
Zero Trust Architecture Explained for Security+ and CISSP

The old security model assumed that anything inside the corporate network could be trusted. Connect to the office VPN and you are on the inside, and the inside is safe. That model collapsed when attackers proved they could get inside, when remote work dissolved the network perimeter, and when cloud infrastructure scattered resources across the internet. Zero Trust replaces the perimeter model with a single principle: never trust, always verify. Every request for access is authenticated and authorized on its own merits, based on who is asking, what device they are using and the surrounding context, and network location by itself earns no trust at all.


Core principles of Zero Trust

Zero Trust starts from the assumption that the network is already compromised. An attacker could be inside the firewall, an employee's laptop could be infected, a legitimate account could be stolen. Given that assumption, the right response is to verify every access request as if it comes from an untrusted source, every time.

The three foundational tenets are: verify explicitly (always authenticate and authorize based on all available data points, including identity, location, device health, and behavior), use least privilege (give access only to exactly what is needed for the task at hand, nothing more), and assume breach (design systems so that when a breach occurs, the attacker's movement is limited and the damage is contained). Exam material usually presents this three-tenet framing. NIST SP 800-207, the reference architecture that CISSP material draws on, expands the same ideas into seven tenets and names the components that enforce them: a policy engine and policy administrator in the control plane, which decide, and policy enforcement points in the data plane, which allow or block each connection. Security+ (SY0-701) uses that control plane / data plane vocabulary, so expect questions that describe a component and ask which plane it belongs to.

Micro-segmentation is a key technical implementation. Instead of one large trusted zone, networks are divided into many small segments. Each workload, application, or service communicates only with the specific other resources it legitimately needs, and anything not explicitly allowed is denied by default. Segments are defined by workload identity or labels rather than by subnet, so two servers on the same VLAN can sit in different segments; enforcement is distributed to host firewalls, SDN policy or a service mesh rather than concentrated in one central firewall. If an attacker compromises one segment, they cannot move laterally to others without passing the authentication and authorization checks at every boundary.
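As an added illustration (not code from the page, from NIST SP 800-207 or from any product), the policy logic behind micro-segmentation reduces to a default-deny allowlist keyed on workload segment rather than subnet. The addresses, segment labels, allow rules and flow records below are all constructed for the example; all five workloads deliberately share one /24 so that the subnet tells the enforcement point nothing. The second function shows how the same policy is distributed to each workload's own host firewall instead of a central choke point.

```python
"""Micro-segmentation as a default-deny allowlist between workload segments.

Added example; every address, label and flow here is constructed.
"""
from dataclasses import dataclass
import ipaddress

# Workload inventory: segment label per address. Note that all of them live
# in 10.0.1.0/24, so segmentation cannot come from the subnet.
WORKLOADS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.1.20": "app",
    "10.0.1.30": "db",
    "10.0.1.250": "bastion",
}

# Allowed initiating flows: (source segment, destination segment, proto, dport).
# Enforcement is stateful, so only the initiating direction is listed.
# Anything not listed is denied; there is no "trusted inside".
ALLOW_RULES = {
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
    ("bastion", "web", "tcp", 22),
    ("bastion", "app", "tcp", 22),
    ("bastion", "db", "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(addr: str) -> str:
    """Map an address to its segment; unknown workloads match no rule."""
    ipaddress.ip_address(addr)  # reject malformed input early
    return WORKLOADS.get(addr, "unknown")


def is_allowed(flow: Flow) -> bool:
    key = (segment_of(flow.src), segment_of(flow.dst), flow.proto, flow.dport)
    return key in ALLOW_RULES


def audit(flows) -> list:
    """Return denied flows as log lines; each is a lateral-movement candidate."""
    denied = []
    for f in flows:
        if not is_allowed(f):
            denied.append(
                f"DENY {segment_of(f.src)}({f.src}) -> "
                f"{segment_of(f.dst)}({f.dst}) {f.proto}/{f.dport}"
            )
    return denied


def inbound_rules_for(addr: str) -> list:
    """Accept list a single workload's host firewall should enforce.

    Everything not returned here is dropped on that host, which is how the
    policy is enforced at every boundary rather than at one central device.
    """
    dst_seg = segment_of(addr)
    rules = []
    for src_addr, src_seg in WORKLOADS.items():
        for s, d, proto, port in ALLOW_RULES:
            if s == src_seg and d == dst_seg:
                rules.append((src_addr, proto, port))
    return sorted(rules)


# Constructed flow records, including an attacker on a compromised web server.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", "tcp", 8443),  # web -> app: legitimate
    Flow("10.0.1.20", "10.0.1.30", "tcp", 5432),  # app -> db: legitimate
    Flow("10.0.1.10", "10.0.1.30", "tcp", 5432),  # compromised web -> db: lateral move
    Flow("10.0.1.10", "10.0.1.11", "tcp", 445),   # web -> web SMB: no rule
    Flow("10.0.1.30", "10.0.1.250", "tcp", 22),   # db -> bastion: wrong direction
    Flow("10.0.1.99", "10.0.1.30", "tcp", 5432),  # unregistered host -> db
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
    print("db host accepts only:", inbound_rules_for("10.0.1.30"))
```

The denied lines are exactly what should reach the SIEM: a web server opening a database port is the scenario in the micro-segmentation practice question below, and under this policy it is dropped on the database host itself.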

Identity as the new perimeter

In Zero Trust, identity becomes the primary access control mechanism. The network location of a request matters far less than the verified identity of the user, the health of the device they are using, and whether that combination makes sense given context. A request from a verified identity on a compliant device in a normal location carries more trust than a request from the same identity on an unknown device from an unusual country at 3 AM.

Continuous verification is the mechanism that enforces this. Rather than authenticating once at login and trusting the session indefinitely, Zero Trust systems continuously evaluate risk signals throughout a session. Anomalous behavior, like suddenly downloading large volumes of data, can trigger step-up authentication or session termination without waiting for the session to expire naturally.

Strong authentication, particularly phishing-resistant MFA using hardware tokens or passkeys, is a prerequisite for Zero Trust. If identity is the new perimeter, that perimeter is only as strong as the authentication protecting it.
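The three tenets, identity as the perimeter and continuous verification all come together in the policy decision that runs on every request. The following is an added example written for this page, not code from any product or from NIST SP 800-207: a small policy decision point that weighs identity, device posture, location, resource sensitivity and session behavior, and answers allow, step-up or deny. The signal names, thresholds, ACL entries and the sample session are constructed; in practice the signals come from the IdP, MDM/EDR and session telemetry, and an identity-aware proxy enforces the answer.

```python
"""Risk-based access decision at a Zero Trust policy decision point.

Added example; policy data, thresholds and the sample session are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # re-verify with phishing-resistant MFA before serving
    DENY = "deny"        # refuse, or terminate an already-open session


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group memberships asserted by the IdP
    auth_methods: frozenset    # how this session authenticated, e.g. {"password", "fido2"}
    device_managed: bool       # enrolled in MDM
    device_compliant: bool     # EDR healthy, disk encrypted, patch level current
    country: str
    resource: str
    sensitivity: str           # "low" or "high"
    session_bytes_out: int = 0 # data pulled so far in this session


# Hypothetical policy data.
RESOURCE_ACL = {"wiki": {"staff"}, "hr-records": {"hr"}}
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024
PHISHING_RESISTANT = {"fido2", "passkey"}


def decide(req: Request) -> tuple:
    """Evaluate one request. Called on every request, not once at login."""
    # Least privilege: the identity must be authorized for this specific resource.
    if not (req.groups & RESOURCE_ACL.get(req.resource, set())):
        return Decision.DENY, ["identity not authorized for resource"]

    # Device posture: unmanaged or non-compliant devices get nothing.
    if not req.device_managed:
        return Decision.DENY, ["unmanaged device"]
    if not req.device_compliant:
        return Decision.DENY, ["device fails compliance check"]

    # Behavior: exfiltration-like volume ends the session; more MFA would not help.
    if req.session_bytes_out > EXFIL_THRESHOLD_BYTES:
        return Decision.DENY, ["download volume above baseline"]

    # Context: signals that raise risk without being disqualifying on their own.
    risk = []
    if req.country not in USUAL_COUNTRIES.get(req.user, set()):
        risk.append("unusual location")
    if req.sensitivity == "high":
        risk.append("high-sensitivity resource")

    # Verify explicitly: elevated risk requires phishing-resistant proof.
    if risk and not (req.auth_methods & PHISHING_RESISTANT):
        return Decision.STEP_UP, risk
    return Decision.ALLOW, risk


def walk_session(requests) -> list:
    """Continuous verification: one session, re-decided as its signals change."""
    return [decide(r)[0] for r in requests]


# Constructed session for "bob", an HR user on a managed, compliant laptop.
BOB = dict(user="bob", groups=frozenset({"staff", "hr"}), device_managed=True,
           device_compliant=True, country="US")
SESSION = [
    Request(**BOB, auth_methods=frozenset({"password"}),
            resource="wiki", sensitivity="low"),
    Request(**BOB, auth_methods=frozenset({"password"}),
            resource="hr-records", sensitivity="high"),
    Request(**BOB, auth_methods=frozenset({"password", "fido2"}),
            resource="hr-records", sensitivity="high"),
    Request(**BOB, auth_methods=frozenset({"password", "fido2"}),
            resource="hr-records", sensitivity="high", session_bytes_out=2 * 1024 ** 3),
]

if __name__ == "__main__":
    for r, d in zip(SESSION, walk_session(SESSION)):
        print(f"{r.resource:<10} {sorted(r.auth_methods)} out={r.session_bytes_out:>11} -> {d.value}")
```

The four requests are one login followed by three later requests in the same session: the wiki is allowed on a password alone, the HR records trigger step-up, the same records are allowed once a FIDO2 assertion is present, and a 2 GiB pull mid-session terminates access even though the strong authentication is still valid. That last step is what distinguishes continuous verification from a one-time MFA gate.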

How to choose the correct answer

Zero Trust vs perimeter security: perimeter = trusted inside, untrusted outside. Zero Trust = no implicit trust regardless of location, continuous verification for every access request.

Key Zero Trust controls: identity-based access, device health checks, least privilege, micro-segmentation, continuous monitoring.

Scenario: employee connects from home and accesses internal resources through a VPN, no additional checks. This is perimeter-based, not Zero Trust. Zero Trust would verify identity, device health, and behavioral context for every resource request, regardless of VPN status.

Software Defined Perimeter (SDP) and Identity-Aware Proxy are Zero Trust implementations that can replace traditional VPN: only authenticated, authorized users can reach specific resources, and each request is checked against identity and device posture. To everyone else the resources are not reachable or discoverable at the network level, because the proxy or SDP gateway refuses unauthenticated connections before any application port is exposed.

Key exam facts — Security+ / CISSP

  • Zero Trust principle: never trust, always verify. No implicit trust based on network location.
  • Three tenets: verify explicitly, use least privilege, assume breach.
  • Micro-segmentation: divide network into small zones so lateral movement requires re-authentication.
  • Identity is the primary access control mechanism, not network location.
  • Continuous verification: risk is re-evaluated throughout a session, not just at login.
  • SDP/Identity-Aware Proxy: Zero Trust alternatives to VPN.

Common exam traps

Zero Trust means no one is ever trusted.

Zero Trust means trust is never assumed based on network location alone. Access is granted based on verified identity, device posture, and context. Trust is earned through verification, not assumed based on being inside the firewall.

VPN provides Zero Trust security.

Traditional VPN grants broad network access once connected, which is the opposite of Zero Trust. Zero Trust provides per-resource access based on continuous verification. An SDP or identity-aware proxy is a Zero Trust-aligned alternative to VPN.

Zero Trust is a product you can buy and deploy.

Zero Trust is an architecture and philosophy, not a product. Implementing it requires changes across identity, devices, network segmentation, and application access. Many vendors sell Zero Trust-branded products, but none delivers the full architecture by itself.

Practice questions — Zero Trust

These questions are representative of what you will see on the Security+ and CISSP exams. The correct answer and explanation are shown immediately below each question.

Q1. A company's security policy states that all employees must re-authenticate before accessing sensitive HR data, even if they are already logged into the corporate network. Which Zero Trust principle does this reflect?

A. Assume breach only
B. Verify explicitly with continuous authentication based on resource sensitivity
C. Use legacy perimeter security for internal resources
D. Trust all traffic originating inside the corporate network

Correct answer: B

Explanation: Zero Trust's 'verify explicitly' principle requires authentication and authorization based on all available signals, including the sensitivity of the resource being accessed. Re-authenticating before accessing sensitive data reflects that internal network location alone is not sufficient trust. This is distinct from the perimeter model where being 'inside' grants broad access.

Q2. Which technology is described as a Zero Trust alternative to traditional VPN?

A. SSL/TLS tunnel
B. Software Defined Perimeter (SDP) / Identity-Aware Proxy
C. IPsec VPN with split tunneling
D. Network Access Control (NAC)

Correct answer: B

Explanation: Software Defined Perimeter (SDP) and Identity-Aware Proxy are Zero Trust implementations where resources are unreachable by unauthorized users. Access is granted per resource based on verified identity and device posture, rather than granting broad network access after a VPN connection. Traditional VPN grants network-level access once connected, which violates least privilege. NAC checks a device before admitting it to the network, but once admitted the device still has network-level access, so it does not replace VPN in the Zero Trust sense.

Q3. An attacker compromises a server in a data center that uses micro-segmentation. The attacker attempts to connect to a database server on the same physical network. What does micro-segmentation do?

A. Routes all traffic through a central firewall for inspection
B. Requires the attacker to authenticate and be authorized for each segment boundary, limiting lateral movement
C. Encrypts all traffic between servers to prevent reading data in transit
D. Blocks all east-west traffic between servers

Correct answer: B

Explanation: Micro-segmentation divides the network into small zones where each workload can only communicate with specifically authorized destinations. An attacker who compromises one server must overcome separate authentication and authorization at each segment boundary to move laterally. This limits the blast radius of a compromise. Option D is wrong because legitimate east-west traffic (for example the application tier reaching the database) is still allowed; only unauthorized flows are blocked. Option A describes a choke-point design, whereas micro-segmentation enforces policy at each workload.

Q4. A security architect is evaluating whether a solution aligns with Zero Trust. The solution authenticates users at login and then allows unrestricted access to all internal resources for the duration of their session. Does this align with Zero Trust?

A. Yes, because users are authenticated before getting access
B. No, because Zero Trust requires continuous verification and least-privilege access to individual resources
C. Yes, if the authentication uses MFA
D. No, but only because it lacks encryption

Correct answer: B

Explanation: Zero Trust requires continuous verification, not just authentication at login. The described solution is the perimeter/castle-and-moat model: once inside, everything is trusted. Zero Trust would require re-verification for each resource based on identity, device health, and context, and would grant access only to specifically authorized resources. Option C is a common trap: strong MFA at login does not fix unrestricted access after login.

Q5. Which Zero Trust tenet is reflected when an administrator is granted access to a specific server for a limited time window to perform a maintenance task, then has that access automatically removed?

A. Assume breach
B. Verify explicitly
C. Use least privilege with just-in-time access
D. Micro-segmentation

Correct answer: C

Explanation: Least privilege in Zero Trust goes beyond minimal permissions. It includes just-in-time (JIT) access, where elevated privileges are granted for specific tasks and durations, then revoked automatically. This minimizes the window during which compromised credentials could be exploited. Just-enough-access (JEA), which limits the scope of what an elevated session can do, is a related concept.

Frequently asked questions — Zero Trust

What does 'never trust, always verify' mean in Zero Trust?

It means no access request is automatically trusted based on network location, device type, or time of day. Every request — whether from inside the corporate network or from a home office — must be authenticated and authorized based on current signals: verified user identity, device health/compliance status, location context, and the specific resource being requested. Passing a VPN check is not sufficient.

Is Zero Trust a product or an architecture?

Zero Trust is an architecture and security philosophy, not a product. Implementing Zero Trust requires coordinating multiple technologies: strong identity (MFA, SSO), device management (MDM/EDR), network segmentation (micro-segmentation, SDP), application access controls (identity-aware proxies), and continuous monitoring. Many vendors label products as 'Zero Trust' but no single product implements the full architecture.

What is the difference between Zero Trust and a traditional perimeter security model?

Traditional perimeter security assumes everything inside the network boundary (firewall, VPN) can be trusted. Once you're 'inside', you have broad access. Zero Trust eliminates the concept of a trusted network zone. Access is granted per-resource based on continuous verification of identity, device health, and context — regardless of whether the request originates inside or outside the corporate network.

How is Zero Trust tested on Security+ and CISSP?

Security+ tests the core principles (never trust/always verify, least privilege, assume breach), the distinction from perimeter security, micro-segmentation, and Zero Trust implementation technologies like SDP and identity-aware proxies. CISSP goes deeper on Zero Trust architectures, identity as the control plane, continuous monitoring requirements, and how Zero Trust applies to cloud and hybrid environments.

What is micro-segmentation in Zero Trust?

Micro-segmentation divides a network into small, isolated zones where each workload, application, or service can only communicate with specifically authorized destinations. Unlike traditional network segments (VLANs) that might contain hundreds of servers, micro-segments can be as small as a single workload. If an attacker compromises one segment, they face authentication and authorization barriers at every boundary they try to cross, limiting lateral movement.
