Exercises: Zero Trust Architecture
These exercises move from the tenets to design judgment. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before you read one.
A recurring task type here is Find the implicit trust: given a design, locate where network location is silently being used as a proxy for trust. Train that reflex; it is the core diagnostic of this chapter.
Part A — Tenets and vocabulary ⭐
1.† List the seven tenets of zero trust from NIST SP 800-207 in your own words. For each, write one sentence naming the perimeter-model failure it addresses.
2. Define each term and state how it differs from the next: policy engine, policy administrator, policy enforcement point. Which two together form the policy decision point?
3. Distinguish zero trust (the principle) from zero trust architecture (ZTA). One was introduced in Chapter 3; this chapter owns the other. Give a one-sentence definition of each.
4.† Define implicit trust zone and give two real examples of one (one on-premises, one remote-access). Explain why each is the natural habitat of lateral movement.
5. In one sentence each, define device posture, context-aware access, and least-privilege session. Then state which of the three signals (identity / device / context) each most closely relates to.
6. What does continuous verification mean, and why is checking device posture only at login a violation of it? Reference the relevant tenet by number.
7. Define software-defined perimeter (SDP) and explain the "dark network" property: what can an unauthorized attacker not do that they could do against a VPN-exposed internal service?
Part B — Find the implicit trust ⭐⭐
8.† A company describes its remote access: "Employees connect to the corporate VPN with a username, password, and a push notification. Once connected, they can reach all internal applications." Identify the implicit trust zone, name the specific tenet(s) violated, and describe the blast radius of one phished credential.
9. An architecture diagram shows a "DMZ firewall" and an "internal firewall," with a note: "Servers inside the internal zone communicate freely with one another." Find the implicit trust. What single zero-trust control most directly removes it, and what would a compromise of one internal server reach before versus after that control?
10.† A SaaS-forward startup boasts it has "no internal network — everything is in the cloud, accessed over the internet with SSO." A new engineer argues this means they are "already zero trust." Find the hidden assumptions: name two ways this setup could still rely on implicit trust despite having no on-prem LAN.
11. A team adds MFA to its VPN and announces "we've gone zero trust." Explain precisely what they have and have not improved, in terms of the three signals and lateral movement. Is the claim justified?
Part C — Evaluate an access request ⭐⭐
12.† Meridian's policy for the core-banking admin console requires: identity in core-admins, a managed device passing posture, in-country location, business hours, and risk score below 50. For each request below, give the verdict (GRANT / STEP-UP / DENY) and the deciding signal:
- (a) user in core-admins, managed healthy device, in-country, 14:00, risk 12
- (b) user in core-admins, personal unmanaged device, in-country, 14:00, risk 12
- (c) user in core-admins, managed healthy device, in-country, 02:30, risk 12
- (d) user not in core-admins, managed healthy device, in-country, 14:00, risk 12
- (e) user in core-admins, managed healthy device, in-country, 14:00, risk 80
13. Trace the policy_decision(subject, resource, context) function from the Project Checkpoint by hand for a request where the subject is in the required group, the device is managed and healthy, the location is not in the allowed list, and the risk score is below threshold. State the exact returned tuple and explain why STEP-UP rather than DENY.
14.† A request arrives with valid, phishing-resistant credentials and is denied. Write three distinct, plausible zero-trust reasons for the denial, one per signal where possible, and explain why "the credentials were valid" does not entitle the request to access.
15. Design a context-aware policy (in words or pseudocode) for a read-only reporting dashboard (low sensitivity) versus a wire-approval app (crown jewel). Show how the two policies should differ across device requirements, allowed locations/hours, and step-up thresholds, and justify why the scrutiny scales with resource value.
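A harness for working Part C, added here as an example; it is not the Project Checkpoint's own policy_decision and the appendix answers remain authoritative. It evaluates the identity, device, and context signals against the Exercise 12 policy and returns a (verdict, deciding_signal, reason) tuple. Which failed signals STEP-UP and which DENY, the business-hours window, and the placeholder country code "home" are assumptions of this harness and are marked as such in the code; change them to match your own reading of the policy before using it to check your answers.

```python
"""Added example, not the chapter's Project Checkpoint code: a minimal policy
engine in the shape of policy_decision(subject, resource, context) that
evaluates the identity / device / context signals from Part C and returns
(verdict, deciding_signal, reason). Which failures DENY and which STEP-UP
is an assumption of this harness, configurable per resource."""
from dataclasses import dataclass
from datetime import time

GRANT, STEP_UP, DENY = "GRANT", "STEP-UP", "DENY"


@dataclass(frozen=True)
class Policy:
    required_group: str
    require_managed_healthy: bool
    allowed_countries: frozenset   # placeholder codes, e.g. {"home"}
    business_hours: tuple          # (start, end) as datetime.time, end exclusive
    max_risk: int                  # risk score must be strictly below this
    step_up_signals: frozenset     # assumption: these failures STEP-UP, all others DENY


# Meridian core-banking admin console policy as stated in Exercise 12.
# The 09:00-17:00 window and the "home" country code are constructed placeholders.
POLICIES = {
    "core-admin": Policy(
        required_group="core-admins",
        require_managed_healthy=True,
        allowed_countries=frozenset({"home"}),
        business_hours=(time(9, 0), time(17, 0)),
        max_risk=50,
        step_up_signals=frozenset({"location", "hours"}),
    ),
}


def policy_decision(subject, resource, context, policies=POLICIES):
    """Evaluate every signal; return (verdict, deciding_signal, reason).

    Ordering rule (assumption): any hard failure wins and yields DENY; if only
    step-up-eligible signals failed, the first of them decides STEP-UP.
    An unknown resource is default-deny.
    """
    policy = policies.get(resource)
    if policy is None:
        return (DENY, "resource", f"no policy for {resource}: default-deny")

    device = context.get("device", {})
    now = context["time"]
    start, end = policy.business_hours
    checks = [  # (signal, passed, reason-if-failed)
        ("identity", policy.required_group in subject.get("groups", ()),
         f"not in {policy.required_group}"),
        ("device", not policy.require_managed_healthy
         or bool(device.get("managed") and device.get("healthy")),
         "device not managed and healthy"),
        ("location", context.get("country") in policy.allowed_countries,
         f"country {context.get('country')!r} not allowed"),
        ("hours", start <= now < end, f"{now:%H:%M} outside business hours"),
        ("risk", context.get("risk", 100) < policy.max_risk,
         f"risk {context.get('risk')} >= {policy.max_risk}"),
    ]
    step_up = None
    for signal, passed, reason in checks:
        if passed:
            continue
        if signal in policy.step_up_signals:
            step_up = step_up or (STEP_UP, signal, reason)
        else:
            return (DENY, signal, reason)
    return step_up or (GRANT, None, "all signals satisfied")


def reevaluate_session(subject, resource, context, policies=POLICIES):
    """Continuous verification (Exercises 27 and 30): re-run the decision on a
    timer or on a posture/risk event; anything but GRANT tears the session down."""
    verdict, signal, reason = policy_decision(subject, resource, context, policies)
    return ("CONTINUE" if verdict == GRANT else "TEAR_DOWN", signal, reason)


def build_context(managed, healthy, country, hh, mm, risk):
    """Convenience constructor for the context dict used above."""
    return {"device": {"managed": managed, "healthy": healthy},
            "country": country, "time": time(hh, mm), "risk": risk}


def evaluate_request(user, groups, managed, healthy, country, hh, mm, risk,
                     resource="core-admin"):
    """One row of Exercise 12 in, (verdict, signal, reason) out."""
    subject = {"user": user, "groups": set(groups)}
    return policy_decision(subject, resource,
                           build_context(managed, healthy, country, hh, mm, risk))


if __name__ == "__main__":
    admin = {"user": "okafor", "groups": {"core-admins"}}   # constructed subject
    ctx = build_context(True, True, "home", 14, 0, 12)
    print(policy_decision(admin, "core-admin", ctx))
    # Mid-session EDR detection flips posture; the session is torn down.
    ctx_after = dict(ctx, device={"managed": True, "healthy": False})
    print(reevaluate_session(admin, "core-admin", ctx_after))
```

Run it, then change step_up_signals and re-run the five Exercise 12 rows: the point of the harness is to see that the GRANT/DENY/STEP-UP verdict is a policy choice per signal and per resource, not a property of the request.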
Part D — ZTNA, PDP/PEP, and microsegmentation ⭐⭐
16.† Draw (ASCII is fine) the ZTNA access flow for a user opening an internal app: number every step, and mark at which steps the identity, device, and context signals are evaluated and where the least-privilege session is established. Then mark which single step the legacy-VPN model omits entirely.
17. Build the ZTNA-versus-VPN comparison table for at least six dimensions (what you get on connection, trust model, lateral movement, resource visibility, device posture, blast radius of a stolen credential). For each row, state which is better for the defender and why.
18.† Three internal workloads — web1, app1, db1 — should communicate as: web1→app1 on 443, app1→db1 on 5432, and nothing else. Write the microsegmentation policy (allow rules, default-deny). Then state what a compromise of web1 can reach under your policy versus under a flat internal zone.
19. Explain why a denied east-west flow under microsegmentation is a high-value detection signal, whereas the same host-to-host traffic in a flat network produced no signal. Connect this to the SIEM and detection program you built in Part V (reference the relevant chapter numbers from the chapter text).
20. A cloud environment changes workload IP addresses constantly as instances scale up and down. Why is identity-based microsegmentation (policy written in terms of workload identity) more robust here than IP-based rules? What attack does identity-based policy resist that an IP allow-list does not?
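A toy microsegmentation evaluator for Exercises 18 to 20, added as an example and not taken from the chapter. Rules are written against workload identity rather than IP, everything not explicitly allowed is denied, and every denied east-west flow comes back as a detection event. The two extra workloads (hr-portal, backup), the IP addresses, and the flow sample are constructed for the demonstration.

```python
"""Added example, not from the chapter: an identity-based, default-deny
microsegmentation evaluator. Rules name workloads, never IPs; denied flows are
returned as hunt-worthy events; blast radius is computed flat vs. segmented."""
from collections import deque
from typing import NamedTuple


class Rule(NamedTuple):
    src: str   # workload identity (service account / label), never an IP
    dst: str
    port: int


# Exercise 18's intent: web1->app1:443, app1->db1:5432, nothing else.
RULES = frozenset({Rule("web1", "app1", 443), Rule("app1", "db1", 5432)})
# Two unrelated workloads sharing the (formerly flat) zone; constructed names.
WORKLOADS = frozenset({"web1", "app1", "db1", "hr-portal", "backup"})


def is_allowed(src, dst, port, rules=RULES):
    """Default-deny: a flow is permitted only if an explicit rule matches exactly."""
    return Rule(src, dst, port) in rules


def direct_targets(start, rules=RULES):
    """(dst, port) pairs a compromised `start` can connect to immediately."""
    return {(r.dst, r.port) for r in rules if r.src == start}


def reachable_under_policy(start, rules=RULES):
    """Workloads reachable transitively, if each intermediate hop is also compromised."""
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for r in rules:
            if r.src == cur and r.dst != start and r.dst not in seen:
                seen.add(r.dst)
                queue.append(r.dst)
    return seen


def reachable_flat(start, workloads=WORKLOADS):
    """Flat internal zone: every other workload, every port, no rule needed."""
    return set(workloads) - {start}


def evaluate_flows(flows, inventory, rules=RULES):
    """flows: (src_ip, dst_ip, port). inventory: current IP -> workload identity.

    Returns (allowed, denied). Each denied entry is a detection event; the same
    traffic in a flat network would have produced no signal at all. An IP that
    is not in the inventory resolves to "unknown" and therefore matches no rule."""
    allowed, denied = [], []
    for src_ip, dst_ip, port in flows:
        src = inventory.get(src_ip, "unknown")
        dst = inventory.get(dst_ip, "unknown")
        event = {"src": src, "dst": dst, "port": port, "src_ip": src_ip, "dst_ip": dst_ip}
        (allowed if is_allowed(src, dst, port, rules) else denied).append(event)
    return allowed, denied


if __name__ == "__main__":
    # Constructed inventory before autoscaling.
    inventory = {"10.0.1.5": "web1", "10.0.2.5": "app1", "10.0.3.5": "db1"}
    flows = [("10.0.1.5", "10.0.2.5", 443),    # legitimate
             ("10.0.1.5", "10.0.3.5", 5432),   # web1 reaching for the database
             ("10.0.2.5", "10.0.3.5", 5432)]   # legitimate
    ok, bad = evaluate_flows(flows, inventory)
    print("denied east-west flows:", bad)
    # web1 is rescheduled onto a new IP; the identity rule still applies,
    # where an IP allow-list would have gone stale or been widened to a /24.
    inventory["10.0.1.77"] = inventory.pop("10.0.1.5")
    print(evaluate_flows([("10.0.1.77", "10.0.2.5", 443)], inventory))
    print("web1 blast radius flat:", sorted(reachable_flat("web1")),
          "segmented:", sorted(reachable_under_policy("web1")))
```

The inventory lookup is the part that matters for Exercise 20: the IP-to-identity binding is refreshed by the platform (an agent, a service mesh, or cloud metadata), so the policy never has to change when addresses do, and a host that spoofs or reuses a recycled IP still has to present an identity that a rule names.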
Part E — Plan a ZT migration ⭐⭐–⭐⭐⭐
21.† Meridian's CISO asks you to sequence a three-year zero-trust program. Put these four workstreams in order and justify the dependency for each transition: (i) microsegment the cardholder data environment; (ii) phishing-resistant MFA for all staff and entitlement cleanup; (iii) replace the remote-access VPN with ZTNA; (iv) enroll all endpoints and build a device-posture pipeline.
22. Your manager wants to "start with microsegmentation because that's where lateral movement happens." Write a three-to-five-sentence response explaining why identity should come first, and what specifically tends to go wrong when microsegmentation is attempted on a flat network with weak identity.
23.† Meridian's core-banking mainframe cannot support modern identity protocols or run a posture agent. Describe a pragmatic zero-trust treatment for it that does not require rewriting it. Which phase of the roadmap does this fall in, and which controls substitute for the capabilities the system lacks?
24. Design it. Given these requirements — a 1,800-person bank, hybrid (on-prem + AWS + M365), a flat internal LAN, a remote-access VPN, partial MFA, crown jewels = CDE/AD/core-banking — produce a one-page target zero-trust architecture: list the components (IdP, PDP/PEP/ZTNA broker, MDM/posture, microsegmentation targets), map them to the CISA maturity pillars, and mark what gets done first.
25. Write the board framing. In one short paragraph, explain Meridian's zero-trust program to the board without promising a finish line. Frame it as phased, independently-valuable risk reduction tied to a maturity model, and name the metric you would report each quarter (preview of Chapter 36).
26. ⭐⭐⭐ Map each of the five CISA maturity pillars (Identity, Devices, Networks, Applications & Workloads, Data) to the prior chapters of this book that build the relevant controls. Argue, in a page, why "zero trust is not a new program but the architecture that ties the existing program together."
Part F — Respond to this / harden it ⭐⭐
27.† Respond to this incident. Your ZTNA logs show a user's session was granted, then torn down eleven minutes later by the policy administrator with reason device_posture_failed: EDR detection. Walk through what zero trust just did, what you (the SOC) should do next, and how this outcome differs from what would have happened with a VPN. Reference continuous verification.
28. Harden it. A ZTNA policy reads: allow group=employees to ALL internal apps if MFA passed. Critique this policy against the tenets — it passes identity but fails several others — and rewrite it to respect per-session least privilege, device posture, and context for a specific sensitive app.
29.† Analyze this log. The policy-decision log below is illustrative (constructed values for the exercise, not real telemetry). For each line, state whether the decision looks correct and what it tells a hunter:
10:02 user=okafor app=loan-orig device=managed,healthy loc=in-country -> GRANT
10:04 user=okafor app=wire-approve device=managed,healthy loc=in-country -> GRANT
10:09 user=okafor app=core-admin device=managed,healthy loc=in-country -> DENY (not in core-admins)
10:11 user=okafor app=core-admin device=managed,healthy loc=in-country -> DENY (not in core-admins)
10:12 user=okafor app=core-admin device=managed,healthy loc=in-country -> DENY (not in core-admins)
(a) What pattern in the last three lines (the repeated core-admin denials) should concern you? (b) Why is it good that these denials exist as log lines at all (compare to a flat network)? (c) What control produced the telemetry, and what would you hunt for next?
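A small hunt query over the Exercise 29 log, added here as an example and not part of the chapter. It parses lines of the shape shown above and flags any (user, app) pair that collects repeated DENYs inside a short window, then lists what else that user was granted, which is the next place a hunter would look. The threshold of three denials in ten minutes is an assumption chosen for the sample; the log text is the exercise's illustrative values embedded verbatim.

```python
"""Added example, not from the chapter: parse policy-decision log lines and
flag repeated denials per (user, app) inside a sliding time window. Threshold
and window are assumptions; the sample log is the exercise's illustrative data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"(?P<ts>\d{2}:\d{2}) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"device=(?P<device>\S+) loc=(?P<loc>\S+) -> (?P<verdict>GRANT|STEP-UP|DENY)"
    r"(?: \((?P<reason>[^)]*)\))?$"
)

SAMPLE_LOG = """\
10:02 user=okafor app=loan-orig device=managed,healthy loc=in-country -> GRANT
10:04 user=okafor app=wire-approve device=managed,healthy loc=in-country -> GRANT
10:09 user=okafor app=core-admin device=managed,healthy loc=in-country -> DENY (not in core-admins)
10:11 user=okafor app=core-admin device=managed,healthy loc=in-country -> DENY (not in core-admins)
10:12 user=okafor app=core-admin device=managed,healthy loc=in-country -> DENY (not in core-admins)
"""


def parse_log(text):
    """Return one dict per well-formed line; lines that don't match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%H:%M")
            events.append(e)
    return events


def repeated_denials(events, threshold=3, window_minutes=10):
    """Flag (user, app) pairs with >= threshold DENYs inside the window.

    Sliding window over the sorted DENY timestamps of each pair; one finding
    per pair, reported at the first moment the threshold is crossed."""
    window = timedelta(minutes=window_minutes)
    by_pair = defaultdict(list)
    for e in events:
        if e["verdict"] == "DENY":
            by_pair[(e["user"], e["app"])].append(e["ts"])
    findings = []
    for (user, app), times in by_pair.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append({"user": user, "app": app, "count": hi - lo + 1,
                                 "first": times[lo].strftime("%H:%M"),
                                 "last": times[hi].strftime("%H:%M")})
                break
    return findings


def granted_apps(events, user):
    """Apps the same user was GRANTed in this log: the pivot for the next hunt
    step (was wire-approve used normally, or is that session also suspect?)."""
    return sorted({e["app"] for e in events
                   if e["user"] == user and e["verdict"] == "GRANT"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in repeated_denials(evs):
        print(f"{f['user']} -> {f['app']}: {f['count']} DENY between "
              f"{f['first']} and {f['last']}")
        print("  granted elsewhere in the same window:", granted_apps(evs, f["user"]))
```

The denials are only there to query because the PEP made an explicit decision and wrote it down; on a flat network the same three attempts would have been ordinary TCP connections to the admin host with no policy engine in the path to record them.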
30. Harden it. An architect proposes checking device posture once at session establishment "to avoid the overhead of re-checking." Explain the security hole this creates (rebuilding a mini implicit trust zone inside each session) and propose a continuous-verification design that re-evaluates posture on a sensible schedule and on key events.
Part G — CTF-style challenge ⭐⭐⭐
31.† The "zero-trust" appliance that isn't. A vendor demo shows: users authenticate to a sleek portal with MFA, then are dropped onto a "secure access network" from which they can reach any internal application, with all traffic encrypted. The vendor calls it "zero trust in a box." Identify every way this product fails the seven tenets despite its marketing, decide whether it is useful (it may be — as a component), and write the two follow-up questions you would ask the vendor to expose what it does not do. (Hint: the encryption and MFA are real; the problem is what happens after authentication.)
Part H — Interleaved & forward-looking ⭐⭐
32. (Interleaved with Chapters 16–18.) Explain why zero trust treats orphaned and over-privileged accounts (Chapter 18) as direct security holes rather than mere hygiene problems. What does an over-privileged account become in a system that grants access based on verified identity?
33. (Interleaved with Chapter 7.) You learned default-deny firewall rules in Chapter 7. Show how the same default-deny principle appears in (a) a ZTNA broker's treatment of unauthorized users and (b) microsegmentation between workloads. Why is default-deny the unifying logic of zero trust?
34. ⭐⭐⭐ (Forward-looking to Chapter 33.) Chapter 33 covers operational technology, where many devices cannot be patched, cannot run agents, and cannot use modern identity. Predict which two zero-trust instincts from this chapter transfer best to OT, and which one breaks down hardest. Write half a page.
35. ⭐⭐⭐ Open reflection. The chapter argues "trust based on network location is the vulnerability." Find an analogy outside computing — a physical building, an airport, a financial system — where a boundary that once conferred trust has been undermined, and describe what the "zero-trust" equivalent would look like there. What does that domain do (or fail to do) that security could learn from?
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group, a lab, or your instructor.