Escrito por estudiantes que aprobaron Inmediatamente disponible después del pago Leer en línea o como PDF ¿Documento equivocado? Cámbialo gratis 4,6 TrustPilot
logo-home
Examen

WGU D488 SECURITY ARCHITECTURE EXAM – QUESTIONS AND ANSWERS | VERIFIED AND WELL DETAILED ANSWERS | PLUS RATIONALES | GUARANTEED PASS | LATEST EXAM UPDATE

Puntuación
-
Vendido
-
Páginas
56
Grado
A+
Subido en
12-06-2026
Escrito en
2025/2026

WGU D488 SECURITY ARCHITECTURE EXAM – QUESTIONS AND ANSWERS | VERIFIED AND WELL DETAILED ANSWERS | PLUS RATIONALES | GUARANTEED PASS | LATEST EXAM UPDATE

Institución
WGU D488
Grado
WGU D488

Vista previa del contenido

WGU D488 SECURITY ARCHITECTURE EXAM – QUESTIONS AND ANSWERS | VERIFIED AND WELL
DETAILED ANSWERS | PLUS RATIONALES | GUARANTEED PASS | LATEST EXAM UPDATE



*Core Domains:*
*• Enterprise Security Architecture Frameworks*
*• Trust Models and Cryptographic Systems*
*• Identity and Access Management (IAM) Architecture*
*• Network and Infrastructure Security Design*
*• Cloud and Hybrid Security Architecture*
*• Securing Emerging Technologies and IoT*
*• Governance, Risk Management, and Compliance (GRC)*
*• Security Assessment and Architecture Operations*

*Introduction*
*The purpose of this assessment is to evaluate advanced proficiency in designing, implementing, and managin
 




Section One: Questions 1–100
Question 1
An enterprise architect is designing an authentication system for a global financial firm with strict regulatory
requirements. The design requires that an identity provider (IdP) securely assert user identities to multiple
independent service providers (SPs) without sharing the users' actual credentials. Which of the following
protocols should the architect select as the primary framework for this architecture?
A. OpenID Connect (OIDC)
B. Security Assertion Markup Language (SAML) 2.0

,C. WS-Trust
D. Kerberos v5
🟢 B. Security Assertion Markup Language (SAML) 2.0
🔴 Explanation: SAML 2.0 is an XML-based open standard specifically designed for exchanging
authentication and authorization data between an identity provider and a service provider, making it ideal for
cross-domain single sign-on (SSO). While OIDC is also a federated identity protocol built on OAuth 2.0,
enterprise financial environments traditionally rely on SAML 2.0 for its robust assertion-signing capabilities and
deep integration with legacy enterprise systems. WS-Trust is an extension of WS-Security and is less common
for modern web-based service provider federation, and Kerberos is suited for internal domain authentication
rather than cross-domain, independent service provider federation.
Question 2
A security engineer must protect sensitive data stored in an infrastructure-as-a-service (IaaS) database
environment. The organization requires that data be unreadable on the physical storage media, even if an
attacker detaches the storage volume and attaches it to a malicious instance. Which cryptographic
architecture pattern best meets this requirement?
A. Application-layer encryption
B. Transport Layer Security (TLS)
C. Transparent Data Encryption (TDE)
D. Homomorphic encryption
🟢 C. Transparent Data Encryption (TDE)
🔴 Explanation: Transparent Data Encryption (TDE) operates at the database or storage level to encrypt data-
at-rest automatically, protecting the underlying physical media and database files from offline access or
volume detachment attacks. Application-layer encryption secures data before it reaches the database, which
is highly secure but requires significant code modification. TLS protects data-in-transit, not data-at-rest on the
storage media. Homomorphic encryption allows computation on encrypted data without decrypting it first,
which is computationally expensive and unnecessary for basic at-rest volume protection.
Question 3

,During a code review of a web application architecture, a reviewer notes that session identifiers are generated
using a standard linear congruential generator (LCG). Why does this pattern represent a severe architectural
vulnerability?
A. LCG algorithms are susceptible to collision attacks due to a short bit length.
B. Linear congruential generators are pseudo-random but predictable if sufficient outputs are observed.
C. LCG requires an external cryptographic hardware security module (HSM) to validate tokens.
D. The algorithm introduces excessive latency that causes denial-of-service vulnerabilities.
🟢 B. Linear congruential generators are pseudo-random but predictable if sufficient outputs are observed.
🔴 Explanation: Linear congruential generators (LCGs) are non-cryptographic pseudo-random number
generators (PRNGs). Because they rely on a linear relationship, an attacker who intercepts a sequence of
session IDs can mathematically deduce the internal state of the generator and predict past or future session
tokens, leading to session hijacking. Cryptographically secure PRNGs (CSPRNGs) must be used instead.
LCGs do not inherently suffer from high latency, nor do they require an HSM; their vulnerability is structural
predictability.
Question 4
A healthcare company is migrating its patient portal to a public cloud environment. To comply with HIPAA and
internal data governance policies, the security architecture must ensure that the cloud service provider (CSP)
has no visibility into the cryptographic keys used to encrypt the patient records. Which key management
model must be implemented?
A. Bring Your Own Key (BYOK) with CSP-managed storage
B. Hold Your Own Key (HYOK) utilizing an on-premises HSM
C. Cloud-native Key Management Service (KMS) default keys
D. Symmetric key distribution via Diffie-Hellman
🟢 B. Hold Your Own Key (HYOK) utilizing an on-premises HSM
🔴 Explanation: Hold Your Own Key (HYOK) keeps the cryptographic keys strictly within the organization's
physical control (such as an on-premises Hardware Security Module), ensuring the cloud provider never has
access to the raw key material or the ability to decrypt data independently. Bring Your Own Key (BYOK) allows
the organization to generate the keys, but imports them into the cloud provider's infrastructure, meaning the

, CSP still manages and could theoretically access the keys during cryptographic operations. Cloud-native
default keys give full management to the CSP, and Diffie-Hellman is a key agreement protocol for securing
communications channels rather than an at-rest key management model.
Question 5
An organization is deploying a zero-trust network architecture (ZTNA). When designing the policy enforcement
point (PEP) and policy decision point (PDP), where should the PEP be architecturally located to maximize
defensive posture?
A. Centrally within the corporate data center alongside the PDP
B. On the data plane directly in the path between the subject and the resource
C. Exclusively within the control plane to manage API routing
D. At the external internet gateway perimeter only
🟢 B. On the data plane directly in the path between the subject and the resource
🔴 Explanation: According to zero-trust architecture principles (such as NIST SP 800-207), the Policy
Enforcement Point (PEP) operates on the data plane to intercept, inspect, and handle traffic directly between
a subject and an enterprise resource based on commands from the Policy Decision Point (PDP). The PDP
makes the decision on the control plane, while the PEP enforces it on the data plane. Placing the PEP only at
a central data center or external gateway breaks the zero-trust principle of granular micro-segmentation
across all resources.
Question 6
An enterprise architect is evaluating security frameworks to align IT security strategy with business objectives
while maintaining detailed technical checklists. The architect decides to use a top-down framework focused on
governance and business alignment alongside a technical security controls framework. Which combination
best fulfills this strategy?
A. COBIT and Center for Internet Security (CIS) Controls
B. SABSA and Zachman Framework
C. ISO/IEC 27001 and TOGAF
D. NIST SP 800-53 and Bell-LaPadula
🟢 A. COBIT and Center for Internet Security (CIS) Controls

Escuela, estudio y materia

Institución
WGU D488
Grado
WGU D488

Información del documento

Subido en
12 de junio de 2026
Número de páginas
56
Escrito en
2025/2026
Tipo
Examen
Contiene
Preguntas y respuestas

Temas

$23.49
Accede al documento completo:

¿Documento equivocado? Cámbialo gratis Dentro de los 14 días posteriores a la compra y antes de descargarlo, puedes elegir otro documento. Puedes gastar el importe de nuevo.
Escrito por estudiantes que aprobaron
Inmediatamente disponible después del pago
Leer en línea o como PDF

Conoce al vendedor

Seller avatar
Los indicadores de reputación están sujetos a la cantidad de artículos vendidos por una tarifa y las reseñas que ha recibido por esos documentos. Hay tres niveles: Bronce, Plata y Oro. Cuanto mayor reputación, más podrás confiar en la calidad del trabajo del vendedor.
tutorlorghon University Of Massachusetts
Seguir Necesitas iniciar sesión para seguir a otros usuarios o asignaturas
Vendido
749
Miembro desde
2 año
Número de seguidores
18
Documentos
5788
Última venta
3 días hace
TutorLORGHON

On this page you will find Nursing exams , testbank exams and case study among other many exams. We sell the best exams. Buy and have no regrets.

4.7

251 reseñas

5
208
4
25
3
8
2
4
1
6

Por qué los estudiantes eligen Stuvia

Creado por compañeros estudiantes, verificado por reseñas

Calidad en la que puedes confiar: escrito por estudiantes que aprobaron y evaluado por otros que han usado estos resúmenes.

¿No estás satisfecho? Elige otro documento

¡No te preocupes! Puedes elegir directamente otro documento que se ajuste mejor a lo que buscas.

Paga como quieras, empieza a estudiar al instante

Sin suscripción, sin compromisos. Paga como estés acostumbrado con tarjeta de crédito y descarga tu documento PDF inmediatamente.

Student with book image

“Comprado, descargado y aprobado. Así de fácil puede ser.”

Alisha Student

Preguntas frecuentes