Chapter 6 Β· Helper 3

Real-World Examples

Zero Trust in practice and exam scenarios.

Real-World

Google BeyondCorp β€” Enterprise Zero Trust

Google pioneered Zero Trust with BeyondCorp after the 2009 Operation Aurora attack. They eliminated VPN-based perimeter access and required every access request to be authenticated and authorized based on device posture, user identity, and request context. A Google employee can work from a coffee shop with the same security level as in the office β€” because access is never based on location. The device certificate, user identity, and request context are evaluated for every resource access.

Real-World

Adaptive Identity in Action

An employee normally logs into the corporate system from Chicago every weekday at 9 AM. Today, at 3 AM, a login attempt comes from an IP address registered in Russia on an unrecognized device. The adaptive identity system evaluates: wrong geography, wrong time, unregistered device = high risk score. The Policy Engine denies access and triggers an alert. The next morning, the employee (who's still in Chicago) logs in normally β€” same credentials, low risk context, access granted. Same password, very different outcome.

Exam Scenario

PEP vs. PDP β€” Who Does What?

Exam question: "In a Zero Trust architecture, which component MAKES the decision about whether to grant or deny access?"

Key rule: PEP = gatekeeper (enforces). Policy Engine = judge (decides). Policy Admin = messenger (communicates decision to PEP).

Real-World

Department Security Zones

A financial institution divides its network into zones: Internet (Untrusted), DMZ, Corporate (Trusted), Finance, HR, IT Admin, and Data Center (Internal). Rules: Internet β†’ Corporate is denied. Corporate β†’ Finance requires Finance role authorization from PDP. Finance β†’ HR is denied (no business reason). IT Admin β†’ Data Center is allowed after device cert verification and MFA. This zone-based approach limits lateral movement β€” even an attacker inside the Corporate zone cannot reach Finance without passing the PEP verification.

Exam Scenario

Is Zero Trust "All or Nothing"?

Can an organization implement Zero Trust incrementally, or must it be deployed all at once?

Incremental implementation is not only possible but recommended. Organizations typically start with their most sensitive data and highest-risk access paths. Phase 1 might be securing privileged access. Phase 2: microsegmenting the network. Phase 3: deploying adaptive identity for all users. Full Zero Trust maturity takes years β€” but each phase meaningfully reduces risk.