π― Trick 1 β PEP vs. PDP: Which One Decides?
An exam question asks: "Which Zero Trust component evaluates the access request and determines whether to grant or deny access?" A student answers "Policy Enforcement Point." Is this correct?
The PEP is the GATEKEEPER β all traffic passes through it, but it doesn't decide anything on its own. The PDP (and its Policy Engine component) is the DECISION MAKER that evaluates requests. The PEP enforces whatever the PDP tells it to do.
Memory trick: PDP = Policy Decision Point β it DECIDES. PEP = Policy Enforcement Point β it ENFORCES. Decisions happen before enforcement.
π― Trick 2 β Data Plane vs. Control Plane Confusion
"A network engineer is updating firewall rules and routing tables to improve traffic flow." Which plane is this?
The Data Plane moves actual traffic (frames, packets) in real time. The Control Plane manages HOW the Data Plane behaves β that's where firewall rules, routing tables, and session policies live. If a human (or system) is configuring or defining how traffic should flow, that's Control Plane activity. If actual user data is flowing through the network, that's Data Plane activity.
Quick test: "Is data moving?" β Data Plane. "Is someone setting up rules?" β Control Plane.
π― Trick 3 β Zero Trust β No Trust Anywhere
A student reads "Zero Trust" and assumes the model means absolutely no trust relationships exist anywhere in the architecture β not even for verified, authenticated users. Is this interpretation correct?
Zero Trust allows access to verified, authenticated, and authorized users and devices. The "Zero" refers to eliminating the implicit, automatic trust that traditional perimeter models grant to anyone inside the network. After proper verification, a user CAN be trusted to access specific resources.
Some security zones even have implicit trust relationships (e.g., Trusted β Internal zone) β but this means the zone relationship permits access when verification succeeds, not that verification is bypassed. The key word is "automatic" trust without verification β that's what Zero Trust eliminates.
π― Trick 4 β Where Is the Policy Administrator?
An exam question lists: Policy Engine, Policy Administrator, Policy Enforcement Point, Policy Decision Point. A student is asked which two components make up the PDP. They answer "Policy Engine and Policy Enforcement Point." Is this correct?
The structure is:
β’ PDP (Policy Decision Point) = Policy Engine + Policy Administrator
β Policy Engine: evaluates requests, makes grant/deny/revoke decisions
β Policy Administrator: communicates decisions, generates tokens/credentials
β’ PEP (Policy Enforcement Point) = separate component entirely; enforces the PDP's decisions
The PEP is outside the PDP. Confusing PEP with Policy Administrator is a common exam trap because both involve "communicating" something β but their roles are very different.
π― Trick 5 β Adaptive Identity Is Not Just About Location
A question describes: "A system that grants access based on the user's geographic location." A student says this is a complete implementation of Adaptive Identity. Is it?
Adaptive Identity evaluates multiple factors simultaneously:
β’ Location (geographic, IP reputation)
β’ Device health (patched, managed, certificate-verified)
β’ Time of day (is this unusual login timing?)
β’ Relationship to organization (employee, contractor, partner)
β’ Behavioral patterns (is this login activity typical for this user?)
Using only location is a basic geo-restriction, not true Adaptive Identity. The adaptive part means combining multiple risk signals to dynamically determine the appropriate level of verification β not just checking one factor.
π― Performance Task β Design a Zero Trust Architecture
A healthcare organization currently uses a traditional perimeter security model. Remote physicians connect via VPN and once connected, can access any internal system. Design a Zero Trust replacement architecture. Identify: the role of the PEP, what the PDP evaluates, how adaptive identity applies, and what happens to lateral movement risk.
PDP Evaluation: When Dr. Smith requests access to patient records, the Policy Engine checks:
β’ Is Dr. Smith authenticated? (valid certificate + MFA)
β’ Is this device managed and patched? (device health check)
β’ Is this access pattern normal? (time, location, specialty)
β’ Does Dr. Smith's role permit access to this specific record type?
The Policy Administrator then communicates the grant decision and issues a time-limited access token to the PEP.
Adaptive Identity: A physician logging in from the hospital (known IP, managed device, normal hours) receives streamlined access. The same physician logging in from an unknown IP at 3 AM triggers elevated verification β MFA + supervisor notification.
Lateral Movement: Previously, a compromised physician credential gave access to all internal systems. With Zero Trust, a compromised credential only grants access to whatever that specific credential is authorized for β and only after passing device health checks. An attacker cannot pivot from the EHR to billing to imaging without separate authorization for each resource. Breach impact is dramatically limited.