ISSAP Practice Test Video Answer

1. D
SABSA is specifically designed for security architecture and provides a framework that directly aligns security controls with business objectives through its risk-driven, business-focused approach. NIST CSF is valuable for cybersecurity programs, TOGAF addresses enterprise architecture broadly, and Zachman is a general enterprise architecture framework; SABSA alone is purpose-built for security architecture aligned with business needs.

2. B
Zero-trust architecture is fundamentally based on the principle of “never trust, always verify,” requiring continuous verification of all users and devices regardless of their location. This approach eliminates the concept of implicit trust for internal network traffic and replaces perimeter-based security models with continuous authentication and authorization.

3. B
Defense-in-depth implements multiple layers of security controls so that if one layer fails, additional layers continue to provide protection. This architectural approach ensures that no single point of failure can compromise the entire security posture, providing redundancy and resilience against various attack vectors.

4. A
Service mesh architecture with mutual TLS provides the most appropriate solution for microsegmentation in containerized environments, offering fine-grained service-to-service communication controls, encryption, and identity verification. Traditional VLAN segmentation is not suitable for the dynamic nature of containerized workloads.

5. C
Threat modeling and attack tree analysis provide systematic methods for identifying potential attack paths, understanding attacker motivations, and analyzing how security controls can be bypassed. This approach is more comprehensive than checklists or vulnerability scanning for architectural review purposes.

6. B
Rate limiting prevents API abuse through excessive requests, while OAuth 2.0 provides robust authentication and authorization. This combination addresses both availability and access control concerns, which are critical for API security. SSL/TLS alone doesn’t prevent abuse, and IP whitelisting is insufficient in dynamic environments.

7. B
Security domains establish logical or physical boundaries where specific security requirements and controls apply based on the sensitivity and criticality of assets within those domains. This enables appropriate security measures to be applied based on risk levels and business requirements.

8. C
Transparent data encryption (TDE) with key rotation provides encryption at the database level without requiring application changes, offering a good balance between security and performance. It protects data at rest while minimizing performance impact and maintains operational flexibility through key rotation.

9. B
DevSecOps principles require security to be integrated continuously throughout all stages of the development pipeline, from design through deployment. This “shift-left” approach ensures security issues are identified and remediated early, reducing costs and improving overall security posture.

10. B
Zero Trust Network Access with multi-factor authentication provides the most secure and scalable approach by verifying identity and device posture before granting access, implementing least-privilege access, and eliminating implicit trust. Traditional VPNs provide broader network access and don’t scale well with modern security requirements.

11. B
SIEM systems provide centralized collection, correlation, and real-time analysis of security events from multiple sources, enabling threat detection, incident response, and compliance reporting. This centralized visibility is essential for effective security operations in complex environments.

12. C
A hybrid DLP approach combining network, endpoint, and cloud-based DLP provides comprehensive coverage for data protection across all potential exfiltration vectors. Data can leave an organization through multiple channels, so protection must be implemented at all control points.

13. C
Fail-safe defaults ensure that when a system experiences a failure, it defaults to a secure state (typically denying access rather than granting it). This principle prevents security failures from creating vulnerabilities and maintains security even during system malfunctions.

14. C
Attribute-Based Access Control (ABAC) provides the most flexibility for dynamic environments by making access decisions based on attributes of users, resources, and environmental conditions. This is more adaptable than traditional RBAC for complex, changing environments while providing fine-grained control.
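Answers 13 and 14 describe two ideas that meet in a policy decision point: access is computed from subject, resource and environment attributes (ABAC), and any failure during that computation must resolve to deny (fail-safe defaults). The following added example, which is not from the practice test or its video, shows a small deny-overrides ABAC evaluator beside a fail-open variant, and how the two diverge when an attribute is missing. The attribute names, clearance ladder and the three policies are assumptions constructed for illustration.

```python
"""ABAC policy decision point with fail-safe (deny) defaults. Added example.

Attributes, clearance levels and policies below are constructed for
illustration and are not from any real product or standard.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attributes = Dict[str, Any]

# Assumed classification ladder: higher number means more sensitive.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Request:
    subject: Attributes      # who is asking (department, clearance, device state)
    resource: Attributes     # what is asked for (classification, owning department)
    environment: Attributes  # context of the request (time of day, etc.)


@dataclass
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    condition: Callable[[Request], bool]


POLICIES: List[Policy] = [
    Policy("deny-restricted-outside-business-hours", "deny",
           lambda r: r.resource["classification"] == "restricted"
           and not (8 <= r.environment["hour"] < 18)),
    Policy("deny-unmanaged-device-for-confidential-or-above", "deny",
           lambda r: r.resource["classification"] in ("confidential", "restricted")
           and not r.subject["device_managed"]),
    Policy("permit-same-department-with-sufficient-clearance", "permit",
           lambda r: r.subject["department"] == r.resource["owner_department"]
           and CLEARANCE[r.subject["clearance"]] >= CLEARANCE[r.resource["classification"]]),
]


def decide(request: Request, policies: List[Policy] = POLICIES) -> Tuple[str, str]:
    """Deny-overrides evaluation with a default of deny.

    A policy that cannot be evaluated (missing or malformed attribute) is
    treated as a deny for the whole request: the system fails closed.
    """
    permit_reason = None
    for policy in policies:
        try:
            matched = policy.condition(request)
        except (KeyError, TypeError):
            return ("deny", f"could not evaluate {policy.name}")
        if matched and policy.effect == "deny":
            return ("deny", policy.name)  # any deny wins immediately
        if matched and policy.effect == "permit":
            permit_reason = policy.name
    if permit_reason is None:
        return ("deny", "no permit policy matched")  # nothing applied: deny
    return ("permit", permit_reason)


def decide_fail_open(request: Request, policies: List[Policy] = POLICIES) -> Tuple[str, str]:
    """Anti-pattern for contrast: swallows evaluation errors and permits by default."""
    for policy in policies:
        try:
            if policy.effect == "deny" and policy.condition(request):
                return ("deny", policy.name)
        except (KeyError, TypeError):
            continue  # the deny rule that errored never gets a chance to fire
    return ("permit", "no deny policy matched")


def sample_request(device_managed=True, omit_device_attribute=False) -> Request:
    """Constructed request: finance analyst reading a finance-owned confidential record."""
    subject = {"department": "finance", "clearance": "confidential"}
    if not omit_device_attribute:
        subject["device_managed"] = device_managed
    return Request(subject=subject,
                   resource={"classification": "confidential", "owner_department": "finance"},
                   environment={"hour": 10})


if __name__ == "__main__":
    print(decide(sample_request()))                            # permit
    print(decide(sample_request(device_managed=False)))        # deny, unmanaged device
    print(decide(sample_request(omit_device_attribute=True)))  # deny, attribute missing
    print(decide_fail_open(sample_request(omit_device_attribute=True)))  # permit (!)
```

The last two lines of the usage block are the point: the same request with a missing device attribute is denied by the fail-closed evaluator and silently permitted by the fail-open one, because the only rule that would have blocked it is the one that raised.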

15. B
In SDN architectures, the centralized controller manages the entire network, making it a critical single point of failure. Compromise of the controller could allow an attacker to reconfigure the entire network, making its security the primary architectural concern.

16. B
Separate databases per tenant with encryption provides the strongest isolation and security for multi-tenant SaaS applications. This approach prevents data leakage between tenants and provides clear security boundaries, though it requires more resources than shared database approaches.

17. B
Network Access Control (NAC) authenticates and authorizes devices before granting network access, ensuring that only compliant, authorized devices can connect to the network. This prevents unauthorized or non-compliant devices from accessing network resources.

18. B
Secure enclaves provide hardware-based protection for sensitive data, encryption protects data at rest and in transit, and certificate pinning prevents man-in-the-middle attacks. This comprehensive approach addresses multiple mobile security threats effectively.

19. B
Integration of threat intelligence feeds with SIEM enables the SOC to correlate internal events with external threat indicators, improving detection of sophisticated attacks. This combination provides context-aware threat detection that standalone tools cannot achieve.

20. B
Security by design means incorporating security considerations from the initial architecture and design phase, rather than adding security as an afterthought. This approach is more effective and cost-efficient than retrofitting security controls later.

21. D
While blockchain provides auditability, secure file transfer protocol with comprehensive logging provides better practical security for most inter-organizational data sharing scenarios. It offers encryption in transit, access controls, and detailed audit trails without the complexity of blockchain.

22. B
AI/ML systems face unique threats including adversarial attacks that manipulate model behavior, data poisoning that corrupts training data, and privacy concerns around sensitive training data. These risks require specific security controls beyond traditional application security.

23. B
Ensuring backup data is encrypted and stored securely off-site is critical for disaster recovery security. Backups often contain sensitive data and must be protected from unauthorized access, while off-site storage ensures availability during site-wide disasters.

24. B
Mutual TLS with service mesh provides strong service-to-service authentication and encryption in microservices architectures. It establishes trust between services, encrypts communication, and can be centrally managed through the service mesh control plane.

25. B
Session recording and just-in-time access provisioning are critical PAM capabilities that enable monitoring of privileged activities and minimize the window of exposure for elevated access. These controls help prevent and detect privileged account abuse.

26. C
IoT devices require network segmentation to limit attack surface, device identity management for authentication, and secure boot to ensure only trusted firmware runs. This comprehensive approach addresses the unique security challenges of IoT at scale.

27. B
Security zones group assets with similar security requirements, allowing appropriate controls to be applied consistently. This architectural pattern simplifies security management and ensures that controls are commensurate with asset sensitivity and risk.

28. B
Private or permissioned blockchains with encryption and access controls provide confidentiality while maintaining blockchain benefits. Public blockchains are transparent by design and inappropriate for confidential enterprise data without additional security layers.

29. B
A separate vendor network segment with strict access controls and monitoring implements least privilege and segregation principles while enabling necessary vendor access. This approach limits vendor access to only required systems and provides visibility into vendor activities.

30. B
Data classification identifies the sensitivity level of data so that appropriate security controls can be applied based on risk and regulatory requirements. This ensures that resources are focused on protecting the most sensitive data.

31. B
Pod security policies (or their successors) and runtime security monitoring are essential for container security, enforcing security standards and detecting anomalous behavior. Running containers as root or using untrusted images creates significant security risks.

32. B
Automated configuration management with version control ensures consistent, secure configurations across the enterprise while enabling rapid remediation of security issues. Security baselines define the required security settings that should be maintained.