0 / 16 flipped
Zero Trust
Tap to reveal
Security model: never trust, always verify. No user/device trusted by default regardless of location. Every access requires authentication, authorization, and validation.
Data Plane
Tap to reveal
Processes and forwards actual network traffic: frames, packets, NAT, trunking, encryption. WHERE data moves in real time.
Control Plane
Tap to reveal
Manages the data plane's behavior. Defines policies, routing tables, firewall rules, session tables. WHERE configuration happens.
Adaptive Identity
Tap to reveal
Context-aware authentication. Evaluates multiple risk indicators (location, device, IP, time, relationship to org) to dynamically adjust verification requirements.
Policy Enforcement Point (PEP)
Tap to reveal
The GATEKEEPER. All traffic passes through it. Allows, monitors, and terminates connections based on instructions from the PDP. Can be multiple components.
Policy Decision Point (PDP)
Tap to reveal
The DECISION MAKER. Contains Policy Engine + Policy Administrator. Evaluates access requests and determines grant/deny/revoke.
Policy Engine
Tap to reveal
Part of PDP. Evaluates access requests against policies and context. Makes grant/deny/revoke decisions. The JUDGE of the system.
Policy Administrator
Tap to reveal
Part of PDP. Takes Policy Engine's decision, generates access tokens/credentials, communicates with PEP. The MESSENGER between judge and gatekeeper.
Security Zone
Tap to reveal
Logical network segment with defined trust level. Examples: Trusted, Untrusted, Internal, department zones. Traffic between zones governed by explicit policies.
Lateral Movement
Tap to reveal
Attacker moving between systems after gaining initial access. Traditional perimeter allows it freely. Zero Trust restricts it β every hop requires re-verification.
Threat Scope Reduction
Tap to reveal
Zero Trust goal: limit number of entry points and attack paths. Fewer entry points = smaller attack surface = reduced breach impact.
Implicit Trust
Tap to reveal
Some zone relationships allow traffic under verified conditions (e.g., Trusted β Internal). Doesn't mean no verification β means the zone relationship permits access when verified.
What makes ZT different from perimeter security?
Tap to reveal
Perimeter trusts internal traffic automatically. Zero Trust verifies EVERY access request regardless of whether the request originates from inside or outside the network.
Can PEP be multiple components?
Tap to reveal
Yes. The PEP is often a combination of firewalls, access gateways, identity management systems, and other components working together as a unified enforcement layer.
Adaptive Identity vs. MFA
Tap to reveal
MFA = always requires 2+ factors. Adaptive Identity = evaluates risk context and MAY require MFA only when risk is elevated. Low-risk login = password sufficient. High-risk = triggers MFA automatically.
Policy-Driven Access Control
Tap to reveal
Combines adaptive identity with predefined security rules to make consistent, dynamic access decisions. Access is never arbitrary β always based on policy evaluation.