WGU D488 SECURITY ARCHITECTURE EXAM – QUESTIONS AND ANSWERS | VERIFIED AND WELL DETAILED ANSWERS | PLUS RATIONALES | GUARANTEED PASS | LATEST EXAM UPDATE
Uploaded on
12-06-2026
Written in
2025/2026
*Core Domains:*
*• Enterprise Security Architecture Frameworks*
*• Trust Models and Cryptographic Systems*
*• Identity and Access Management (IAM) Architecture*
*• Network and Infrastructure Security Design*
*• Cloud and Hybrid Security Architecture*
*• Securing Emerging Technologies and IoT*
*• Governance, Risk Management, and Compliance (GRC)*
*• Security Assessment and Architecture Operations*

*Introduction*
*The purpose of this assessment is to evaluate advanced proficiency in designing, implementing, and managin
 
Section One: Questions 1–100
Question 1
An enterprise architect is designing an authentication system for a global financial firm with strict regulatory
requirements. The design requires that an identity provider (IdP) securely assert user identities to multiple
independent service providers (SPs) without sharing the users' actual credentials. Which of the following
protocols should the architect select as the primary framework for this architecture?
A. OpenID Connect (OIDC)
B. Security Assertion Markup Language (SAML) 2.0
C. WS-Trust
D. Kerberos v5
🟢 B. Security Assertion Markup Language (SAML) 2.0
🔴 Explanation: SAML 2.0 is an XML-based open standard specifically designed for exchanging
authentication and authorization data between an identity provider and a service provider, making it ideal for
cross-domain single sign-on (SSO). While OIDC is also a federated identity protocol built on OAuth 2.0,
enterprise financial environments traditionally rely on SAML 2.0 for its robust assertion-signing capabilities and
deep integration with legacy enterprise systems. WS-Trust is an extension of WS-Security and is less common
for modern web-based service provider federation, and Kerberos is suited for internal domain authentication
rather than cross-domain, independent service provider federation.
Question 2
A security engineer must protect sensitive data stored in an infrastructure-as-a-service (IaaS) database
environment. The organization requires that data be unreadable on the physical storage media, even if an
attacker detaches the storage volume and attaches it to a malicious instance. Which cryptographic
architecture pattern best meets this requirement?
A. Application-layer encryption
B. Transport Layer Security (TLS)
C. Transparent Data Encryption (TDE)
D. Homomorphic encryption
🟢 C. Transparent Data Encryption (TDE)
🔴 Explanation: Transparent Data Encryption (TDE) operates at the database or storage level to encrypt data-
at-rest automatically, protecting the underlying physical media and database files from offline access or
volume detachment attacks. Application-layer encryption secures data before it reaches the database, which
is highly secure but requires significant code modification. TLS protects data-in-transit, not data-at-rest on the
storage media. Homomorphic encryption allows computation on encrypted data without decrypting it first,
which is computationally expensive and unnecessary for basic at-rest volume protection.
Question 3
During a code review of a web application architecture, a reviewer notes that session identifiers are generated
using a standard linear congruential generator (LCG). Why does this pattern represent a severe architectural
vulnerability?
A. LCG algorithms are susceptible to collision attacks due to a short bit length.
B. Linear congruential generators are pseudo-random but predictable if sufficient outputs are observed.
C. LCG requires an external cryptographic hardware security module (HSM) to validate tokens.
D. The algorithm introduces excessive latency that causes denial-of-service vulnerabilities.
🟢 B. Linear congruential generators are pseudo-random but predictable if sufficient outputs are observed.
🔴 Explanation: Linear congruential generators (LCGs) are non-cryptographic pseudo-random number
generators (PRNGs). Because they rely on a linear relationship, an attacker who intercepts a sequence of
session IDs can mathematically deduce the internal state of the generator and predict past or future session
tokens, leading to session hijacking. Cryptographically secure PRNGs (CSPRNGs) must be used instead.
LCGs do not inherently suffer from high latency, nor do they require an HSM; their vulnerability is structural
predictability.
Question 4
A healthcare company is migrating its patient portal to a public cloud environment. To comply with HIPAA and
internal data governance policies, the security architecture must ensure that the cloud service provider (CSP)
has no visibility into the cryptographic keys used to encrypt the patient records. Which key management
model must be implemented?
A. Bring Your Own Key (BYOK) with CSP-managed storage
B. Hold Your Own Key (HYOK) utilizing an on-premises HSM
C. Cloud-native Key Management Service (KMS) default keys
D. Symmetric key distribution via Diffie-Hellman
🟢 B. Hold Your Own Key (HYOK) utilizing an on-premises HSM
🔴 Explanation: Hold Your Own Key (HYOK) keeps the cryptographic keys strictly within the organization's
physical control (such as an on-premises Hardware Security Module), ensuring the cloud provider never has
access to the raw key material or the ability to decrypt data independently. Bring Your Own Key (BYOK) allows
the organization to generate the keys, but imports them into the cloud provider's infrastructure, meaning the
CSP still manages and could theoretically access the keys during cryptographic operations. Cloud-native
default keys give full management to the CSP, and Diffie-Hellman is a key agreement protocol for securing
communications channels rather than an at-rest key management model.
Question 5
An organization is deploying a zero-trust network architecture (ZTNA). When designing the policy enforcement
point (PEP) and policy decision point (PDP), where should the PEP be architecturally located to maximize
defensive posture?
A. Centrally within the corporate data center alongside the PDP
B. On the data plane directly in the path between the subject and the resource
C. Exclusively within the control plane to manage API routing
D. At the external internet gateway perimeter only
🟢 B. On the data plane directly in the path between the subject and the resource
🔴 Explanation: According to zero-trust architecture principles (such as NIST SP 800-207), the Policy
Enforcement Point (PEP) operates on the data plane to intercept, inspect, and handle traffic directly between
a subject and an enterprise resource based on commands from the Policy Decision Point (PDP). The PDP
makes the decision on the control plane, while the PEP enforces it on the data plane. Placing the PEP only at
a central data center or external gateway breaks the zero-trust principle of granular micro-segmentation
across all resources.
Question 6
An enterprise architect is evaluating security frameworks to align IT security strategy with business objectives
while maintaining detailed technical checklists. The architect decides to use a top-down framework focused on
governance and business alignment alongside a technical security controls framework. Which combination
best fulfills this strategy?
A. COBIT and Center for Internet Security (CIS) Controls
B. SABSA and Zachman Framework
C. ISO/IEC 27001 and TOGAF
D. NIST SP 800-53 and Bell-LaPadula
🟢 A. COBIT and Center for Internet Security (CIS) Controls
