ZTA utilizes which of the following to improve the network’s security posture?
- A . Micro-segmentation and encryption
- B . Compliance analytics and network communication
- C . Network communication and micro-segmentation
- D . Encryption and compliance analytics
A
Explanation:
ZTA uses micro-segmentation to divide the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. ZTA also uses encryption to protect data in transit and at rest from eavesdropping and tampering.
Scenario: A multinational org uses ZTA to enhance security. They collaborate with third-party service providers for remote access to specific resources.
How can ZTA policies authenticate third-party users and devices for accessing resources?
- A . ZTA policies can implement robust encryption and secure access controls to prevent access to services from stolen devices, ensuring that only legitimate users can access mobile services.
- B . ZTA policies should prioritize securing remote users through technologies like virtual desktop infrastructure (VDI) and corporate cloud workstation resources to reduce the risk of lateral movement via compromised access controls.
- C . ZTA policies can be configured to authenticate third-party users and their devices, determining the necessary access privileges for resources while concealing all other assets to minimize the attack surface.
- D . ZTA policies should primarily educate users about secure practices and promote strong authentication for services accessed via mobile devices to prevent data compromise.
C
Explanation:
ZTA is based on the principle of never trusting any user or device by default, regardless of their location or ownership. ZTA policies can use various methods to verify the identity and context of third-party users and devices, such as tokens, certificates, multifactor authentication, device posture assessment, etc. ZTA policies can also enforce granular and dynamic access policies that grant the minimum necessary privileges to third-party users and devices for accessing specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents unauthorized access and lateral movement within the network.
Which ZT tenet is based on the notion that malicious actors reside inside and outside the network?
- A . Assume breach
- B . Assume a hostile environment
- C . Scrutinize explicitly
- D . Requiring continuous monitoring
A
Explanation:
The ZT tenet of assume breach is based on the notion that malicious actors reside inside and outside the network, and that any user, device, or service can be compromised at any time. Therefore, ZT requires continuous verification and validation of all entities and transactions, and does not rely on implicit trust or perimeter-based defenses.
During ZT planning, which of the following determines the scope of the target state definition? Select the best answer.
- A . Risk appetite
- B . Risk assessment
- C . Service level agreements
- D . Risk register
B
Explanation:
Risk assessment is the process of identifying, analyzing, and evaluating the risks that an organization faces in achieving its objectives. Risk assessment helps to determine the scope of the target state definition for ZT planning, as it identifies the critical assets, threats, vulnerabilities, and impacts that need to be addressed by ZT capabilities and activities. Risk assessment also helps to prioritize and align the ZT planning with the organization’s risk appetite and tolerance levels.
Of the following options, which risk/threat does SDP mitigate by mandating micro-segmentation and implementing least privilege?
- A . Identification and authentication failures
- B . Injection
- C . Security logging and monitoring failures
- D . Broken access control
D
Explanation:
SDP mitigates the risk of broken access control by mandating micro-segmentation and implementing least privilege. Micro-segmentation divides the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. Least privilege grants the minimum necessary access to users and devices for specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents attackers from exploiting weak or misconfigured access controls.
What should an organization’s data and asset classification be based on?
- A . Location of data
- B . History of data
- C . Sensitivity of data
- D . Recovery of data
C
Explanation:
Data and asset classification should be based on the sensitivity of data, which is the degree to which the data requires protection from unauthorized access, modification, or disclosure. Data sensitivity is determined by the potential impact of data loss, theft, or corruption on the organization, its customers, and its partners. Data sensitivity can also be influenced by legal, regulatory, and contractual obligations.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 10, section 2.1.1
Identify and protect sensitive business data with Zero Trust, section 1
Secure data with Zero Trust, section 1
SP 800-207, Zero Trust Architecture, page 9, section 3.2.1
Which security tools or capabilities can be utilized to automate the response to security events and incidents?
- A . Single packet authorization (SPA)
- B . Security orchestration, automation, and response (SOAR)
- C . Multi-factor authentication (MFA)
- D . Security information and event management (SIEM)
B
Explanation:
SOAR is a collection of software programs developed to bolster an organization’s cybersecurity posture. SOAR tools can automate the response to security events and incidents by executing predefined workflows or playbooks, which can include tasks such as alert triage, threat detection, containment, mitigation, and remediation. SOAR tools can also orchestrate the integration of various security tools and data sources, and provide centralized dashboards and reporting for security operations.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 23, section 3.2.2
Security Orchestration, Automation and Response (SOAR) – Gartner
Security Automation: Tools, Process and Best Practices – Cynet, section “What are the different types of security automation tools?”
Introduction to automation in Microsoft Sentinel
Network architects should consider __________ before selecting an SDP model.
- A . leadership buy-in
- B . gateways
- C . their use case
- D . cost
C
Explanation:
Different SDP deployment models have different advantages and disadvantages depending on the organization’s use case, such as the type of resources to be protected, the location of the clients and servers, the network topology, the scalability, the performance, and the security requirements.
Network architects should consider their use case before selecting an SDP model that best suits their needs and goals.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 21, section 3.1.2
6 SDP Deployment Models to Achieve Zero Trust | CSA, section “Deployment Models Explained”
Software-Defined Perimeter (SDP) and Zero Trust | CSA, page 7, section 3.1
Why SDP Matters in Zero Trust | SonicWall, section “SDP Deployment Models”
Which component in a ZTA is responsible for deciding whether to grant access to a resource?
- A . The policy enforcement point (PEP)
- B . The policy administrator (PA)
- C . The policy engine (PE)
- D . The policy component
C
Explanation:
The policy engine (PE) is the component in a ZTA that is responsible for deciding whether to grant access to a resource. The PE evaluates the policies and the contextual data collected from various sources, such as the user identity, the device posture, the network location, the resource attributes, and the environmental factors, and then generates an access decision. The PE communicates the access decision to the policy enforcement point (PEP), which enforces the decision on the resource.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2
What Is Zero Trust Architecture (ZTA)? – F5, section “Policy Engine”
What is Zero Trust Architecture (ZTA)? | NextLabs, section “Core Components”
SP 800-207, Zero Trust Architecture, page 11, section 3.3.1
What is the function of the rule-based security policies configured on the policy decision point (PDP)?
- A . Define rules that specify how information can flow
- B . Define rules that specify multi-factor authentication (MFA) requirements
- C . Define rules that map roles to users
- D . Define rules that control the entitlements to assets
D
Explanation:
Rule-based security policies are a type of attribute-based access control (ABAC) policies that define rules that control the entitlements to assets, such as data, applications, or devices, based on the attributes of the subjects, objects, and environment. The policy decision point (PDP) is the component in a zero trust architecture (ZTA) that evaluates the rule-based security policies and generates an access decision for each request.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2
A Zero Trust Policy Model | SpringerLink, section “Rule-Based Policies”
Zero Trust architecture: a paradigm shift in cybersecurity – PwC, section “Security policy and control framework”
To respond quickly to changes while implementing ZT Strategy, an organization requires a mindset and culture of
- A . learning and growth.
- B . continuous risk evaluation and policy adjustment.
- C . continuous process improvement.
- D . project governance.
B
Explanation:
To respond quickly to changes while implementing ZT Strategy, an organization requires a mindset and culture of continuous risk evaluation and policy adjustment. This means that the organization should constantly monitor the threat landscape, assess the security posture, and update the policies and controls accordingly to maintain a high level of protection and resilience. The organization should also embrace feedback, learning, and improvement as part of the ZT journey.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 7, section 1.3
Cultivating a Zero Trust mindset – AWS Prescriptive Guidance, section “Continuous learning and improvement”
Zero Trust architecture: a paradigm shift in cybersecurity – PwC, section “Continuous monitoring and improvement”
What is one of the key purposes of leveraging visibility & analytics capabilities in a ZTA?
- A . Automatically granting access to all requested applications and data.
- B . Ensuring device compatibility with legacy applications.
- C . Enhancing network performance for faster data access.
- D . Continually evaluating user behavior against a baseline to identify unusual actions.
D
Explanation:
One of the key purposes of leveraging visibility & analytics capabilities in a ZTA is to continually evaluate user behavior against a baseline to identify unusual actions. This helps to detect and respond to potential threats, anomalies, and deviations from the normal patterns of user activity.
Visibility & analytics capabilities also enable the collection and analysis of telemetry data across all the core pillars of ZTA, such as user, device, network, application, and data, and provide insights for policy enforcement and improvement.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 15, section 2.2.3
Zero Trust for Government Networks: 4 Steps You Need to Know, section “Continuously verify trust with visibility & analytics”
The role of visibility and analytics in zero trust architectures, section “The basic NIST tenets of this approach include”
What is Zero Trust Architecture (ZTA)? | NextLabs, section “With real-time access control, users are reliably verified and authenticated before each session”
The following list describes the SDP onboarding process/procedure.
What is the third step?
1. SDP controllers are brought online first.
2. Accepting hosts are enlisted as SDP gateways that connect to and authenticate with the SDP controller.
3.
- A . Initiating hosts are then onboarded and authenticated by the SDP gateway
- B . Clients on the initiating hosts are then onboarded and authenticated by the SDP controller
- C . SDP gateway is brought online
- D . Finally, SDP controllers are then brought online
A
Explanation:
The third step in the SDP onboarding process is to onboard and authenticate the initiating hosts, which are the clients that request access to the protected resources. The initiating hosts connect to and authenticate with the SDP gateway, which acts as an accepting host and a proxy for the protected resources. The SDP gateway verifies the identity and posture of the initiating hosts and grants them access to the resources based on the policies defined by the SDP controller.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 21, section 3.1.2
6 SDP Deployment Models to Achieve Zero Trust | CSA, section “Deployment Models Explained”
Software-Defined Perimeter (SDP) and Zero Trust | CSA, page 7, section 3.1
Which of the following is a common activity in the scope, priority, and business case steps of ZT planning?
- A . Determine the organization’s current state
- B . Prioritize protect surfaces
- C . Develop a target architecture
- D . Identify business and service owners
A
Explanation:
A common activity in the scope, priority, and business case steps of ZT planning is to determine the organization’s current state. This involves assessing the existing security posture, architecture, policies, processes, and capabilities of the organization, as well as identifying the key stakeholders, business drivers, and goals for the ZT initiative. Determining the current state helps to establish a baseline, identify gaps and risks, and define the scope and priority of the ZT transformation.
Reference =
Zero Trust Planning – Cloud Security Alliance, section “Scope, Priority, & Business Case”
The Zero Trust Journey: 4 Phases of Implementation – SEI Blog, section “First Phase: Prepare”
Within the context of risk management, what are the essential components of an organization’s ongoing risk analysis?
- A . Gap analysis, security policies, and migration
- B . Assessment frequency, metrics, and data
- C . Log scoping, log sources, and anomalies
- D . Incident management, change management, and compliance
B
Explanation:
The essential components of an organization’s ongoing risk analysis are assessment frequency, metrics, and data. Assessment frequency refers to how often the organization conducts risk assessments to monitor and measure the effectiveness of the zero trust architecture and policies.
Metrics refer to the quantitative and qualitative indicators that are used to evaluate the security posture, performance, and compliance of the zero trust architecture. Data refers to the information that is collected, analyzed, and reported from various sources, such as telemetry, logs, audits, and feedback, to support risk analysis and decision making.
Reference =
Zero Trust Planning – Cloud Security Alliance, section “Monitor & Measure”
How to improve risk management using Zero Trust architecture | Microsoft Security Blog, section “Monitoring and reporting”
Zero Trust Adoption: Managing Risk with Cybersecurity Engineering and Adaptive Risk Assessment – SEI Blog, section “Continuous Monitoring and Improvement”
ZTA reduces management overhead by applying a consistent access model throughout the environment for all assets.
What can be said about ZTA models in terms of access decisions?
- A . The traffic of the access workflow must contain all the parameters for the policy decision points.
- B . The traffic of the access workflow must contain all the parameters for the policy enforcement points.
- C . Each access request is handled just-in-time by the policy decision points.
- D . Access revocation data will be passed from the policy decision points to the policy enforcement points.
C
Explanation:
ZTA models in terms of access decisions are based on the principle of “never trust, always verify”, which means that each access request is handled just-in-time by the policy decision points. The policy decision points are the components in a ZTA that evaluate the policies and the contextual data collected from various sources, such as the user identity, the device posture, the network location, the resource attributes, and the environmental factors, and then generate an access decision. The access decision is communicated to the policy enforcement points, which enforce the decision on the resource. This way, ZTA models apply a consistent access model throughout the environment for all assets, regardless of their location, type, or ownership.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2
What Is Zero Trust Architecture (ZTA)? – F5, section “Policy Engine”
Zero trust security model – Wikipedia, section “What Is Zero Trust Architecture?”
Zero Trust Maturity Model | CISA, section “Zero trust security model”
To successfully implement ZT security, two crucial processes must be planned and aligned with existing access procedures that the ZT implementation might impact.
What are these two processes?
- A . Incident and response management
- B . Training and awareness programs
- C . Vulnerability disclosure and patching management
- D . Business continuity planning (BCP) and disaster recovery (DR)
D
Explanation:
Business Continuity Planning (BCP) and Disaster Recovery (DR) are two key processes that need to be considered in the implementation of Zero Trust security. These processes ensure that the organization can maintain critical business operations and recover quickly in the event of security incidents or disasters.
In a ZTA, the logical combination of both the policy engine (PE) and policy administrator (PA) is called
- A . policy decision point (PDP)
- B . role-based access
- C . policy enforcement point (PEP)
- D . data access policy
A
Explanation:
In a ZTA, the logical combination of both the policy engine (PE) and policy administrator (PA) is called the policy decision point (PDP). The PE is the component that evaluates the policies and the contextual data collected from various sources and generates an access decision. The PA is the component that establishes or terminates the communication between a subject and a resource based on the access decision. The PDP communicates with the policy enforcement point (PEP), which enforces the access decision on the resource.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2
Zero Trust Architecture Project – NIST Computer Security Resource Center, slide 9
What Is a Zero Trust Security Framework? | Votiro, section “The Policy Engine and Policy Administrator”
Zero Trust Frameworks Architecture Guide – Cisco, page 4, section “Policy Decision Point”
To ensure a successful ZT effort, it is important to
- A . engage finance regularly so they understand the effort and do not cancel the project
- B . keep the effort focused within IT to avoid any distractions
- C . engage stakeholders across the organization and at all levels, including functional areas
- D . minimize communication with the business units to avoid "scope creep"
C
Explanation:
To ensure a successful ZT effort, it is important to engage stakeholders across the organization and at all levels, including functional areas. This helps to align the ZT vision and goals with the business priorities and needs, gain buy-in and support from the leadership and the users, and foster a culture of collaboration and trust. Engaging stakeholders also enables the identification and mapping of the critical assets, workflows, and dependencies, as well as the communication and feedback mechanisms for the ZT transformation.
Reference =
Certificate of Competence in Zero Trust (CCZT) prepkit, page 7, section 1.3
Zero Trust Planning – Cloud Security Alliance, section “Scope, Priority, & Business Case”
The ‘Zero Trust’ Model in Cybersecurity: Towards understanding and …, section “3.1 Ensuring buy-in across the organization with tangible impact”
Of the following, which option is a prerequisite action to understand the organization’s protect surface clearly?
- A . Data and asset classification
- B . Threat intelligence capability and monitoring
- C . Gap analysis of the organization’s threat landscape
- D . To have the latest risk register for controls implementation
A
Explanation:
Data and asset classification is a prerequisite action to understand the organization’s protect surface clearly because it helps to identify the most critical and sensitive data and assets that need to be protected by Zero Trust principles. Data and asset classification also helps to define the appropriate policies and controls for different levels of data and asset sensitivity.
Reference =
Certificate of Competence in Zero Trust (CCZT) – Cloud Security Alliance, Zero Trust Training (ZTT) – Module 2: Data and Asset Classification