The answer is zero trust, because the proposed access model continuously evaluates access rather than trusting a device solely because it is on the VPN. This aligns with the core zero trust principle of “never trust, always verify,” where every request—regardless of network location—must be authenticated and authorized based on real-time conditions like device posture and user identity. On the Security+ SY0-701 exam, this concept often appears in scenario-based questions contrasting zero trust with least privilege; the common trap is confusing the two, since least privilege focuses on limiting permissions to only what’s needed, while zero trust eliminates implicit trust from network location. Remember the key difference: zero trust is about *who* and *how* you verify access continuously, whereas least privilege is about *what* access you grant. A helpful memory tip is “Zero trust checks the door every time; least privilege limits what’s inside the room.”
SY0-701 General Security Concepts Practice Question
This SY0-701 practice question tests your understanding of general security concepts. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Current access model:
- Any laptop on the corporate VPN can reach 10.8.40.15:443.
- The VPN checks device compliance only when the tunnel is created.
- After login, the session remains valid for 12 hours.
- Users can access the finance app from any managed or unmanaged device once connected.
Security proposal:
- Reevaluate device posture before each sensitive transaction.
- Grant only application-specific access, not subnet-wide access.
- Require MFA again if device risk changes during the session.
Based on the exhibit, which security principle is the proposed access model most aligned with?
A
Least privilege, because users are being limited to only the finance application they need.
Why wrong: Least privilege is part of the proposal, but it does not fully capture the repeated trust checks and dynamic access decisions. The exhibit emphasizes that device posture, session risk, and authentication state are continuously reconsidered. That behavior goes beyond simple permission reduction and reflects an architecture that assumes no implicit trust from network location or initial login.
B
Zero trust, because access is continuously evaluated instead of trusted just because the device is on the VPN.
Why correct: Zero trust is the best answer because the proposal removes implicit trust based on VPN membership or internal network location. Instead, access is evaluated repeatedly using device posture, MFA, and transaction context. That means the environment assumes every request may be risky until verified, which is the core idea behind zero trust architecture and conditional access.
C
Defense in depth, because the company is adding multiple security layers around the finance app.
Why wrong: Defense in depth does involve multiple layers, and this design certainly uses them. However, the central idea in the exhibit is not just layering controls; it is refusing to trust the session simply because it started on a managed network. The repeated validation and per-request access decisions are what make zero trust the better fit.
D
Need-to-know, because users should only see the finance data required for their jobs.
Why wrong: Need-to-know limits information exposure, but the proposal is focused on when and how access is granted, especially after device risk changes. The issue is not just data visibility; it is the assumption of trust after VPN login. Continuous revalidation of identity and device state is a zero trust concept, not merely a need-to-know rule.
Correct answer & explanation
✓
Zero trust, because access is continuously evaluated instead of trusted just because the device is on the VPN.
The proposed access model aligns with Zero Trust because it continuously evaluates access based on real-time conditions (e.g., device posture, user identity) rather than implicitly trusting the VPN connection. In Zero Trust, network location alone is insufficient for granting access; every request is authenticated and authorized regardless of the source. This contrasts with traditional perimeter-based models where VPN access implies trust.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates confuse Zero Trust with least privilege or need-to-know, but Zero Trust specifically addresses the assumption of implicit trust based on network location (e.g., VPN), which is the key differentiator in this scenario.
Detailed technical explanation
How to think about this question
Zero Trust architectures often leverage the NIST SP 800-207 framework, which mandates that all resources be accessed via a policy decision point (PDP) that evaluates attributes like device health, user role, and geolocation. In practice, this is implemented with micro-segmentation and identity-aware proxies (e.g., Zscaler, Cloudflare Access) that enforce per-session authentication, even for users already on a VPN. A subtle behavior is that Zero Trust can still use VPNs for transport, but the VPN itself is not trusted—access decisions are made at the application layer, not the network layer.
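An added example (not part of the original practice question) that decides the same requests under the exhibit's current model and under its proposed model, showing where a per-request policy decision diverges from VPN-based trust. The `Request` fields, the decision strings, the sample requests and the second address `10.8.40.22:22` are assumptions constructed for illustration.

```python
from dataclasses import dataclass

FINANCE_APP = "10.8.40.15:443"   # finance app address from the exhibit
SESSION_TTL_H = 12               # session lifetime from the exhibit

@dataclass
class Request:
    hours_since_login: float
    target: str
    on_vpn: bool
    device_compliant: bool   # posture at the time of THIS request
    device_risk: str         # risk level now (assumed scale: "low"/"high")
    risk_at_last_mfa: str    # risk level when MFA was last completed
    sensitive: bool          # is this a sensitive transaction?

def legacy_decision(r: Request) -> str:
    """Current model: VPN membership plus an unexpired session is enough.
    Posture was checked once at tunnel creation and is never consulted again."""
    if r.on_vpn and r.hours_since_login < SESSION_TTL_H:
        return "allow"
    return "deny"

def zero_trust_decision(r: Request, entitlements: set) -> str:
    """Proposed model: every request is decided on its current attributes."""
    if r.target not in entitlements:            # application-specific, not subnet-wide
        return "deny"
    if r.sensitive and not r.device_compliant:  # posture re-checked per transaction
        return "deny"
    if r.device_risk != r.risk_at_last_mfa:     # risk changed during the session
        return "step_up_mfa"
    return "allow"

# Constructed sample requests (not from the page), all inside one VPN session.
SAMPLE = [
    Request(1, FINANCE_APP, True, True, "low", "low", True),        # healthy device
    Request(5, FINANCE_APP, True, False, "low", "low", True),       # posture drifted
    Request(6, FINANCE_APP, True, True, "high", "low", False),      # risk changed
    Request(7, "10.8.40.22:22", True, True, "low", "low", False),   # other subnet host
]

def compare(requests, entitlements):
    """Return (legacy, zero_trust) decisions for each request."""
    return [(legacy_decision(r), zero_trust_decision(r, entitlements))
            for r in requests]

if __name__ == "__main__":
    for pair in compare(SAMPLE, {FINANCE_APP}):
        print(pair)
```

The legacy function allows all four requests because nothing after tunnel creation feeds into its decision; the per-request function allows only the first.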
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Real-world example
How this comes up in practice
A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.
What should I do if I get this SY0-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.