Question 160 of 1,152
General Security Concepts · Hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is zero trust, because the proposed access model continuously evaluates access rather than trusting a device solely because it is on the VPN. This aligns with the core zero trust principle of “never trust, always verify,” where every request—regardless of network location—must be authenticated and authorized based on real-time conditions like device posture and user identity. On the Security+ SY0-701 exam, this concept often appears in scenario-based questions contrasting zero trust with least privilege; the common trap is confusing the two, since least privilege focuses on limiting permissions to only what’s needed, while zero trust eliminates implicit trust from network location. Remember the key difference: zero trust is about *who* and *how* you verify access continuously, whereas least privilege is about *what* access you grant. A helpful memory tip is “Zero trust checks the door every time; least privilege limits what’s inside the room.”

SY0-701 General Security Concepts Practice Question

This SY0-701 practice question tests your understanding of general security concepts. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Current access model:
- Any laptop on the corporate VPN can reach 10.8.40.15:443.
- The VPN checks device compliance only when the tunnel is created.
- After login, the session remains valid for 12 hours.
- Users can access the finance app from any managed or unmanaged device once connected.

Security proposal:
- Reevaluate device posture before each sensitive transaction.
- Grant only application-specific access, not subnet-wide access.
- Require MFA again if device risk changes during the session.

Based on the exhibit, which security principle is the proposed access model most aligned with?

Correct answer & explanation

Zero trust, because access is continuously evaluated instead of trusted just because the device is on the VPN.

The proposed access model aligns with Zero Trust because it continuously evaluates access based on real-time conditions (e.g., device posture, user identity) rather than implicitly trusting the VPN connection. In Zero Trust, network location alone is insufficient for granting access; every request is authenticated and authorized regardless of the source. This contrasts with traditional perimeter-based models where VPN access implies trust.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Least privilege, because users are being limited to only the finance application they need.

    Why it's wrong here

    Least privilege is part of the proposal, but it does not fully capture the repeated trust checks and dynamic access decisions. The exhibit emphasizes that device posture, session risk, and authentication state are continuously reconsidered. That behavior goes beyond simple permission reduction and reflects an architecture that assumes no implicit trust from network location or initial login.

  • Zero trust, because access is continuously evaluated instead of trusted just because the device is on the VPN.

    Why this is correct

    Zero trust is the best answer because the proposal removes implicit trust based on VPN membership or internal network location. Instead, access is evaluated repeatedly using device posture, MFA, and transaction context. That means the environment assumes every request may be risky until verified, which is the core idea behind zero trust architecture and conditional access.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Defense in depth, because the company is adding multiple security layers around the finance app.

    Why it's wrong here

    Defense in depth does involve multiple layers, and this design certainly uses them. However, the central idea in the exhibit is not just layering controls; it is refusing to trust the session simply because it started on a managed network. The repeated validation and per-request access decisions are what make zero trust the better fit.

  • Need-to-know, because users should only see the finance data required for their jobs.

    Why it's wrong here

    Need-to-know limits information exposure, but the proposal is focused on when and how access is granted, especially after device risk changes. The issue is not just data visibility; it is the assumption of trust after VPN login. Continuous revalidation of identity and device state is a zero trust concept, not merely a need-to-know rule.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates confuse Zero Trust with least privilege or need-to-know, but Zero Trust specifically addresses the assumption of implicit trust based on network location (e.g., VPN), which is the key differentiator in this scenario.

Detailed technical explanation

How to think about this question

Zero Trust architectures often leverage the NIST SP 800-207 framework, which mandates that all resources be accessed via a policy decision point (PDP) that evaluates attributes like device health, user role, and geolocation. In practice, this is implemented with micro-segmentation and identity-aware proxies (e.g., Zscaler, Cloudflare Access) that enforce per-session authentication, even for users already on a VPN. A subtle behavior is that Zero Trust can still use VPNs for transport, but the VPN itself is not trusted—access decisions are made at the application layer, not the network layer.
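The per-request decision described above, written out as an added example (not code from the original page or from any vendor's product). It contrasts the exhibit's current VPN model with the proposed one; the field names, the decision strings and the way a risk change is detected are assumptions made for illustration.

```python
from dataclasses import dataclass

FINANCE_APP = "finance-app"   # hypothetical application identifier
SESSION_TTL_HOURS = 12        # session lifetime from the exhibit's current model

@dataclass
class Request:
    user: str
    app: str                  # application being requested
    sensitive: bool           # True for a sensitive transaction
    on_vpn: bool
    session_age_hours: float
    device_compliant: bool    # posture measured now, not at tunnel creation
    risk_at_last_mfa: str     # device risk level when MFA was last passed
    risk_now: str             # current device risk level
    entitlements: frozenset   # applications this user is granted

def legacy_vpn_decision(req):
    """Current model: trust follows network location and session age."""
    if req.on_vpn and req.session_age_hours < SESSION_TTL_HOURS:
        return "allow"
    return "deny"

def zero_trust_decision(req):
    """Proposed model: each request is judged on current attributes.
    on_vpn is deliberately not consulted."""
    # Application-specific access, not subnet-wide reachability.
    if req.app not in req.entitlements:
        return "deny"
    # Posture is re-checked before each sensitive transaction.
    if req.sensitive and not req.device_compliant:
        return "deny"
    # Device risk changed during the session: require MFA again.
    if req.risk_now != req.risk_at_last_mfa:
        return "step_up_mfa"
    return "allow"

def sample_request(**overrides):
    """Constructed sample: 3 hours into a VPN session from a healthy device."""
    base = dict(user="alice", app=FINANCE_APP, sensitive=True, on_vpn=True,
                session_age_hours=3.0, device_compliant=True,
                risk_at_last_mfa="low", risk_now="low",
                entitlements=frozenset({FINANCE_APP}))
    base.update(overrides)
    return Request(**base)

if __name__ == "__main__":
    drifted = sample_request(device_compliant=False)  # posture lapsed mid-session
    print(legacy_vpn_decision(drifted), zero_trust_decision(drifted))
```

A device that falls out of compliance three hours into the session is still allowed by the legacy check and denied by the per-request check, which is the gap the exhibit's proposal closes.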

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this SY0-701 question test?

This question tests General Security Concepts. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Zero trust, because access is continuously evaluated instead of trusted just because the device is on the VPN. — The proposed access model aligns with Zero Trust because it continuously evaluates access based on real-time conditions (e.g., device posture, user identity) rather than implicitly trusting the VPN connection. In Zero Trust, network location alone is insufficient for granting access; every request is authenticated and authorized regardless of the source. This contrasts with traditional perimeter-based models where VPN access implies trust.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026
