Zero trust is one of the more recent topics added to the Security+ objectives and appears with increasing frequency. The exam tests the core principles, the components, and when you would recommend zero trust over a traditional perimeter model.
The Core Principle
The zero trust model operates on one premise: never trust, always verify.
Traditional security assumed that users and devices inside the network perimeter were trustworthy. Once someone was inside the firewall, they had broad access. Zero trust eliminates this implicit trust. Every user, device, and network request is verified regardless of where it originates — inside or outside the network.
The Three Pillars of Zero Trust
Identity verification — Every user and device must authenticate before gaining access. Multi-factor authentication (MFA) is foundational. Identity is the new perimeter.
Least privilege access — Users and applications receive only the permissions they need for the specific task they are performing. Access is granted per session, not as a standing permission.
Microsegmentation — The network is divided into small zones. Even after authentication, lateral movement between segments requires additional verification. This limits the blast radius of a breach.
Key Components
Policy Decision Point (PDP) — The brain of zero trust. Evaluates access requests against policies and decides whether to grant access.
Policy Enforcement Point (PEP) — The gateway that enforces the PDP's decision. Located between the user and the resource.
Continuous validation — Zero trust does not authenticate once and then trust forever. Sessions are continuously re-evaluated based on device health, location, behaviour, and risk signals.
Zero Trust vs Traditional Perimeter Security
| Traditional | Zero Trust |
|---|---|
| Trust inside the network | Verify everything regardless of location |
| Wide internal network access | Microsegmented, least privilege |
| VPN provides access to everything | Per-application access only |
| Authenticate once at the perimeter | Continuous authentication |
Exam scenario: "An organisation is concerned that a compromised internal account would allow an attacker to move laterally across all systems. Which security model would best address this?"
The answer is zero trust, specifically because of microsegmentation and least privilege — a compromised account can only access what it is authorised to access per the zero trust policy.
Zero Trust and Remote Work
The shift to remote work broke the traditional perimeter model. Users access resources from personal devices, home networks, and cloud services — none of which are inside the corporate perimeter.
Zero trust is the exam answer when:
- The organisation has remote workers accessing cloud resources
- Users access applications from unmanaged devices
- The question mentions eliminating VPN dependency while maintaining security
- The scenario emphasises that internal and external users should be treated the same way
SASE and Zero Trust
SASE (Secure Access Service Edge) is a cloud-delivered security framework that combines zero trust network access (ZTNA) with network security functions such as CASB (cloud access security broker), SWG (secure web gateway), and FWaaS (firewall as a service). The exam sometimes asks which technology combines zero trust with cloud-delivered security — the answer is SASE.
The Exam Trap
Candidates sometimes confuse zero trust with MFA alone. MFA is a component of zero trust, but zero trust is broader — it includes microsegmentation, continuous validation, and least privilege. If a question describes implementing MFA and asks what security model this represents, MFA alone does not constitute zero trust.
"Which principle states that users should only be given access to the resources they need?" — Least privilege (also a zero trust principle, but the specific answer here is least privilege).
Practice Security+ zero trust and access control questions to build confidence with the terminology.
Zero Trust vs Perimeter Security — The Specific Exam Question Pattern
The exam will give you a scenario and ask whether it describes zero trust or traditional perimeter security. Here is the exact wording pattern to watch for.
Traditional perimeter model language in exam questions: "...users inside the corporate network have access to all internal resources," "...the firewall separates trusted internal from untrusted external," "...VPN provides full network access once connected," "...once authenticated to the domain, users can access any file server."
Zero trust language in exam questions: "...all users must authenticate regardless of location," "...access is granted per application, not per network," "...device health is verified before each session," "...users cannot move laterally between systems without re-authentication," "...the company eliminated its VPN and adopted per-app access."
The specific exam trap: A question describes a company where remote employees connect via VPN and can access everything on the internal network once connected. It asks which security model they are using. The answer is traditional perimeter — VPN full network access is explicitly not zero trust. Zero trust would grant access only to the specific applications the user needs, not the whole network.
ZTNA vs Traditional VPN
Traditional VPN: Creates an encrypted tunnel to the corporate network. Once connected, the user is logically "inside" the perimeter. They can reach any resource the network permits — often everything on the internal IP range. This is the "network-level access" model.
ZTNA (Zero Trust Network Access): Grants access only to specific applications, not the entire network. The user never gets visibility into or access to the full network. Each application access is evaluated independently based on identity, device health, location, and other signals. The network itself is invisible to the user.
Why ZTNA is better for remote work: With VPN, a compromised remote device has full internal network access — lateral movement is trivial. With ZTNA, a compromised device can only reach the specific apps it was authorised for. The blast radius of a compromise is dramatically limited.
Exam comparison:
| Traditional VPN | ZTNA |
|---|---|
| Network-level access | Application-level access |
| Trust once connected | Verify every session |
| Full internal network visible | Only authorised apps accessible |
| Hard to limit lateral movement | Lateral movement prevented by design |
The exam question: "An organisation wants to replace their VPN with a solution that grants access only to specific applications based on user identity and device health." The answer is ZTNA.
Conditional Access Policies — The Azure AD Implementation
Conditional access is the practical implementation of zero trust access control in Microsoft environments. It evaluates signals about the user, device, and session and decides whether to grant access, require MFA, or block.
Signals evaluated:
- User identity and group membership
- Device compliance (is this device managed and compliant with policy?)
- Location (is the user in a trusted location or unusual geography?)
- Application being accessed (different policies for high-sensitivity apps)
- Sign-in risk (is this session flagged as suspicious by Microsoft's risk engine?)
Policy outcomes:
- Grant access
- Grant access with conditions (require MFA, require compliant device)
- Block access entirely
Exam-relevant detail: Conditional access policies implement "never trust, always verify" at the authentication layer. A user on a managed, compliant device in the office may get seamless access. The same user on a personal unmanaged device from an unusual location may face MFA challenges or be blocked from sensitive applications. This is contextual access control — a core zero trust concept.
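To make the PDP/PEP split and the conditional access signals above concrete, here is an added example (not code from the page, and not Microsoft's engine): a toy Policy Decision Point that turns the listed signals into grant / grant-with-MFA / block, and a Policy Enforcement Point that applies it. The app names, group names and the policy table are constructed for the demo.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    GRANT = "grant"                    # seamless access
    GRANT_WITH_MFA = "grant_with_mfa"  # access only after an MFA challenge
    BLOCK = "block"

@dataclass
class Signals:
    """Signals the PDP evaluates for one access request (constructed fields)."""
    user: str
    groups: frozenset
    device_compliant: bool       # managed and compliant with device policy?
    trusted_location: bool       # known office location vs unusual geography?
    app: str
    sign_in_risk: str            # "low" | "medium" | "high" (risk engine verdict)
    mfa_satisfied: bool = False  # has MFA already been completed this session?

# Constructed per-application policy: who may use the app and how sensitive it is.
APP_POLICY = {
    "hr-payroll":    {"allowed_groups": {"hr", "finance"}, "sensitive": True},
    "intranet-wiki": {"allowed_groups": {"all-staff"},     "sensitive": False},
}

def pdp_evaluate(s: Signals) -> Decision:
    """Policy Decision Point: returns grant / grant-with-conditions / block."""
    policy = APP_POLICY.get(s.app)
    if policy is None:
        return Decision.BLOCK                      # unknown app: default deny
    if not (s.groups & policy["allowed_groups"]):
        return Decision.BLOCK                      # least privilege: not entitled
    if s.sign_in_risk == "high":
        return Decision.BLOCK                      # risky session is never granted
    if policy["sensitive"] and not s.device_compliant:
        return Decision.BLOCK                      # sensitive app needs a compliant device
    needs_mfa = (policy["sensitive"] or not s.trusted_location
                 or not s.device_compliant or s.sign_in_risk == "medium")
    if needs_mfa and not s.mfa_satisfied:
        return Decision.GRANT_WITH_MFA
    return Decision.GRANT

def pep_enforce(s: Signals) -> str:
    """Policy Enforcement Point: applies the PDP decision in front of the app."""
    decision = pdp_evaluate(s)
    if decision is Decision.GRANT:
        return f"forward {s.user} -> {s.app}"
    if decision is Decision.GRANT_WITH_MFA:
        return f"challenge {s.user} for MFA before {s.app}"
    return f"deny {s.user} -> {s.app}"
```

The same user gets a different outcome per request: a compliant device in the office reaches the wiki with no prompt, while an unmanaged device from an unusual location is challenged for the wiki and blocked outright from payroll.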
Software-Defined Perimeter
SDP is an architecture that makes network infrastructure invisible to unauthorised users. In a traditional network, any device that connects to the network can attempt to reach any IP address (even if authentication is required). In SDP, the network resources are not even visible until the client is verified.
How SDP works: The client first contacts a controller (the SDP controller), which verifies identity, device posture, and policy. Only after successful verification does the controller direct the client to the specific gateway that provides access to the specific resource. To an attacker scanning the network, there is nothing to find — the gateways and resources are invisible.
SDP in exam context: When a question describes an architecture where resources are "hidden from unauthorised users" or "not visible on the network before authentication," that is SDP. It often appears alongside ZTNA questions because the goals are similar.
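The controller-then-gateway flow described above, as an added simulation (not code from the page or from any SDP product): the controller checks identity, posture and policy and issues a short-lived grant scoped to one resource; the gateway answers only packets carrying a valid grant and silently drops everything else, which is what makes it invisible to a scan. The HMAC shared key, client names and policy table are constructed stand-ins for the controller-gateway trust relationship.

```python
import hashlib
import hmac
import time

# Constructed demo key shared by controller and gateway (assumption: provisioned out of band).
SHARED_KEY = b"demo-controller-gateway-key"

# Constructed controller policy: which verified client may reach which resource.
POLICY = {"alice-laptop": {"payroll-app"}}

def _tag(client_id, resource, expires):
    msg = f"{client_id}|{resource}|{expires}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()

def controller_authorize(client_id, posture_ok, resource, now=None):
    """SDP controller: verify identity, device posture and policy; return a grant or None."""
    now = int(now if now is not None else time.time())
    if not posture_ok or resource not in POLICY.get(client_id, set()):
        return None                       # fail closed: no grant, so no path to the gateway
    expires = now + 60                    # short-lived: access is per session, not standing
    return {"client": client_id, "resource": resource,
            "expires": expires, "tag": _tag(client_id, resource, expires)}

def gateway_handle(packet, now=None):
    """SDP gateway: respond only to a valid, unexpired grant for the requested resource.
    Returning None models a silent drop; a scanner gets no reply at all."""
    now = int(now if now is not None else time.time())
    grant = packet.get("grant")
    if not grant:
        return None                       # unauthenticated probe: drop, do not even reject
    expected = _tag(grant["client"], grant["resource"], grant["expires"])
    if not hmac.compare_digest(expected, grant["tag"]):
        return None                       # forged or tampered grant
    if now > grant["expires"] or packet.get("resource") != grant["resource"]:
        return None                       # expired, or trying to reuse the grant elsewhere
    return f"200 OK from {grant['resource']}"
```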
Zero Trust Architecture Exam Scenario
Scenario: Meridian Financial has 800 employees who moved to fully remote work. Previously, all employees connected to a VPN and had access to all internal servers. The security team found that three separate ransomware incidents over 18 months all involved lateral movement from an initially compromised endpoint. The CISO wants to implement a security architecture where compromising a single endpoint cannot lead to broad network access.
What should the security team implement?
A) Stronger VPN authentication with hardware tokens
B) Network segmentation using VLANs across all internal subnets
C) Zero trust network access with per-application access control and continuous device health verification
D) Enhanced endpoint antivirus on all remote devices
Correct answer: C
Why A is wrong: Stronger VPN authentication still grants network-level access once authenticated. The problem is what happens after authentication — a compromised endpoint with valid credentials still has broad internal access. Better authentication at the front door does not limit what an attacker can do once inside.
Why B is wrong: VLAN segmentation is a partial improvement — it limits lateral movement between segments. But within a segment, movement is still unrestricted. VLAN segmentation is a perimeter-model control, not a zero trust control. It also does not address remote access at all.
Why C is correct: ZTNA grants access per application based on continuous verification. A compromised endpoint has access only to the specific applications that device's credentials are authorised for — and that access is continuously re-evaluated. The lateral movement that enabled those three ransomware incidents requires network-level access that ZTNA specifically eliminates.
Why D is wrong: Endpoint antivirus reduces the chance of initial compromise but does nothing for the blast radius problem. Once an endpoint is compromised (which does still happen regardless of antivirus), the lateral movement problem remains if the network grants broad access.
Implementation Challenges — Why Legacy Systems Complicate Zero Trust
Zero trust is architecturally straightforward but operationally difficult. The primary obstacle in most organisations is legacy systems.
Legacy systems without modern authentication: A 15-year-old industrial control system or a custom line-of-business application may only support NTLM authentication or fixed service account credentials — it cannot participate in a modern identity-based access control scheme. Zero trust requires the ability to verify identity per request; systems that cannot do that create gaps.
Implicit trust dependencies: Many legacy applications assume they are running in a trusted internal network and communicate with each other without authentication. Microsegmenting these applications can break them because they were designed assuming every other internal system is trusted.
The practical approach: Organisations adopt zero trust incrementally. Start with identity and MFA (quick win, high impact). Then implement per-app ZTNA for external access. Then microsegment the network. Legacy systems often end up isolated in their own segment with stricter monitoring as a compensating control.
Exam context: A question asking "what is the biggest challenge to implementing zero trust in an organisation with 20-year-old legacy applications?" — the answer relates to legacy systems' inability to support modern authentication or the implicit trust assumptions baked into their design.