
Zero Trust vs Defence in Depth: What Security+ Expects You to Know

The differences between zero trust architecture and defence-in-depth strategy, why both appear on Security+ SY0-701, and how exam questions frame each concept.


Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva


Both Zero Trust and Defence in Depth are core security strategies tested on the CompTIA Security+ SY0-701 exam. Understanding their differences, overlaps, and how exam questions frame each concept is critical for passing. This post breaks down both models with concrete examples and exam-focused insights.

Defence in Depth: Layers of Protection

Defence in Depth (DiD) is a traditional security model that relies on multiple layers of defence. The idea is that if one layer fails, another catches the threat. Layers include physical controls, network segmentation, endpoint protection, access controls, and administrative policies.

Example: A typical DiD implementation for a web server:

  • Physical security: Locked server room with badge access.
  • Network: Firewall at the perimeter (ACLs restricting inbound traffic to ports 22 and 443 only), IDS/IPS (Snort rules to detect SQL injection).
  • Host: HIDS (OSSEC monitoring file integrity), antivirus (ClamAV), host firewall (iptables).
  • Application: Input validation, parameterized queries.
  • Data: Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Administrative: Principle of least privilege, separation of duties.

The strength is redundancy. A misconfigured firewall won't expose the server if the host firewall and application controls are intact.
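To show the redundancy point in code, here is an added example (not from the original post) that models the network and application layers above as an ordered pipeline of checks over a constructed request. The perimeter ACL, the IDS signature and the application's input validation are simplified stand-ins for the firewall, Snort rule and validation code named in the list; the `disabled` argument simulates a misconfigured layer so you can see the next layer still catch the request.

```python
import re
from dataclasses import dataclass, field

# Constructed model of one inbound HTTP request to the web server.
@dataclass
class Request:
    dst_port: int
    path: str
    params: dict = field(default_factory=dict)

# Layer 1 (network): perimeter ACL that permits only ports 22 and 443.
def perimeter_acl(req: Request) -> bool:
    return req.dst_port in {22, 443}

# Layer 2 (network): IDS signature for a classic tautology / stacked-query SQLi pattern
# (stand-in for a Snort rule; real rules are far more specific).
SQLI_SIG = re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+'?|;\s*drop\s+", re.IGNORECASE)
def ids_inspect(req: Request) -> bool:
    return not any(SQLI_SIG.search(str(v)) for v in req.params.values())

# Layer 3 (application): strict input validation, a user id must be digits only.
def app_validate(req: Request) -> bool:
    uid = req.params.get("id", "")
    return uid.isdigit() and len(uid) <= 10

# Layer 4 (application): parameterized query; the value never becomes SQL text.
def build_query(req: Request) -> tuple:
    return ("SELECT name FROM users WHERE id = ?", (int(req.params["id"]),))

LAYERS = [("perimeter_acl", perimeter_acl),
          ("ids", ids_inspect),
          ("app_validation", app_validate)]

def process(req: Request, disabled: tuple = ()) -> dict:
    """Run the layers in order. 'disabled' names layers that are misconfigured
    (skipped) to show that the remaining layers still block the request."""
    for name, check in LAYERS:
        if name in disabled:
            continue
        if not check(req):
            return {"allowed": False, "blocked_by": name}
    return {"allowed": True, "blocked_by": None, "query": build_query(req)}
```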

Zero Trust: Never Trust, Always Verify

Zero Trust (ZT) assumes no implicit trust based on network location. Every access request must be authenticated, authorized, and encrypted. It's not a single product but a framework built on three pillars: verify explicitly, use least privilege, and assume breach.

Key components:

  • Microsegmentation: Divide the network into small zones (e.g., using VLANs or SDN). Traffic between zones requires explicit policy.
  • Identity-aware proxies: BeyondCorp-style, where access is granted based on user identity and device posture, not IP address.
  • Continuous monitoring: Log every access attempt (e.g., using Syslog to SIEM).

Example: A Zero Trust architecture for remote access:

  • User requests access to internal app via a ZTNA (Zero Trust Network Access) gateway.
  • Gateway checks: user authentication (SAML via Okta), device compliance (CrowdStrike endpoint check), and context (time, location).
  • If passed, a per-session encrypted tunnel is established (e.g., WireGuard) to only the specific app, not the entire network.
  • Session is logged and re-evaluated periodically.
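The gateway checks listed above, worked through as an added example that is not part of the original post: a small policy engine combines identity (the SAML/MFA result), authorization, device posture and context into one decision, grants scope to the single requested app only, logs every decision, and re-evaluates a live session. The posture feed, user groups and app policy are constructed in-line; they stand in for Okta and CrowdStrike and are not those vendors' APIs.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-ins for the IdP result, the endpoint posture feed and
# the per-app policy; none of these is a real vendor API.
DEVICE_POSTURE = {"lt-1001": {"sensor_healthy": True, "disk_encrypted": True},
                  "lt-2002": {"sensor_healthy": False, "disk_encrypted": True}}
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}
APP_POLICY = {"payroll": {"groups": {"finance"}, "countries": {"GB"}, "hours": (8, 18)}}
ACCESS_LOG = []  # every decision is recorded: continuous monitoring

@dataclass
class AccessRequest:
    user: str
    saml_valid: bool      # assertion signature and audience already verified by the IdP
    mfa_verified: bool
    device_id: str
    app: str
    country: str
    at: datetime

def evaluate(req: AccessRequest) -> dict:
    """Policy engine: identity, authorization, device posture and context must all
    pass. A grant is scoped to the one requested app, never the whole network."""
    policy = APP_POLICY.get(req.app)
    posture = DEVICE_POSTURE.get(req.device_id)
    groups = USER_GROUPS.get(req.user, set())
    checks = [
        ("identity", req.saml_valid and req.mfa_verified),
        ("authorization", policy is not None and bool(groups & policy["groups"])),
        ("device_posture", posture is not None and all(posture.values())),
        ("context", policy is not None and req.country in policy["countries"]
                    and policy["hours"][0] <= req.at.hour < policy["hours"][1]),
    ]
    failed = [name for name, ok in checks if not ok]
    decision = {"user": req.user, "device": req.device_id, "app": req.app,
                "allow": not failed, "failed": failed,
                "scope": [req.app] if not failed else []}
    ACCESS_LOG.append(decision)
    return decision

def reevaluate(session: dict, req: AccessRequest) -> dict:
    """Periodic re-check of a live session: a changed posture or context revokes it."""
    fresh = evaluate(req)
    session["active"] = fresh["allow"]
    session["revoked_for"] = fresh["failed"]
    return session
```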

Key Differences for the Exam

Aspect        Defence in Depth                             Zero Trust
-----------   ------------------------------------------   ------------------------------------
Trust model   Trust but verify (inside network trusted)    Never trust, always verify
Network       Perimeter-based, internal segmentation       Microsegmentation, no implicit trust
Focus         Layered controls                             Identity and context-based access
Example       Firewall + AV + IDS                          ZTNA + MFA + device posture check

Security+ SY0-701 expects you to know that DiD is about multiple layers, while ZT is about eliminating implicit trust. They are complementary: DiD can be implemented within a ZT framework.

Exam Tips: What to Watch For

  • Scenario questions: You'll be given a scenario and asked which model best addresses a specific risk. For example: "A company wants to ensure that a compromised internal device cannot access the entire network." Answer: Zero Trust (microsegmentation).
  • Identify components: Know that DiD includes administrative, technical, and physical controls. ZT includes identity provider, policy engine, and policy enforcement point (PEP).
  • Ports and protocols: Not asked directly for these models, but ZT often uses TLS (443), RADIUS (1812/1813), or SAML (via HTTP). DiD might involve SNMP (161) for monitoring or SSH (22) for secure admin.
  • Common distractors: "Defence in Depth replaces Zero Trust" (false; they can coexist). "Zero Trust means no firewalls" (false; firewalls are used for microsegmentation).

Conclusion

Both models are essential for Security+ SY0-701. Defence in Depth provides layered resilience; Zero Trust addresses modern threats where the perimeter is obsolete. Exam questions will test your ability to apply each concept to real-world scenarios. Focus on understanding the "why" behind each model.

Ready to test your knowledge? Try our free practice questions covering Zero Trust and Defence in Depth scenarios — available at [example.com/practice].
