
Chapter 4 of 25

Change Management and Cryptographic Building Blocks

See how disciplined change management and core cryptographic tools like encryption and PKI work together to keep evolving systems secure without breaking availability.


Big Picture: Change Management + Crypto in SY0-701

Why This Module Matters

Systems change constantly: patches, new features, cloud moves. Every change can impact confidentiality, integrity, and availability. Change management and cryptography help keep evolving systems secure.

Two Big Themes

We connect two Security+ pillars: 1) change management, the disciplined process for planning and controlling changes, and 2) core cryptographic tools like encryption and PKI.

SY0-701 Context

These topics appear mainly in General Security Concepts, Security Architecture, and Security Operations. Many questions mix change decisions with cryptographic choices.

Your Targets

You will outline change management steps, distinguish symmetric vs asymmetric encryption, explain data at rest vs in transit protection, describe PKI, and map crypto to VPN, TLS, and email scenarios.

Structured Change Management: Steps and Security Impact

What Is Change Management?

Change management is a formal process for modifying production systems in a controlled, traceable way. It supports governance, risk, and compliance and reduces misconfigurations.

Core Lifecycle (1–3)

1) Request/initiation: submit a change ticket with justification. 2) Impact and risk assessment: analyze CIA, dependencies, rollback. 3) Approval: CAB or approvers accept, reject, or ask for more info.

Core Lifecycle (4–5)

4) Planning and scheduling: define steps, roles, maintenance window, rollback plan. 5) Testing: apply the change in a test environment and validate function and security.

Core Lifecycle (6–7)

6) Implementation: execute during the window, monitor closely. 7) Validation and review: confirm success, update docs, record lessons learned, and close the ticket.

Security Benefits

In SY0-701 terms, change management is a managerial control (its policies and approval gates are also directive). It creates an audit trail of who changed what, when, and why, which supports forensics and incident investigation, and it stops production from drifting through untracked changes, the kind of implicit trust that zero trust is meant to remove.

Example: Rolling Out Stronger TLS Without Breaking Availability

Scenario Setup

Your company wants to disable old TLS and weak ciphers on its public website. Goal: better confidentiality and integrity for data in transit, without breaking customer access.

Request and Assessment

A change ticket proposes enforcing TLS 1.2+. Assessment weighs benefits vs risks: stronger crypto vs potential breakage for legacy clients and dependencies like load balancers.

Approval and Testing

The CAB approves but demands testing and rollback. In staging, admins disable old TLS, test clients, and run TLS scanners, documenting how to revert if errors spike.

Implementation and Validation

During a maintenance window, they apply the config, monitor errors, then verify that only TLS 1.2+ works. Logs and tickets are reviewed and documentation updated.
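The validation step above, as an added example in Go (not code from the original chapter): it pins a client to one protocol version at a time, records which versions the server still negotiates, and turns that into the ticket's pass, fail or rollback verdict. The host, port and server name are command-line arguments, and the acceptance criteria (refuse TLS 1.0/1.1, serve at least one of TLS 1.2/1.3) are my reading of the change request. `InsecureSkipVerify` is set only because this probe tests negotiation, not trust.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"sort"
)

// Every version we probe, by name. Go 1.22+ clients refuse TLS 1.0/1.1 unless
// MinVersion is set explicitly, which the probe does for the test only.
var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLSv1.0",
	tls.VersionTLS11: "TLSv1.1",
	tls.VersionTLS12: "TLSv1.2",
	tls.VersionTLS13: "TLSv1.3",
}

// Acceptance criteria from the change ticket: legacy versions must be refused,
// at least one required version must still be served.
var (
	legacyVersions   = []string{"TLSv1.0", "TLSv1.1"}
	requiredVersions = []string{"TLSv1.2", "TLSv1.3"}
)

// ProbeVersion attempts one handshake pinned to exactly one protocol version and
// reports whether the server completed it at that version.
func ProbeVersion(addr, serverName string, version uint16) bool {
	cfg := &tls.Config{
		ServerName:         serverName,
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true, // negotiation test only; never reuse this config for real traffic
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	defer conn.Close()
	return conn.ConnectionState().Version == version
}

// ProbeAll returns version name -> accepted for every version in versionNames.
func ProbeAll(addr, serverName string) map[string]bool {
	results := make(map[string]bool, len(versionNames))
	for v, name := range versionNames {
		results[name] = ProbeVersion(addr, serverName, v)
	}
	return results
}

// Verdict is the outcome recorded on the change ticket.
type Verdict struct {
	Pass     bool
	Rollback bool     // availability is broken: no required version negotiates
	Findings []string // sorted, human-readable reasons
}

// EvaluateRollout applies the acceptance criteria. A server that refuses every
// version is an availability incident and triggers the documented rollback.
func EvaluateRollout(results map[string]bool) Verdict {
	var v Verdict
	for _, name := range legacyVersions {
		if results[name] {
			v.Findings = append(v.Findings, "still accepts "+name)
		}
	}
	served := 0
	for _, name := range requiredVersions {
		if results[name] {
			served++
		}
	}
	if served == 0 {
		v.Rollback = true
		v.Findings = append(v.Findings, "no required version negotiated; site is unreachable over TLS")
	}
	sort.Strings(v.Findings)
	v.Pass = len(v.Findings) == 0
	return v
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: tlsgate host:port server-name")
		os.Exit(2)
	}
	results := ProbeAll(os.Args[1], os.Args[2])
	for _, name := range []string{"TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"} {
		fmt.Printf("%-8s accepted=%v\n", name, results[name])
	}
	v := EvaluateRollout(results)
	for _, f := range v.Findings {
		fmt.Println("finding:", f)
	}
	switch {
	case v.Rollback:
		fmt.Println("VERDICT: ROLLBACK")
		os.Exit(1)
	case !v.Pass:
		fmt.Println("VERDICT: FAIL, legacy protocol still enabled")
		os.Exit(1)
	}
	fmt.Println("VERDICT: PASS, close the ticket")
}
```

Run it against the production endpoint at the end of the maintenance window, for example `go run tlsgate.go www.example.com:443 www.example.com`. The non-zero exit code on FAIL or ROLLBACK is deliberate: wire it into the deployment job so the ticket cannot be closed on a red result, and run the same probe against staging before approval so the rollback procedure has been exercised at least once.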

Encryption Basics: Core Cryptographic Solution

What Is Encryption?

Encryption transforms readable plaintext into unreadable ciphertext using a mathematical algorithm and a key, so only parties with the correct key can recover the original data.

Algorithms and Keys

Algorithms (ciphers) like AES or RSA define the math and are public; the security rests on the key. A key is the value that controls encryption and decryption, so symmetric keys and private keys must come from a strong random source and stay secret.

Security Properties

Encryption mainly protects confidentiality. Other cryptographic tools like hashes, MACs, and digital signatures provide integrity and authenticity.

Where It Applies

We encrypt data at rest (disks, databases, backups) and data in transit (TLS, VPNs, wireless). Beware the exam trap: encoding is not encryption because it uses no secret key.

Symmetric vs Asymmetric Encryption: High-Level Comparison

Symmetric Encryption

Symmetric encryption uses the same key to encrypt and decrypt. It is fast and ideal for bulk data (for example, AES for VPN tunnels or disk encryption), but key distribution is challenging.

Asymmetric Encryption

Asymmetric encryption uses a public/private key pair. It is slower but supports key exchange, digital signatures, and certificate-based authentication. Think RSA and ECC.

Hybrid Approach

Most real systems use hybrid encryption: asymmetric methods exchange a symmetric session key, then symmetric ciphers encrypt the bulk data efficiently.

Exam Clues

Large data and speed needs point to symmetric. Mentions of public keys, certificates, or signatures point to asymmetric. Recognizing this pattern is frequently tested.

Data at Rest vs Data in Transit: How Encryption Protects CIA

Data at Rest

Data at rest is stored on disks, databases, and backups. Encryption here (for example, full-disk AES) mainly protects confidentiality if devices or storage are stolen or misused.

Data in Transit

Data in transit moves across networks: web, email, VPN, Wi-Fi. TLS and VPN protocols such as IPsec encrypt it to prevent eavesdropping and on-path (man-in-the-middle) attacks, providing confidentiality and integrity and, through certificates, authentication of the endpoint.

Matching Solutions

Use disk or database encryption for at rest, and TLS or VPNs for in transit. Many secure architectures require both protections at the same time.

Exam Pitfalls

Do not assume encrypting storage automatically protects network traffic, or vice versa. Also remember that modern "SSL" references usually mean TLS in practice.

Public Key Infrastructure (PKI) and Certificates

What Is PKI?

PKI is the system of roles, policies, and technologies used to create, manage, distribute, use, store, and revoke digital certificates and public keys.

Core Components

Key parts include Certificate Authorities (CAs), optional Registration Authorities (RAs), certificates (often X.509), and repositories that publish certificates and revocation data.

Certificate Lifecycle

Lifecycle steps: 1) enrollment/CSR, 2) identity verification, 3) issuance, 4) distribution and use, 5) renewal, 6) revocation via CRLs or OCSP.

Why PKI Matters

PKI underpins TLS, VPNs, code signing, and email security by binding public keys to identities and enabling clients to trust servers, users, and code.

Thought Exercise: Planning a Certificate Renewal Change

You are the security analyst for an organization whose main customer portal uses HTTPS with a certificate that expires in 10 days. The portal is mission-critical.

Use this exercise to connect PKI with change management.

Mentally walk through these prompts (you can jot down bullet points):

  1. Identify the risk
  • What happens if the certificate expires? How does that affect confidentiality, integrity, and availability?
  • Which Security+ domains are touched (hint: Security Architecture and Security Operations)?
  2. Plan the change
  • What steps do you include in the change request (CR) to renew the certificate?
  • Who needs to approve it (operations, security, application owners)?
  3. Technical actions
  • List the technical steps: generating a CSR, submitting to the CA, installing the new certificate, updating any intermediate certificates, and verifying the chain.
  • How will you test the new certificate before fully going live?
  4. Timing and rollback
  • When do you schedule the change to minimize impact?
  • What is your rollback plan if clients start showing errors after installation?
  5. Monitoring and documentation
  • What logs and metrics will you watch right after the change?
  • How will you update inventory and documentation so the next renewal is not a last-minute emergency?

After thinking it through, compare your outline to the standard change lifecycle: request, risk assessment, approval, planning, testing, implementation, validation, and review. Notice how certificate lifecycle events naturally become change management events.
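One way to make the PKI section and the renewal exercise concrete, as an added Go example that is not part of the chapter: it issues a root CA, an issuing (intermediate) CA and a leaf certificate for portal.example.com (all names constructed), computes the days-to-expiry figure that should open the renewal change request, and verifies the chain the way a browser does. It exercises the failure modes a renewal change most often hits: the intermediate not installed alongside the new certificate, the wrong hostname, the old certificate left in place past its expiry, and a certificate from a root the client does not trust. The key usage choices and the one-hour backdated NotBefore are my assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is the hierarchy a public CA typically issues: root, issuing CA, server leaf.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue creates a certificate for cn with a fresh P-256 key, valid from notBefore
// to notAfter, signed by parentKey. A nil parent means self-signed (a root CA).
func issue(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, dns ...string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random serial, as a CA assigns
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: dns,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA { // a CA signs certificates and CRLs; it is not a server identity
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues root -> intermediate -> leaf; the leaf for dnsName expires leafDays after now.
func BuildChain(dnsName string, now time.Time, leafDays int) (*Chain, error) {
	start := now.Add(-time.Hour) // backdated to absorb clock skew between issuer and clients
	root, rootKey, err := issue("Example Root CA", true, start, now.AddDate(10, 0, 0), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Example Issuing CA", true, start, now.AddDate(5, 0, 0), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(dnsName, false, start, now.AddDate(0, 0, leafDays), inter, interKey, dnsName)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Verify does what a browser does with c.Leaf: build a path to trustedRoot, using
// c.Intermediate only when withIntermediate is true (a correctly configured server
// sends it), and check the DNS name, key usages and validity period at time at.
func (c *Chain) Verify(trustedRoot *x509.Certificate, dnsName string, at time.Time, withIntermediate bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if withIntermediate {
		inters.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName: dnsName, Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DaysUntilExpiry is the figure that should open a renewal CR before it falls under the lead time.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	now := time.Now().Truncate(time.Second) // certificate times carry whole seconds
	c, err := BuildChain("portal.example.com", now, 10) // constructed: the exercise's portal cert, 10 days left
	if err != nil {
		panic(err)
	}
	fmt.Println("days until expiry:   ", DaysUntilExpiry(c.Leaf, now))
	fmt.Println("full chain, today:   ", c.Verify(c.Root, "portal.example.com", now, true))
	fmt.Println("intermediate missing:", c.Verify(c.Root, "portal.example.com", now, false))
	fmt.Println("11 days from now:    ", c.Verify(c.Root, "portal.example.com", now.AddDate(0, 0, 11), true))
}
```

The "intermediate missing" case is the one to test in staging before the window: browsers that cached the old intermediate will still connect, so a renewal that forgot to install the new one can look fine on the admin's laptop and fail for fresh clients. The days-until-expiry check belongs in monitoring with a threshold longer than your change lead time, which is what turns certificate renewal from an emergency into a routine scheduled change.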

Quiz 1: Change Management and Encryption Fundamentals

Answer this question to check your understanding of change management and crypto basics.

An organization wants to migrate its internal web app from HTTP to HTTPS using TLS, but must avoid downtime. Which option BEST describes how this should be handled?

  A) Enable TLS directly on the production server during business hours and troubleshoot issues as they appear.
  B) Submit a change request, test TLS in a staging environment, schedule implementation in a maintenance window, and have a rollback plan.
  C) Install a self-signed certificate on the production server without notifying users, then later replace it with a CA-signed certificate.
  D) Only enable TLS on the load balancer without involving change management, because it is a security improvement.

Answer: B) Submit a change request, test TLS in a staging environment, schedule implementation in a maintenance window, and have a rollback plan.

Option B describes a formal change management process: submit a change request, test in staging, schedule a maintenance window, and define rollback. This balances improved security (TLS) with availability and auditability. A is risky and unplanned, C introduces trust issues and multiple untracked changes, and D bypasses change management even though it alters production behavior.

Quiz 2: Symmetric vs Asymmetric and Data States

Answer this question to reinforce your understanding of encryption types and data states.

A Security+ candidate is designing a solution to securely back up large database files to cloud storage and also protect web traffic to a public site. Which combination of technologies is MOST appropriate?

  A) Use RSA for encrypting database backups and AES for HTTPS web traffic.
  B) Use AES-based encryption for database backups and TLS (using a certificate from a trusted CA) for web traffic.
  C) Use hashing for database backups and ECC for web traffic.
  D) Use Base64 encoding for database backups and SSL 3.0 for web traffic.

Answer: B) Use AES-based encryption for database backups and TLS (using a certificate from a trusted CA) for web traffic.

Option B is correct: AES (symmetric) is efficient for large data at rest (backups), and TLS with a CA-signed certificate protects data in transit for web traffic. Option A reverses typical roles (RSA is inefficient for large files). C uses hashing, which does not provide confidentiality, and D uses encoding (no confidentiality) and an obsolete, insecure SSL version.

Key Term Flashcards: Change Management and Crypto

Flip through these cards (mentally or on paper) to reinforce essential terms before moving on.

Change management
A formal, documented process for proposing, assessing, approving, planning, testing, implementing, and reviewing modifications to systems and services in a controlled, auditable way.
Change Advisory Board (CAB)
A group of stakeholders (for example, security, operations, business owners) that reviews and approves or rejects proposed changes based on risk, impact, and business needs.
Encryption
The process of transforming readable plaintext into unreadable ciphertext using a mathematical algorithm and a key so that only authorized parties with the correct key can recover the original data.
Symmetric encryption
A type of encryption that uses the same key for both encryption and decryption, offering high performance and suitability for bulk data but requiring secure key distribution.
Asymmetric encryption
A type of encryption that uses a public/private key pair, enabling functions like key exchange, digital signatures, and certificate-based authentication but with higher computational cost.
Data at rest
Data stored on physical or virtual media such as disks, SSDs, databases, or backups, typically protected using disk, volume, or database encryption to maintain confidentiality.
Data in transit
Data moving across networks, such as web traffic, email, or VPN tunnels, typically protected using protocols like TLS or IPsec to maintain confidentiality and integrity.
Public Key Infrastructure (PKI)
The system of roles, policies, hardware, software, and procedures used to create, manage, distribute, use, store, and revoke digital certificates and public keys.
Certificate Authority (CA)
The trusted PKI component that issues and digitally signs certificates, binding public keys to identities such as domains, users, or devices.
Certificate Revocation List (CRL)
A list published by a CA that identifies certificates that have been revoked before their expiration date and should no longer be trusted.
Online Certificate Status Protocol (OCSP)
A protocol used by clients to query a responder in real time for the revocation status of a specific certificate, providing more timely status than periodic CRLs.

Mapping SY0-701 Scenarios: VPNs, TLS, and Email Security

VPN Crypto Mapping

VPNs protect data in transit. They use symmetric encryption (for example, AES) for bulk traffic, asymmetric methods for key exchange, and often certificates from PKI for authentication.

TLS for Web and APIs

With TLS, servers present CA-signed certificates. Asymmetric crypto authenticates the server and exchanges keys, then symmetric session keys encrypt the actual HTTP or API data.

Secure Email

Secure email uses digital signatures for integrity and authenticity, and encryption for confidentiality. A random symmetric key encrypts the message body and is itself encrypted to each recipient's public key; those public keys are trusted through PKI certificates (S/MIME) or a web of trust (PGP).

Exam Checklist

In questions, identify data at rest vs in transit, note symmetric vs asymmetric roles, and look for where PKI supplies identity and trust. This mapping often reveals the right option.

Key Terms

SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
integrity
The CIA triad property that ensures information is accurate, complete, and has not been altered in an unauthorized way.
accounting
An AAA function that tracks and records user or system activities for auditing and reporting.
encryption
The process of transforming readable plaintext into unreadable ciphertext using a mathematical algorithm and a key so that only authorized parties with the correct key can recover the original data.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
availability
The CIA triad property that ensures information and resources are accessible to authorized users when needed.
data at rest
Data stored on physical or virtual media such as disks, SSDs, databases, or backups, typically protected using disk, volume, or database encryption to maintain confidentiality.
authorization
An AAA function that determines what an authenticated user, device, or system is allowed to do.
authentication
An AAA function that verifies the identity of a user, device, or system.
confidentiality
The CIA triad property that ensures information is not disclosed to unauthorized individuals, entities, or processes.
data in transit
Data moving across networks, such as web traffic, email, or VPN tunnels, typically protected using protocols like TLS or IPsec to maintain confidentiality and integrity.
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
change management
A formal, documented process for proposing, assessing, approving, planning, testing, implementing, and reviewing modifications to systems and services in a controlled, auditable way.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
symmetric encryption
A type of encryption that uses the same key for both encryption and decryption, offering high performance and suitability for bulk data but requiring secure key distribution.
asymmetric encryption
A type of encryption that uses a public/private key pair, enabling functions like key exchange, digital signatures, and certificate-based authentication but with higher computational cost.
Certificate Authority (CA)
The trusted PKI component that issues and digitally signs certificates, binding public keys to identities such as domains, users, or devices.
Change Advisory Board (CAB)
A group of stakeholders that reviews and approves or rejects proposed changes based on risk, impact, and business needs.
Public Key Infrastructure (PKI)
The system of roles, policies, hardware, software, and procedures used to create, manage, distribute, use, store, and revoke digital certificates and public keys.
governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
Certificate Revocation List (CRL)
A list published by a CA that identifies certificates that have been revoked before their expiration date and should no longer be trusted.
Online Certificate Status Protocol (OCSP)
A protocol used by clients to query a responder in real time for the revocation status of a specific certificate, providing more timely status than periodic CRLs.
