company wants to limit lateral movement after initial compromise.
Which combination is strongest?
A. Network segmentation, least privilege, and privileged access controls
B. More colorful desktop wallpapers
C. One shared admin account so responders can move faster
D. Letting all workstations talk to all servers for convenience
Answer: A. Lateral movement is controlled by reducing unnecessary paths and privileges. Segmentation limits network reach, least privilege limits account reach, and privileged access controls protect admin credentials.
8. Disaster recovery design
A small business backs up its file server to a USB drive that stays plugged into the same server. Ransomware encrypts the server and the attached backup drive. Leadership asks what architecture change would make backups more useful next time.
What should you recommend?
A. Keep at least one offline or immutable backup copy and test restores
B. Use a longer USB cable
C. Rename the backup folder
D. Stop taking backups because they failed once
Answer: A. Backups need separation from the thing they protect. Offline copies, immutable copies (storage that refuses modification or deletion until a retention period expires), or otherwise isolated backups reduce the chance that ransomware destroys production data and the backups in the same hit. Testing restores is the part everyone forgets until it is too late.
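Here is what "test restores" looks like as a drill you can run, added as an example and not code from the original page. It backs up a small tree with a SHA-256 manifest, overwrites the production copy the way ransomware would, restores from the separate copy, and proves the restore is complete and intact. Everything runs in a temporary directory and the file contents are constructed; the separation of the backup copy (offline media or immutable storage) is a property of where you put it, which this script cannot show.

```python
"""Back up a directory with a SHA-256 manifest, destroy the 'production' copy,
restore from the backup, and prove the restore is complete and intact.
Everything lives in a temporary directory; file contents are constructed."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def backup(source: str, dest: str) -> str:
    """Copy source to dest and store the manifest beside the copy."""
    shutil.copytree(source, os.path.join(dest, "data"))
    manifest_path = os.path.join(dest, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(build_manifest(source), f, indent=2, sort_keys=True)
    return manifest_path


def verify_restore(restored: str, manifest_path: str) -> dict:
    """Compare a restored tree to the manifest. Empty lists mean the restore
    test passed; this is the check most shops skip until the incident."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = build_manifest(restored)
    return {
        "missing":    sorted(p for p in expected if p not in actual),
        "corrupt":    sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def run_restore_test(corrupt_one_file: bool = False) -> dict:
    """End-to-end drill. Returns the verify_restore result."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = os.path.join(tmp, "fileserver")
        os.makedirs(os.path.join(prod, "finance"))
        # Constructed sample files standing in for the real share.
        for rel, body in {"finance/q3.csv": b"vendor,amount\nacme,1200\n",
                          "readme.txt": b"do not delete\n"}.items():
            with open(os.path.join(prod, rel), "wb") as f:
                f.write(body)

        manifest = backup(prod, os.path.join(tmp, "offline-copy"))

        # Ransomware stand-in: overwrite production, leave the separate copy alone.
        for dirpath, _, files in os.walk(prod):
            for name in files:
                with open(os.path.join(dirpath, name), "wb") as f:
                    f.write(b"\x00ENCRYPTED\x00")

        shutil.rmtree(prod)
        shutil.copytree(os.path.join(tmp, "offline-copy", "data"), prod)
        if corrupt_one_file:   # simulate a bad restore so the check visibly bites
            with open(os.path.join(prod, "readme.txt"), "ab") as f:
                f.write(b"truncated-or-garbled")
        return verify_restore(prod, manifest)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("damaged restore:", run_restore_test(corrupt_one_file=True))
```

The manifest travels with the backup, so a restore can be checked without trusting the production server that was just compromised. If the USB drive in the scenario had been unplugged after each run, the copy would have survived; the drill above is how you find out whether it is actually usable.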
9. Secure network design for guests
A company wants guest Wi-Fi for visitors. Guests need internet only. They should not reach printers, file shares, domain controllers, or management interfaces.
What is the best design?
A. Put guests on the corporate LAN and ask them not to browse internal resources
B. Put guests on an isolated guest network with internet-only access
C. Give guests temporary domain admin accounts
D. Hide the corporate SSID and use the same password for both networks
Answer: B. Guest networks should be isolated. The key idea is not just a different Wi-Fi name; it is traffic separation and access control. If guests can still hit internal systems, the architecture is not doing its job.
10. Choosing a control for data sensitivity
A department wants to store sensitive HR files in a shared document platform. Only HR and a small legal group should access them. The files should also be protected if someone downloads a copy to a managed laptop.
Which design is best?
A. Store the files in a restricted location and apply encryption or information protection controls where available
B. Put the files in the company-wide folder because employees are trusted
C. Email the files around as attachments
D. Rely only on the folder name saying “private”
Answer: A. Access control handles who can reach the files. Encryption or information protection helps if copies leave the original location. A folder name is not a control. It is a label wearing a tiny hat.
How to study these questions
Architecture questions get easier when you ask three questions before looking at answers:
- What is the business goal? Availability, confidentiality, integrity, isolation, recovery, compliance, or safer access?
- What is the failure mode? Compromise, outage, misconfiguration, data exposure, account abuse, or uncontrolled change?
- Which answer changes the design? The right answer usually changes trust boundaries, access paths, redundancy, or management process.
Also watch for exam answers that sound technical but do not address the scenario. If the problem is a flat network, a password change may be useful but incomplete. If the problem is cloud permissions, buying a bigger firewall is probably not the move.
Mini lab ideas
You do not need a corporate budget to make this real. In a home lab or cloud free tier, you can practice architecture thinking by:
- Creating separate virtual networks for workstation, server, and guest traffic.
- Writing simple allow/deny rules between those networks.
- Building a hardened VM template, then comparing it to a manually built VM.
- Creating a test backup, deleting a file, and proving you can restore it.
- Documenting which cloud security settings are provider-managed versus customer-managed.
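The second lab item, writing allow/deny rules between segments, is also the design behind questions 1, 5, 7 and 9. The following added example (not from the original page) models a default-deny policy for workstation, server, payment, scanner and guest segments and checks individual flows against it. All addresses, the inventory host and the rules are constructed; real enforcement lives in your firewall or cloud network rules, but the decision logic is the same.

```python
"""Toy default-deny segmentation policy for the workstation / server /
payment / scanner / guest segments used in questions 1, 5, 7 and 9.
All addresses, hosts and rules are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed segment addressing. Anything not listed is "internet" if it is
# a public address, otherwise "unknown" (and therefore denied).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/24"),
    "scanners":     ipaddress.ip_network("10.30.0.0/24"),
    "payment":      ipaddress.ip_network("10.99.0.0/24"),
    "guest":        ipaddress.ip_network("192.168.50.0/24"),
}
INVENTORY_APP = ipaddress.ip_address("10.20.0.15")   # constructed host


@dataclass(frozen=True)
class Rule:
    src: str                      # source segment
    dst: str                      # destination segment, or "internet"
    proto: str                    # "tcp", "udp" or "any"
    ports: FrozenSet[int]         # destination ports; empty = any port
    dst_host: Optional[ipaddress.IPv4Address] = None   # pin to one host


# Explicit allow rules. There is deliberately no rule INTO "payment" from
# any other segment, so those flows fall through to the default deny.
ALLOW = [
    Rule("workstations", "servers", "tcp", frozenset({445, 9100})),      # shares, printers
    Rule("workstations", "internet", "tcp", frozenset({80, 443})),       # web
    Rule("scanners", "servers", "tcp", frozenset({443}), INVENTORY_APP),  # one app only
    Rule("guest", "internet", "any", frozenset()),                       # internet only
]


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Return True only if an explicit rule permits the flow.
    Traffic inside one segment is out of scope here (host firewalls handle it)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst and src not in ("internet", "unknown"):
        return True
    for r in ALLOW:
        if (r.src, r.dst) != (src, dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports and port not in r.ports:
            continue
        if r.dst_host is not None and ipaddress.ip_address(dst_ip) != r.dst_host:
            continue
        return True
    return False


def audit(flows):
    """flows: iterable of (src_ip, dst_ip, proto, port). Returns the denied ones,
    which is what you would expect to see in firewall drop logs."""
    return [f for f in flows if not is_allowed(*f)]


if __name__ == "__main__":
    # Constructed flows: malware on a help desk box probing the network.
    probes = [
        ("10.10.4.7", "10.20.0.5", "tcp", 445),      # file share: allowed
        ("10.10.4.7", "10.99.0.10", "tcp", 443),     # payment system: denied
        ("10.30.0.9", "10.20.0.15", "tcp", 443),     # scanner -> inventory: allowed
        ("10.30.0.9", "10.20.0.16", "tcp", 443),     # scanner -> other server: denied
        ("192.168.50.20", "8.8.8.8", "udp", 53),     # guest DNS out: allowed
        ("192.168.50.20", "10.20.0.5", "tcp", 445),  # guest -> file share: denied
    ]
    for flow in audit(probes):
        print("DENY", flow)
```

Two things to notice. The payment segment is protected by the absence of a rule, not by a deny line, which is what default deny buys you when someone later adds a segment and forgets about it. And the scanner rule pins both the port and the host, so a compromised scanner cannot wander the server segment even though the scanners and the inventory app live on "allowed" networks.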
If you are also working on networking fundamentals, review the Network+ VLAN practice questions and Network+ routing practice questions. A lot of security architecture is just networking with consequences.
FAQ
Are Security+ architecture questions mostly memorization?
No. You need vocabulary, but the exam often tests whether you can apply the vocabulary to a scenario. Know what segmentation, zero trust, high availability, secure baselines, and shared responsibility actually do.
Should I study cloud security for this domain?
Yes. You do not need to become a cloud architect, but you should understand IAM, public exposure, encryption options, logging, network security groups, and the shared responsibility model.
What is the easiest way to spot the right answer?
Find the answer that directly reduces the stated risk without breaking the business requirement. If a service must stay available, choose resilience. If a risky device should not reach everything, choose isolation. If access is too broad, choose least privilege.
What should I study next?
For exam flow, rotate between architecture, access control, vulnerability management, and incident response. If you want a bigger cert roadmap, start with the best IT certifications guide and keep your study plan boring enough to finish.
Final take
Security+ architecture is not about designing a perfect enterprise from scratch. It is about making sane tradeoffs: isolate what is risky, protect what is sensitive, keep critical systems available, and make secure defaults easier than heroic manual work.
That is also good help desk and junior admin thinking. The person who can explain blast radius, failover, and least privilege in plain English is already more useful than the person who memorized one hundred acronyms and forgot why any of them exist.
If you are studying for Security+, save this page and redo the questions after a few days. If you can explain why the wrong answers are wrong, you are learning the architecture instead of just recognizing the answers.