Quiz: Zero Trust Architecture

Twenty-five self-check questions: multiple choice, true/false-with-justification, and short answer. Several are tagged with the certification domain they map to: [Sec+] (CompTIA Security+) and [CISSP] ((ISC)² CISSP). Answers and one-line explanations are at the end in Answer Key; a "topics to review by question" map follows. Try to justify every answer before checking.


Multiple choice

1. [Sec+] The core principle of zero trust is best summarized as:
   - A) Trust the internal network, verify the external network.
   - B) Never trust, always verify — trust is never granted by network location and never permanent.
   - C) Encrypt all data at rest and in transit.
   - D) Require a VPN for all remote access.

2. [Sec+][CISSP] The canonical, vendor-neutral standard that defines zero trust architecture is:
   - A) NIST SP 800-53
   - B) NIST SP 800-61
   - C) NIST SP 800-207
   - D) ISO/IEC 27001

3. An implicit trust zone is:
   - A) A network segment protected by a next-gen firewall.
   - B) A region where an entity, once inside, is granted broad access without further per-request verification because it is presumed trustworthy by location.
   - C) The encrypted tunnel established by a VPN.
   - D) A list of trusted IP addresses maintained by the firewall.

4. [CISSP] In the NIST SP 800-207 model, which component makes the access decision?
   - A) Policy enforcement point (PEP)
   - B) Policy administrator (PA)
   - C) Policy engine (PE)
   - D) Identity provider (IdP)

5. [CISSP] Which component executes the decision by establishing or tearing down the session and configuring the enforcement point?
   - A) Policy engine (PE)
   - B) Policy administrator (PA)
   - C) Policy enforcement point (PEP)
   - D) Secure web gateway

6. [Sec+] The three signals that a mature zero-trust decision blends are:
   - A) IP address, port, and protocol
   - B) Identity, device posture, and context
   - C) Firewall, IDS, and antivirus
   - D) Confidentiality, integrity, and availability

7. Device posture refers to:
   - A) The physical orientation of a server in a rack.
   - B) The measured security state of a device (patch level, encryption, EDR health, management status) used as an input to the access decision.
   - C) A device's position in the network topology.
   - D) The number of devices a user is allowed to enroll.

8. [Sec+] ZTNA differs from a legacy remote-access VPN most fundamentally because ZTNA:
   - A) Uses stronger encryption than a VPN.
   - B) Grants access to a specific application after a per-request decision, never placing the user on the network at large.
   - C) Is always cheaper to operate.
   - D) Does not require authentication.

9. The software-defined perimeter (SDP) property that hides resources from unauthorized users means an attacker cannot:
   - A) Encrypt their traffic.
   - B) Authenticate with stolen credentials.
   - C) Scan for, discover, or directly reach the protected resource — it is invisible until authorized.
   - D) Use a different device.

10. [Sec+][CISSP] Microsegmentation differs from the perimeter segmentation of Part II because it:
    - A) Uses VLANs instead of subnets.
    - B) Draws default-deny policy boundaries around individual workloads, governing traffic within a zone, not just at its edge.
    - C) Requires a hardware firewall at every host.
    - D) Eliminates the need for identity controls.

11. A least-privilege session grants:
    - A) Permanent broad access once the user authenticates.
    - B) The minimum access needed for a specific task, time-bound and scoped to one resource, without propagating to other resources.
    - C) Administrative rights for convenience.
    - D) Access based solely on the user's role.

12. [CISSP] Continuous verification (a zero-trust tenet) means:
    - A) The user must re-enter their password every five minutes.
    - B) Authentication and authorization are an ongoing cycle — posture and context are re-evaluated during a session, and a session can be revoked mid-stream.
    - C) The SIEM continuously collects logs.
    - D) The firewall continuously updates its signatures.

13. [Sec+] Which is the most accurate statement about adding MFA to a VPN?
    - A) It makes the VPN a zero-trust solution.
    - B) It strengthens the identity signal at the front door but does not stop lateral movement after the user is placed on the network.
    - C) It eliminates the need for device posture checks.
    - D) It hides internal resources behind a software-defined perimeter.

14. Which control most directly contains east-west (workload-to-workload) lateral movement?
    - A) A stronger password policy
    - B) Microsegmentation with default-deny between workloads
    - C) A faster VPN
    - D) Full-disk encryption

15. [CISSP] The maturity model that rates an organization's zero-trust progress across pillars (Identity, Devices, Networks, Applications & Workloads, Data) is published by:
    - A) NIST, as SP 800-207
    - B) CISA, as the Zero Trust Maturity Model
    - C) ISO, as 27001
    - D) PCI Security Standards Council


True / False — justify your answer

16. [Sec+] True or False: In a zero-trust architecture, a request from inside the corporate data center is trusted more than a request from the public internet. Justify.

17. True or False: Valid, phishing-resistant credentials are sufficient to be granted access to any resource in a zero-trust model. Justify.

18. [CISSP] True or False: Zero trust is a product an organization can purchase and deploy to achieve the seven tenets at once. Justify.

19. True or False: Under microsegmentation, a denied workload-to-workload flow is a useful detection signal. Justify, contrasting with a flat network.

20. True or False: The correct first phase of a zero-trust migration is microsegmenting the internal network, because that is where lateral movement happens. Justify.


Short answer

21. [Sec+] State three of the seven NIST SP 800-207 tenets and, for each, name the perimeter-model failure it addresses.

22. Explain why "trust based on network location is the vulnerability" — connect it to how a single phished credential becomes a full breach in a perimeter model but a contained incident in zero trust.

23. [CISSP] Walk a single access request through the PE, PA, and PEP. State what each does and why the arrangement prevents the subject from reaching the resource directly.

24. A loan officer with valid credentials and a healthy managed device is stepped up (challenged for more) when requesting a sensitive app at 3 a.m. from a foreign country. Which signal triggered this, and why is a dynamic decision better than a static role-based allow?

25. [Sec+][CISSP] Give the recommended dependency order for a zero-trust roadmap (identity, device, ZTNA, microsegmentation) and justify why each step must precede the next.


Answer Key

1. **B** — Zero trust grants no trust by location and no permanent trust; every request is verified.
2. **C** — NIST SP 800-207, *Zero Trust Architecture* (2020), is the canonical vendor-neutral standard. (800-53 = controls catalog; 800-61 = incident response; 27001 = an ISMS standard.)
3. **B** — An implicit trust zone grants broad access by presumed-trustworthy *location*, with no per-request verification; it is where lateral movement lives.
4. **C** — The policy engine (PE) makes the grant/deny decision using the signals.
5. **B** — The policy administrator (PA) executes the PE's decision: it sets up/tears down the session and configures the PEP. (PE decides, PA acts, PEP enforces in the data path.)
6. **B** — Identity (who), device posture (the endpoint's health), and context (circumstances) are the three signals that replace network location.
7. **B** — Device posture is the measured security state of the device, used as an access-decision input.
8. **B** — ZTNA brokers access to one application per request and never places the user on the network — the defining difference from a VPN, and what blocks lateral movement.
9. **C** — SDP hides resources; unauthorized users cannot scan, discover, or reach them at all.
10. **B** — Microsegmentation default-denies between individual workloads, governing traffic *inside* a zone, unlike edge-only perimeter segmentation.
11. **B** — A least-privilege session is minimal, time-bound, scoped to one resource, non-propagating.
12. **B** — Continuous verification re-evaluates authN/authZ, posture, and context during a session and can revoke it; it is not a periodic password re-prompt.
13. **B** — MFA strengthens the identity signal but changes nothing after the user is on the flat network; lateral movement remains.
14. **B** — Microsegmentation with default-deny contains east-west lateral movement.
15. **B** — CISA publishes the Zero Trust Maturity Model (pillars + maturity stages); NIST SP 800-207 is the architecture, not the maturity yardstick.
16. **False** — Tenet 2: all communication is secured regardless of location; internal traffic earns no extra trust. Treating internal as trusted is the implicit trust zone zero trust removes.
17. **False** — Identity is necessary but not sufficient; the request is still evaluated against device posture and context, and access is per-session/least-privilege. Valid credentials on an unmanaged device or in a risky context can be denied.
18. **False** — 800-207 describes an architecture and tenets, not a SKU; real zero trust integrates identity, device, network, and policy over years. A single product can be a component, not the whole.
19. **True** — Because every inter-workload flow is governed by explicit allow/deny policy, a denied flow is traffic that policy says should never happen — a high-signal IoC. A flat network permitted such traffic by default and produced no signal, so the pivot was invisible.
20. **False** — Identity must come first; you cannot make trustworthy per-request decisions (or safely impose default-deny) without strong identity and device signals. Microsegmenting a flat network with weak identity tends to break production and discredit the program.
21. *Any three, e.g.:* Tenet 2 (secure all comms regardless of location) addresses the trusted-interior failure; Tenet 3 (per-session least privilege) addresses "one credential reaches everything"; Tenet 5 (measure asset posture) addresses compromised devices keeping their access; Tenet 7 (collect everything) addresses invisible lateral movement.
22. In a perimeter model, location confers trust, so a phished credential plus VPN access deposits the attacker into an implicit trust zone with broad, unverified reach — one credential becomes the whole interior. In zero trust there is no trusted interior: each resource re-verifies identity, device, and context per request and grants only a least-privilege session, so the stolen credential reaches only what it is explicitly allowed, now, on a healthy device — a contained incident. Location-based trust is the property that turns the foothold into a breach, hence "the vulnerability."
23. The PE evaluates the request against policy using identity, device, and context signals and decides grant/deny/conditional. The PA executes that decision: it establishes or tears down the session and configures the PEP with exactly the authorized path/credentials. The PEP sits in the data path and allows only the granted session, blocking everything else. Because the subject's only route to the resource is through a PEP that opens solely PA-authorized sessions, the subject can never reach the resource directly — there is no implicit trust zone.
24. The **context** signal (impossible-travel location + off-hours, likely a high computed risk score) triggered the step-up, even though identity and device passed. A dynamic decision is better than a static role-based allow because risk is not constant: the same authorized user/device is far riskier at 3 a.m. from a foreign country, and a static "this role may access this app" rule cannot express that, while context-aware (ABAC-style) policy can.
25. Order: (1) identity foundation (phishing-resistant MFA, entitlement cleanup); (2) device posture (enrollment + posture pipeline); (3) ZTNA for applications (broker, replace VPN); (4) microsegment crown jewels. Each must precede the next by dependency: device-gating needs trustworthy identity; trustworthy brokered app access needs both identity and device signals; aggressive east-west segmentation is the riskiest to production and is only safe once the identity/device/app foundation supports it. Sequencing this way also front-loads risk reduction and keeps each phase independently valuable.
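The access flow from answers 23 and 24, as an added illustration that is not part of the quiz or its answer key: a policy engine that gates on identity and device posture and grades context into a risk score, a policy administrator that opens sessions, and an enforcement point that forwards only the sessions the PA configured. All names, weights, thresholds and sample requests are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """One access request carrying the three zero-trust signals (constructed)."""
    subject: str
    resource: str
    phishing_resistant_mfa: bool  # identity signal
    device_managed: bool          # device posture
    edr_healthy: bool             # device posture
    country: str                  # context
    hour: int                     # context, 0-23 local time
    sensitive: bool               # resource classification

HOME_COUNTRY = "US"         # assumption: the subject's usual country
STEP_UP_THRESHOLD = 50      # assumed risk score at which sensitive apps step up

def risk_score(req: Request) -> int:
    """Context risk: unusual location and off-hours each add an assumed weight."""
    score = 0
    if req.country != HOME_COUNTRY:
        score += 40
    if req.hour < 6 or req.hour >= 22:
        score += 30
    return score

def policy_engine(req: Request) -> str:
    """PE: identity and device are hard gates; context decides grant vs step-up."""
    if not req.phishing_resistant_mfa:
        return "deny"
    if not (req.device_managed and req.edr_healthy):
        return "deny"
    if req.sensitive and risk_score(req) >= STEP_UP_THRESHOLD:
        return "step_up"
    return "grant"

class EnforcementPoint:
    """PEP: only (subject, resource) sessions the PA configured are forwarded."""
    def __init__(self) -> None:
        self.sessions: set[tuple[str, str]] = set()
    def forward(self, subject: str, resource: str) -> bool:
        return (subject, resource) in self.sessions

def policy_administrator(req: Request, pep: EnforcementPoint) -> str:
    """PA: take the PE decision; open a session on the PEP only on 'grant'."""
    decision = policy_engine(req)
    if decision == "grant":
        pep.sessions.add((req.subject, req.resource))  # scoped to one resource
    return decision
```

A session granted for one resource does not let the PEP forward traffic to another, which is the non-propagating property of answer 11.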

Topics to review by question

| Questions | Topic | Section |
|---|---|---|
| 1, 16, 22 | Zero-trust principle; death of location-based trust | 32.1 |
| 2, 18, 21 | NIST SP 800-207 and the seven tenets | 32.2 |
| 3, 17, 22 | Implicit trust zone; identity necessary-not-sufficient | 32.1, 32.3 |
| 6, 7, 24 | The three signals; device posture; context-aware access | 32.3 |
| 4, 5, 23 | Policy engine / administrator / enforcement point | 32.4 |
| 8, 9, 13 | ZTNA vs VPN; software-defined perimeter | 32.4 |
| 10, 14, 19 | Microsegmentation; east-west containment; detection | 32.5 |
| 11, 12 | Least-privilege session; continuous verification | 32.2, 32.3 |
| 15, 20, 25 | CISA maturity model; roadmap sequencing | 32.6 |