Chapter 6 Β· Quiz

Zero Trust Quiz

Test your knowledge of Zero Trust architecture and components.

πŸ“‹ Instructions: Answer all questions, then click Grade Quiz to see your results.
1. What is the core principle of the Zero Trust security model?
βœ… C β€” Zero Trust's core principle is "never trust, always verify." No user or device is trusted by default, whether inside or outside the network perimeter. Every access request requires authentication, authorization, and continuous validation.
2. Which network plane is responsible for processing and forwarding actual data traffic β€” frames, packets, NAT, and encryption β€” in real time?
βœ… D β€” The Data Plane handles the actual movement of network traffic: frames, packets, NAT translation, trunking, and encryption. The Control Plane manages how the Data Plane behaves (routing tables, firewall rules, session policies).
3. A user attempts to access a protected resource. Which Zero Trust component evaluates the request against policies and makes the grant, deny, or revoke decision?
βœ… C β€” The Policy Engine (part of the PDP) evaluates access requests against policies and contextual information. It acts as the "judge" β€” making grant/deny/revoke decisions. The Policy Administrator then communicates those decisions to the PEP. The PEP enforces them.
4. Adaptive Identity differs from standard Multi-Factor Authentication (MFA) in that it:
βœ… D β€” Adaptive Identity evaluates multiple risk indicators (location, device health, IP reputation, time of day, relationship to org) and dynamically adjusts requirements. A low-risk login may only need a password; a high-risk login triggers MFA automatically. Standard MFA always requires 2+ factors regardless of context.
5. How does Zero Trust architecture prevent lateral movement after an attacker gains initial access to a network?
βœ… B β€” Zero Trust prevents lateral movement by requiring re-verification for every resource access, not just at the perimeter. An attacker who compromises one system cannot automatically move to others β€” every lateral hop requires new authentication and authorization, limiting breach impact.
6. Matching: Match each Zero Trust component to its correct role.

COMPONENT

Policy Enforcement Point (PEP)
Policy Decision Point (PDP)
Policy Administrator
Adaptive Identity

ROLE

The GATEKEEPER β€” all traffic passes through it; allows, monitors, and terminates connections
The JUDGE β€” evaluates policies and context to make access decisions (contains Policy Engine + Policy Admin)
The MESSENGER β€” generates access tokens and communicates decisions to the PEP
Context-aware auth that evaluates risk indicators and dynamically adjusts verification requirements
7. Analysis: A company implements Zero Trust only at the network perimeter β€” external users are verified, but once inside, all internal traffic is trusted automatically. What critical Zero Trust requirement is missing, and what attack does this leave the organization vulnerable to?
Missing Requirement: Continuous, granular verification of all internal traffic. Zero Trust requires that EVERY access request β€” including lateral movement between internal systems β€” be authenticated and authorized, not just perimeter entry.

Resulting Vulnerability: Lateral Movement. If an attacker compromises one internal system (e.g., via phishing or a supply chain attack), they can freely move between internal systems, escalate privileges, and reach high-value assets. This is exactly the perimeter security model that Zero Trust was designed to replace. The missing control is per-resource PEP enforcement and per-request Policy Engine evaluation for all internal access, not just external.
8. Evaluation: A CISO argues: "Zero Trust is all-or-nothing β€” unless you implement it perfectly across every system simultaneously, it provides no security benefit." Evaluate this claim. Is Zero Trust an all-or-nothing proposition? Support your answer with reasoning about implementation approaches.
Disagree β€” Zero Trust is NOT all-or-nothing.

Zero Trust is a framework and philosophy that can be implemented incrementally. Each phase of implementation provides measurable security improvement:

β€’ Phase 1: Implement strong identity verification (MFA, adaptive identity) β€” immediately reduces credential-based attacks
β€’ Phase 2: Add device health validation β€” reduces risk from unmanaged endpoints
β€’ Phase 3: Apply micro-segmentation to the most critical assets first β€” limits lateral movement in the highest-risk areas
β€’ Phase 4: Extend PEP/PDP coverage incrementally across remaining resources

The security improvement at each phase is real and valuable, even without complete implementation. The CISO's "all-or-nothing" claim reflects a common misconception. In practice, Google's BeyondCorp and NIST SP 800-207 both describe phased Zero Trust adoption as the standard approach.