This chapter covers Zero Trust Network Architecture, a security model that eliminates implicit trust and requires continuous verification of every access request. For the CompTIA Network+ N10-009 exam, Zero Trust appears under Domain 4.0 Network Security, specifically Objective 4.2 (Explain the importance of physical security and other security controls). Approximately 5-10% of exam questions touch on Zero Trust concepts, often as part of broader security architecture questions. Understanding Zero Trust is critical because it represents a paradigm shift from perimeter-based security to a data-centric, identity-driven model that modern enterprises are adopting.
Jump to a section
Zero Trust Architecture is like a high-security embassy in a hostile city. The embassy does not trust any person, vehicle, or device just because it is inside the embassy compound (the network). Every individual must present identification at every door, not just the main gate. The embassy has a central policy office (the policy engine) that maintains a list of approved personnel, their clearances, and current threat level. When an employee enters the lobby, the guard (policy enforcement point) checks the employee's badge and biometrics against the central database. The guard does not assume the employee is safe because they passed the first checkpoint; instead, the guard requests a real-time authorization token for each specific door they wish to enter. If the employee is cleared, the guard opens the door and logs the access. This process repeats for every internal door, every office, and every file cabinet. Inside the embassy, all communication is encrypted and monitored. If an employee's badge is stolen, the central policy office revokes that badge instantly, and the guard denies access at the next door. This mirrors Zero Trust because trust is never inherited from the network location; every access request is authenticated, authorized, and encrypted, regardless of whether the user is inside or outside the perimeter.
What is Zero Trust Network Architecture?
Zero Trust Network Architecture (ZTNA) is a security framework that assumes no user, device, or network is inherently trustworthy, regardless of its location relative to the network perimeter. The core principle is 'never trust, always verify.' This contrasts with traditional castle-and-moat security, where internal network access is implicitly trusted once a user is inside the corporate firewall.
ZTNA is defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-207, 'Zero Trust Architecture.' The document outlines seven core principles:
All data sources and computing services are considered resources.
All communication is secured regardless of network location.
Access to individual enterprise resources is granted on a per-session basis.
Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
How Zero Trust Works Internally
Zero Trust operates through a logical architecture composed of three main components: - Policy Engine (PE): The brain that makes access decisions based on policy and external data sources (e.g., threat intelligence, identity management). - Policy Administrator (PA): Executes the decision by generating session tokens or credentials and communicating with the Policy Enforcement Point. - Policy Enforcement Point (PEP): The gateway that intercepts, inspects, and enforces policy on every request. This can be a software agent, a network device, or a cloud gateway.
When a user requests access to a resource, the PEP sends the request to the PA, which consults the PE. The PE evaluates the request against policy, considering attributes like:
User identity and role (e.g., via LDAP, Active Directory)
Device health (e.g., antivirus status, patch level)
Location (e.g., IP address, geolocation)
Time of day
Sensitivity of the resource
Behavioral anomalies (e.g., unusual access patterns)
If the PE grants access, the PA issues a temporary, session-specific token to the user's device. The PEP then allows the connection, often using micro-segmentation to restrict lateral movement. The connection is encrypted (typically TLS 1.3), and every packet is inspected.
Key Components, Values, Defaults, and Timers
NIST SP 800-207: The foundational reference for Zero Trust. It defines the logical components and deployment models.
Micro-segmentation: Divides the network into small, isolated zones. Each zone has its own security policies. Default deny is enforced between zones.
Least privilege access: Users and devices are granted only the permissions necessary to perform their tasks. No default access to any resource.
Continuous monitoring: All traffic is logged and analyzed. Anomalies trigger re-authentication or session termination.
Session timeouts: Access tokens have short lifetimes, often 15-30 minutes. After expiry, the user must re-authenticate.
Multi-factor authentication (MFA): Required for every session, not just initial login.
Device posture check: Before granting access, the device must meet security baselines (e.g., OS version, firewall enabled, disk encryption active).
Configuration and Verification Commands
While Zero Trust is a framework, many vendors implement it via software-defined perimeters (SDP) or cloud access security brokers (CASB). For example, using a Zero Trust platform like Zscaler or Cloudflare Access, configuration might involve:
# Example: Cloudflare Access policy configuration via API
curl -X POST https://api.cloudflare.com/client/v4/accounts/{account_id}/access/policies \
-H "Authorization: Bearer {token}" \
-d '{
"name": "Finance App Policy",
"decision": "allow",
"include": [{"email_domain": {"domain": "company.com"}}],
"require": [{"any": [
{"mfa": {}},
{"device_posture": {"integration_uid": "device-uuid"}}
]}]
}'Verification involves checking logs and session status:
# View access logs for a specific user
zcli logs access --email user@company.com
# Check active sessions
zcli sessions listInteraction with Related Technologies
Zero Trust integrates with: - Identity and Access Management (IAM): Provides user identity and roles. - Security Information and Event Management (SIEM): Feeds threat intelligence into the Policy Engine. - Endpoint Detection and Response (EDR): Provides device health and posture data. - Software-Defined Networking (SDN): Enables micro-segmentation by dynamically programming network policies. - TLS/SSL: Encrypts all communications between user and resource. - VPN: Traditional VPNs are often replaced by ZTNA because VPNs grant broad network access, violating the least privilege principle.
Exam-Relevant Details
N10-009 tests the conceptual understanding of Zero Trust, not vendor-specific implementations.
Be able to contrast Zero Trust with the traditional perimeter model.
Know the three core components (PE, PA, PEP) and their roles.
Understand that Zero Trust is not a single product but an architecture.
Recognize that micro-segmentation and least privilege are key enablers.
Common exam scenario: A company wants to reduce lateral movement after a breach; Zero Trust with micro-segmentation is the answer.
Trap: The exam may present a scenario where a firewall is placed at the network edge but internal traffic is unrestricted. This is NOT Zero Trust. The correct answer will involve per-request authentication and authorization.
Numbers: NIST SP 800-207 is the standard. Session tokens last minutes, not hours. MFA is required every time.
Advanced: Policy Engine Decision Process
The PE uses a trust algorithm that combines multiple attributes into a confidence score. For example:
Trust Score = (Identity Confidence * 0.4) + (Device Health * 0.3) + (Behavioral Score * 0.2) + (Location Score * 0.1)If the trust score exceeds a threshold (e.g., 75), access is granted. If below, additional authentication is required or access is denied. This dynamic scoring allows for adaptive policies.
Deployment Models
NIST SP 800-207 describes three deployment models: 1. Agent-based: A software agent on the device enforces policy. 2. Gateway-based: A network gateway (e.g., reverse proxy) intercepts traffic. 3. Hybrid: Combination of both.
For N10-009, you should know that Zero Trust can be implemented on-premises, in the cloud, or hybrid, and that it does not rely on network location.
Common Misconfigurations
Overly permissive policies: Granting access to an entire subnet instead of specific resources. This breaks micro-segmentation.
Long session timeouts: Tokens lasting hours defeat the purpose of continuous verification.
Ignoring device posture: Allowing access from outdated or compromised devices.
Not logging and monitoring: Without analytics, you cannot detect anomalies.
Summary
Zero Trust is a fundamental shift from 'trust but verify' to 'never trust, always verify.' It requires strong identity management, device health checks, micro-segmentation, and continuous monitoring. For the exam, focus on the principles and components, not vendor products.
User Requests Resource Access
A user on a device attempts to access a protected application or data. The request is intercepted by the Policy Enforcement Point (PEP), which could be a software agent on the device, a cloud gateway, or a network appliance. The PEP does not forward the request until it receives authorization. The PEP captures attributes: user identity, device IP, device health status, time, and requested resource. The PEP then sends an authorization request to the Policy Administrator (PA). At this stage, no trust is assumed; the user is not yet allowed to communicate with the resource.
Policy Engine Evaluates Request
The PA forwards the request to the Policy Engine (PE). The PE evaluates the request against a dynamic policy that includes identity, device posture, location, and behavioral analytics. For example, the PE checks if the user has MFA enabled, if the device's antivirus is up-to-date, and if the request comes from a known IP range. The PE may also query external systems like a SIEM for threat intelligence. The PE computes a trust score. If the score meets the threshold, the PE grants access; otherwise, it denies or requests additional authentication. The decision is sent back to the PA.
Policy Administrator Issues Token
If the PE approves, the PA generates a temporary, session-specific token. The token is cryptographically signed and includes attributes like user ID, resource ID, expiration time (typically 15-30 minutes), and allowed actions. The PA sends this token to the user's device via the PEP. The token is unique to this session and cannot be reused for other resources. The PA also configures the PEP to allow traffic matching the token. For example, the PEP opens a specific port for the user's IP for the duration of the session. The PA logs the authorization event.
PEP Allows Encrypted Connection
The user's device presents the token to the PEP. The PEP validates the token's signature and expiration. If valid, the PEP establishes an encrypted tunnel (e.g., TLS 1.3) between the device and the resource. The PEP enforces micro-segmentation by allowing only the specific resource requested, not the entire subnet. All traffic through the tunnel is inspected for anomalies. The PEP logs all packets for auditing. The connection is now active, but the PEP continuously monitors the session for policy violations.
Continuous Monitoring and Re-Authentication
The PEP and PA continuously monitor the session. If the user's behavior changes (e.g., accessing unusual files), the PEP may trigger a re-authentication. The token expires after the timeout, requiring a new authorization request. If the device posture changes (e.g., antivirus disabled), the PE can revoke the session mid-stream. The PEP terminates the connection and alerts the security team. This continuous verification ensures that even if a token is stolen, the attacker cannot maintain access indefinitely.
Enterprise Scenario 1: Remote Workforce Access
A global financial services firm with 10,000 remote employees previously used a VPN to grant access to internal applications. After a breach where an attacker used stolen VPN credentials to move laterally, the firm adopted a Zero Trust architecture using a cloud-based SDP. They deployed an agent on every corporate laptop that checks device posture (OS patches, disk encryption, firewall status). The agent intercepts all application requests and sends them to a cloud gateway (PEP). The gateway authenticates via Azure AD and requires MFA for every session. The policy engine evaluates device health, user role, and geolocation. For example, a finance manager accessing the ERP system from a coffee shop in a high-risk country must also pass a biometric step. The company reduced lateral movement by 95% and eliminated VPN infrastructure. Misconfiguration: Initially, they set session timeouts to 8 hours to reduce user friction, but this led to token theft. They reduced it to 30 minutes with automatic re-authentication.
Enterprise Scenario 2: Multi-Cloud Environment
A media streaming company runs workloads on AWS, Azure, and on-premises. They need to allow developers to access production databases only during specific maintenance windows and only from approved jump boxes. They implemented Zero Trust using a gateway-based model with a reverse proxy. The policy engine integrates with their internal IAM and CMDB. When a developer requests SSH access to a database, the PEP (a load balancer) intercepts the request. The PE checks if the developer is on-call, if the request is within the maintenance window, and if the source IP matches a jump box. Access is granted for 15 minutes with a one-time SSH key. All commands are logged. This prevents unauthorized access even from within the corporate network. Common pitfall: Engineers often try to use traditional network ACLs, but they are too static; Zero Trust policies are dynamic and session-specific.
Performance and Scale Considerations
Zero Trust introduces latency due to per-request authentication. To mitigate, policies are cached at the PEP for a short time (e.g., 60 seconds). For high-throughput applications (e.g., video streaming), the PEP must be able to handle millions of concurrent sessions. Cloud-based SDPs auto-scale, but on-premises gateways require careful capacity planning. Misconfigured timeouts can cause excessive re-authentication, degrading user experience. Best practice: Use adaptive policies that reduce friction for low-risk requests (e.g., internal network) and increase for high-risk.
Exactly What N10-009 Tests on Zero Trust
The exam focuses on conceptual understanding under Objective 4.2 (Explain the importance of physical security and other security controls). Zero Trust is listed under 'other security controls' alongside concepts like segmentation and least privilege. Expect 1-3 questions that ask you to identify Zero Trust characteristics or contrast it with traditional security.
Common Wrong Answers and Why Candidates Choose Them
'Zero Trust means no passwords.' Candidates confuse Zero Trust with passwordless authentication. Reality: Zero Trust uses MFA, which may include passwords, but the core is continuous verification, not elimination of passwords.
'Zero Trust is a firewall.' Candidates think of a next-gen firewall as a Zero Trust solution. Reality: Firewalls are part of a defense-in-depth strategy, but Zero Trust is an architecture that goes beyond network perimeters.
'Zero Trust trusts internal users once authenticated.' This is the traditional model. In Zero Trust, even authenticated users are re-verified for every resource.
'Zero Trust requires a VPN.' Actually, Zero Trust often replaces VPNs because VPNs grant broad network access.
Specific Numbers and Terms That Appear on the Exam
NIST SP 800-207: The standard document.
Micro-segmentation: The technique of dividing the network into small zones.
Least privilege: Granting minimal access.
Policy Engine (PE): Makes decisions.
Policy Enforcement Point (PEP): Enforces decisions.
Continuous monitoring: Always watching.
Session-based access: Tokens per session.
Edge Cases and Exceptions
Legacy systems: Zero Trust can be hard to implement with applications that don't support modern authentication. The exam may ask about compensating controls like an API gateway.
BYOD: Devices not managed by the enterprise require agentless Zero Trust via browser-based access.
Internal threats: Zero Trust is effective against internal threats because it does not trust any user implicitly.
How to Eliminate Wrong Answers
If the answer says 'trust after authentication,' it's wrong. Zero Trust requires continuous verification.
If the answer mentions 'network perimeter,' it's likely traditional security, not Zero Trust.
If the answer says 'implicit trust for internal users,' eliminate it.
Look for keywords: per-session, micro-segmentation, least privilege, dynamic policy.
Zero Trust architecture is defined by NIST SP 800-207.
Core principle: 'never trust, always verify' – no implicit trust based on network location.
Three main components: Policy Engine (PE), Policy Administrator (PA), Policy Enforcement Point (PEP).
Access is granted per session with short-lived tokens (15-30 minutes typical).
Micro-segmentation isolates resources to prevent lateral movement.
Continuous monitoring and re-authentication are required throughout the session.
Zero Trust replaces VPNs by providing application-level access instead of network-level access.
Multi-factor authentication (MFA) is required for every session, not just initial login.
Device posture checks (e.g., antivirus, patch level) are part of the access decision.
Zero Trust is an architecture, not a single product – it integrates IAM, EDR, SIEM, and SDN.
These come up on the exam all the time. Here's how to tell them apart.
Traditional Perimeter Security
Trusts users once inside the network
Relies on network location for access decisions
Broad network access via VPN or VLAN
Static firewall rules based on IP/port
Assumes internal network is safe
Zero Trust Architecture
Never trusts any user or device by default
Access decisions based on identity, device, and context
Per-session, least-privilege access to specific resources
Dynamic policy engine with continuous evaluation
Assumes network is hostile, internal and external
Mistake
Zero Trust means no trust at all, so users can't access anything.
Correct
Zero Trust does not eliminate access; it eliminates implicit trust. Access is granted after verification, not before. Users still access resources, but only after proving identity and meeting policy requirements.
Mistake
Zero Trust is a single product you can buy.
Correct
Zero Trust is an architectural framework, not a product. It requires multiple technologies (IAM, MFA, micro-segmentation, monitoring) working together. Vendors offer Zero Trust solutions, but they are implementations of the framework.
Mistake
Zero Trust only applies to cloud environments.
Correct
Zero Trust can be implemented on-premises, in the cloud, or hybrid. The principles apply regardless of location. NIST SP 800-207 covers various deployment models including on-premises data centers.
Mistake
Zero Trust is the same as network segmentation.
Correct
Network segmentation is a component of Zero Trust, but Zero Trust is broader. It includes identity, device health, and continuous monitoring. Segmentation alone without per-request authentication is not Zero Trust.
Mistake
Zero Trust eliminates the need for firewalls.
Correct
Firewalls can still be used as part of a defense-in-depth strategy, but they are not the primary enforcement point. In Zero Trust, the PEP (which could be a firewall) enforces policy, but the decision is made by the PE.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Zero Trust is a security model that trusts no one by default, even if they are inside the corporate network. Every access request must be authenticated, authorized, and encrypted. Think of it as a building where you need to show ID at every door, not just the front entrance. For the exam, remember it eliminates implicit trust and uses continuous verification.
Traditional security trusts users once they are inside the network (castle-and-moat). Zero Trust assumes the network is always hostile and verifies every request regardless of location. The exam contrasts these: perimeter security uses firewalls at the edge, while Zero Trust uses micro-segmentation and per-session access.
The three main components are: Policy Engine (PE) that makes access decisions, Policy Administrator (PA) that issues tokens, and Policy Enforcement Point (PEP) that enforces policies. Know these for the exam – they appear in NIST SP 800-207.
No, Zero Trust often replaces VPNs. VPNs grant broad network access, which violates the least privilege principle. Zero Trust provides application-level access via encrypted tunnels. The exam may test this distinction.
Micro-segmentation divides the network into small, isolated zones. Each zone has its own security policies, and traffic between zones is denied by default. This prevents lateral movement if an attacker breaches one zone. It's a key exam concept.
Before granting access, the Policy Engine checks the device's posture: OS version, antivirus status, disk encryption, etc. If the device is compromised, access is denied or restricted. This is part of the continuous monitoring requirement.
The PEP intercepts all access requests and enforces the decision from the Policy Administrator. It can be a software agent, a cloud gateway, or a network appliance. It logs all traffic and can terminate sessions if policy is violated.
You've just covered Zero Trust Network Architecture — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?