SY0-501 · Question #70
SY0-501 Question #70: Real Exam Question with Answer & Explanation
The correct answer is B: Recommend classifying each application into like security groups and segmenting the groups.
Question
A security engineer is faced with competing requirements from the networking group and database administrators. The database administrators would like ten application servers on the same subnet for ease of administration, whereas the networking group would like to segment all applications from one another. Which of the following should the security administrator do to rectify this issue?
Options
- A. Recommend performing a security assessment on each application, and only segment the
- B. Recommend classifying each application into like security groups and segmenting the groups
- C. Recommend segmenting each application, as it is the most secure approach
- D. Recommend that only applications with minimal security features should be segmented to
Explanation
When competing requirements exist between network segmentation and administrative convenience, security administrators should classify applications by security group and segment accordingly, balancing both security and operational needs.
Common mistakes.
- A. Segmenting only applications that fail a security assessment is reactive rather than proactive and ignores the principle that all applications should be evaluated for placement within a security architecture regardless of individual vulnerabilities.
- C. While segmenting every application individually is the most secure theoretical approach, it completely disregards the database administrators' legitimate operational requirements and fails to balance competing business needs, which is a core responsibility of a security administrator.
- D. Segmenting only applications with minimal security features inverts sound security logic: applications with fewer built-in security controls are higher risk and may warrant segmentation, but this criterion alone is insufficient and inconsistent as a segmentation policy.
Concept tested. Network segmentation using security group classification
Reference. https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices