
Quiz — Chapter 39: Zero Trust Implementation

Quiz Instructions

15 questions covering Zero Trust Architecture pillars, maturity models, implementation patterns, and vendor technologies.


Questions

1. The foundational principle of Zero Trust Architecture is:

  • [ ] A. Encrypt all data at rest and in transit
  • [ ] B. "Never trust, always verify" — no implicit trust based on network location or prior authentication
  • [ ] C. Block all external access and allow only internal traffic
  • [ ] D. Require MFA for all privileged accounts
Answer: B

"Never trust, always verify" is ZTA's core principle. Traditional perimeter security grants implicit trust to internal network traffic. ZTA treats every request as potentially hostile regardless of its source network, so continuous verification is required.


2. NIST SP 800-207 defines Zero Trust Architecture around which three core components?

  • [ ] A. Firewall, IDS, SIEM
  • [ ] B. Policy Engine, Policy Administrator, Policy Enforcement Point
  • [ ] C. Identity Provider, VPN, EDR
  • [ ] D. CASB, DLP, PAM
Answer: B

NIST 800-207 ZTA logical components: Policy Engine (makes trust decisions), Policy Administrator (executes decisions — grants/revokes access), Policy Enforcement Point (enforces decisions at the resource). All access flows through this triad.


3. Which of the five ZT pillars is considered the primary control plane in most enterprise ZTA deployments?

  • [ ] A. Devices
  • [ ] B. Networks
  • [ ] C. Identity
  • [ ] D. Applications
Answer: C

Identity is the new perimeter in ZTA. CISA's ZT maturity model places Identity at the center — strong identity (MFA, risk-based auth, PAM) is the foundation all other pillars build upon. Without verified identity, device posture and network controls are insufficient.


4. Microsegmentation in ZTA differs from traditional VLAN segmentation because:

  • [ ] A. Microsegmentation only works in cloud environments
  • [ ] B. Microsegmentation enforces policies at the workload/application level (East-West) rather than network-boundary level only
  • [ ] C. VLANs are more secure than microsegmentation
  • [ ] D. Microsegmentation requires replacing all network hardware
Answer: B

Microsegmentation uses software-defined policies to isolate workloads from each other (East-West traffic), not just perimeter (North-South). Even if an attacker gains network access, lateral movement is blocked by workload-level policy enforcement.


5. Continuous validation in ZTA means:

  • [ ] A. Running penetration tests continuously
  • [ ] B. Re-evaluating trust at every access request based on real-time signals (device health, user risk score, location, behavior)
  • [ ] C. Rotating all credentials every hour
  • [ ] D. Scanning the network for vulnerabilities continuously
Answer: B

Continuous validation means trust is not granted once at login but evaluated per-request using dynamic signals: device compliance posture, user risk score from UEBA, geographic anomalies, time of access. Trust degrades as signals worsen.


6. [SCENARIO] Your organization has deployed ZTA Identity pillar controls (MFA, conditional access). An attacker compromises an employee's phone (MFA token) and laptop (device certificate). They authenticate successfully.

Which ZTA control would catch this that pure identity controls missed?

  • [ ] A. Stronger password policy
  • [ ] B. UEBA/behavioral analytics detecting anomalous activity pattern from the "verified" session
  • [ ] C. Additional MFA factors
  • [ ] D. Network firewall rules
Answer: B

UEBA detects behavioral anomalies even when both the credentials and the device are valid. If the attacker's behavior deviates from the user's baseline (data access pattern, typing speed, application usage), the risk score rises and the session is challenged or terminated. ZTA's "assume breach" design accounts for credential compromise.


7. The CISA Zero Trust Maturity Model defines how many maturity levels for each pillar?

  • [ ] A. 3 (Basic, Intermediate, Advanced)
  • [ ] B. 4 (Initial, Advanced, Optimal, Mature)
  • [ ] C. 5 (Traditional, Initial, Advanced, Optimal, and cross-pillar)
  • [ ] D. 2 (Compliant, Non-compliant)
Answer: A

The CISA Zero Trust Maturity Model (v2.0, 2023) defines the stages Traditional → Initial → Advanced → Optimal. That is effectively four stages, but the model describes them as the Traditional baseline plus three maturity levels, which is the reading behind answer A. The stages are applied across the five pillars (Identity, Devices, Networks, Applications, Data).


8. Software-Defined Perimeter (SDP) implements ZTA network controls by:

  • [ ] A. Replacing all physical firewalls with cloud NAT
  • [ ] B. Making all resources dark (invisible) to unauthenticated users — resources only become accessible after identity and device verification
  • [ ] C. Using VPN tunnels for all traffic
  • [ ] D. Blocking all non-HTTPS traffic at the perimeter
Answer: B

SDP makes resources dark: no open ports and no DNS responses to unauthenticated requestors. Only after cryptographic identity verification does the controller create an ephemeral, encrypted tunnel to the specific resource. This removes port-scanning reconnaissance and lateral movement via network exposure.


9. In a ZTA deployment, Privileged Access Workstations (PAWs) address which specific threat?

  • [ ] A. Phishing via email clients
  • [ ] B. Credential theft from admin workstations via malware on multi-use devices
  • [ ] C. Insider threats from malicious admins
  • [ ] D. Supply chain attacks on software dependencies
Answer: B

PAWs are hardened, dedicated workstations used only for privileged admin tasks — no email, no web browsing, no general use. This prevents credential theft via keyloggers or malware on standard workstations that admins also use for privileged operations.


10. [SCENARIO] Your CISO wants to implement ZTA. The network team proposes starting with network microsegmentation. The identity team proposes starting with MFA enforcement + conditional access.

Which starting point delivers the higher immediate security ROI and why?

  • [ ] A. Network microsegmentation — stops lateral movement immediately
  • [ ] B. Identity controls (MFA + conditional access) — 99.9% of account compromise attacks are blocked by MFA; identity is the primary attack surface
  • [ ] C. Both equally — implement simultaneously
  • [ ] D. Neither — start with data classification
Answer: B

Identity controls first — Microsoft's data shows MFA blocks 99.9% of automated attacks. Identity is ZTA's primary control plane. Network microsegmentation (A) provides value but requires significant infrastructure changes; identity controls deploy in days with higher immediate ROI.


11. Just-In-Time (JIT) access in ZTA means:

  • [ ] A. Granting access as fast as possible to improve user productivity
  • [ ] B. Provisioning privileged access only when needed, for a defined time window, and revoking automatically after
  • [ ] C. Pre-approving all access requests for speed
  • [ ] D. Caching authentication tokens for faster re-authentication
Answer: B

JIT access eliminates standing privileges, the primary target for privilege escalation. Users request access, it is approved for a defined window (for example 1 hour or 4 hours), and it expires automatically. The standing-privilege attack surface is zero whenever access is not active.


12. Which ZTA technology provides device health attestation to the Policy Engine?

  • [ ] A. SIEM
  • [ ] B. Mobile Device Management (MDM) / Endpoint Detection and Response (EDR) with compliance signals
  • [ ] C. Network Access Control (NAC) with 802.1X
  • [ ] D. Web Application Firewall (WAF)

Answer: B

MDM/EDR provides real-time device health signals: patch level, disk encryption status, antivirus state, jailbreak detection. These feed the Policy Engine's device trust score. 802.1X (C) is network-layer only and doesn't provide application-level posture.


13. The concept of "implicit trust zones" in traditional network architecture is eliminated in ZTA by:

  • [ ] A. Removing all network segmentation
  • [ ] B. Enforcing explicit, identity and context-aware authorization for every access request regardless of source network segment
  • [ ] C. Encrypting all internal network traffic
  • [ ] D. Requiring VPN for all internal access
Answer: B

Implicit trust zones (trusted internal network, untrusted internet) are the core flaw of perimeter security. ZTA eliminates the concept — internal network traffic gets the same scrutiny as external. "Trusted internal" status grants nothing without explicit verification.


14. [SCENARIO] After deploying ZTA controls, a red team demonstrates they can still exfiltrate data by: authenticating as a legitimate user → accessing authorized SharePoint → downloading files → uploading to personal OneDrive (authorized by company policy).

Which ZTA control closes this gap?

  • [ ] A. Blocking all cloud storage
  • [ ] B. CASB with DLP policies that detect and block data exfiltration even through authorized cloud applications
  • [ ] C. More restrictive MFA
  • [ ] D. User awareness training
Answer: B

CASB + DLP addresses the Data pillar of ZTA. Access was legitimate; the problem is unauthorized data movement through authorized channels. CASB can enforce DLP policies on cloud-to-cloud transfers and block sensitive data uploads to personal accounts even from company devices.


15. The primary metric to demonstrate ZTA program maturity progress to a CISO is:

  • [ ] A. Number of firewalls replaced
  • [ ] B. Percentage reduction in implicit trust — measured by: % of resources requiring explicit policy authorization, % of privileged access using JIT, % of devices with posture assessment
  • [ ] C. Number of security products deployed
  • [ ] D. Reduction in help desk tickets for password resets
Answer: B

ZTA maturity metrics measure the elimination of implicit trust: coverage of policy enforcement, JIT adoption rate, device attestation coverage, and lateral movement surface reduction. These demonstrate business-aligned security outcomes rather than technology deployment counts.


Score Interpretation

Score   Level
13–15   Expert (ZTA architect ready)
10–12   Proficient (strong ZT implementation knowledge)
7–9     Developing (review NIST 800-207 and CISA ZT Maturity Model)
<7      Foundational (revisit Chapter 39 fully)

Key References: NIST SP 800-207, CISA ZT Maturity Model v2.0, DISA ZT Reference Architecture, Microsoft ZT Deployment Guide