Correct Answer: A

ZTA planning can improve the developer experience by streamlining access provisioning to deployment environments. This means that developers can access the resources and services they need to deploy their applications in a fast and secure manner, without having to go through complex and manual processes. ZTA planning can also help to automate and orchestrate the access provisioning using dynamic and granular policies based on the context and attributes of the developers, devices, and applications. References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 10: ZTA Planning and Implementation

Correct Answer: A

Verified Answer= A. Micro-segmentation and encryptionVery Short Explanation= ZTA uses micro-segmentation to divide the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. ZTA also uses encryption to protect data in transit and at rest from eavesdropping and tampering.References=1,2,3,4

Correct Answer: A

ZT project implementation requires prioritization as part of the overall ZT project planning activities. One area to consider is prioritization based on risks, which means that the organization should identify and assess the potential threats,

vulnerabilities, and impacts that could affect its assets, operations, and reputation, and prioritize the ZT initiatives that address the most critical and urgent risks. Prioritization based on risks helps to align the ZT project with the business

objectives and needs, and optimize the use of resources and time.

References:

Zero Trust Planning - Cloud Security Alliance, section "Scope, Priority, and Business Case"

The Zero Trust Journey: 4 Phases of Implementation - SEI Blog, section "Second Phase: Assess"

Planning for a Zero Trust Architecture: A Planning Guide for Federal ..., section "Gap Analysis"

Correct Answer: B

Business continuity and disaster recovery are the activities of the ZT implementation preparation phase that ensure the resiliency of the organization's operations in the event of disruption. Business continuity refers to the process of

maintaining or restoring the essential functions of the organization during and after a crisis, such as a natural disaster, a cyberattack, or a pandemic. Disaster recovery refers to the process of recovering the IT systems, data, and infrastructure

that support the business continuity. ZT implementation requires planning and testing the business continuity and disaster recovery strategies and procedures, as well as aligning them with the ZT policies and controls.

References:

Zero Trust Planning - Cloud Security Alliance, section "Monitor and Measure" Zero Trust architecture: a paradigm shift in cybersecurity - PwC, section "Continuous monitoring and improvement"

Zero Trust Implementation, section "Outline Zero Trust Architecture (ZTA) implementation steps"

Correct Answer: A

SDP features, like multi-factor authentication (MFA), mutual transport layer security (mTLS), and device fingerprinting, protect against phishing attacks by verifying the identity and authenticity of both the user and the device before granting access to a resource. Phishing attacks are attempts to trick users into revealing their credentials or other sensitive information by impersonating a legitimate entity or service1. SDP features can prevent phishing attacks by: MFA: MFA is a security mechanism that requires a user to provide more than one piece of evidence to prove their identity, such as a password, a one-time code, a biometric factor, or a physical token2. MFA can protect against phishing attacks by making it harder for attackers to access a resource even if they manage to obtain the user's password or other credentials2. mTLS: mTLS is a security protocol that enables mutual authentication and encryption between two parties, such as a client and a server3. mTLS can protect against phishing attacks by ensuring that both the client and the server have valid and trusted certificates, and by preventing attackers from intercepting or modifying the communication between them3. Device fingerprinting: Device fingerprinting is a technique that identifies and verifies a device based on its unique characteristics, such as its operating system, browser, IP address, or hardware configuration4. Device fingerprinting can protect against phishing attacks by allowing only authorized devices to access a resource, and by detecting any anomalies or changes in the device's attributes that may indicate a compromise4. References: What is Phishing? | How to Identify and Prevent Phishing Attacks | Cloudflare What is Multi-Factor Authentication (MFA)? | Cloudflare What is Mutual TLS (mTLS)? | Cloudflare What is Device Fingerprinting? | Cloudflare

Correct Answer: B

ZTA using enhanced identity governance is an approach to ZTA that strongly emphasizes proper governance of access privileges and entitlements for specific assets. This approach focuses on managing the identity lifecycle, enforcing granular and dynamic policies, and auditing and monitoring access activities. ZTA using enhanced identity governance helps to ensure that only authorized and verified entities can access the protected assets based on the principle of least privilege and the context of the request. References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 5: Enhanced Identity Governance

Correct Answer: D

Rule-based security policies are a type of attribute-based access control (ABAC) policies that define rules that control the entitlements to assets, such as data, applications, or devices, based on the attributes of the subjects, objects, and

environment. The policy decision point (PDP) is the component in a zero trust architecture (ZTA) that evaluates the rule-based security policies and generates an access decision for each request.

References:

Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2 A Zero Trust Policy Model | SpringerLink, section "Rule-Based Policies" Zero Trust architecture: a paradigm shift in cybersecurity - PwC, section "Security policy

and control framework"

Correct Answer: D

SPA is a security protocol that prevents device impersonation attacks in a ZTA by hiding the network infrastructure from unauthorized and unauthenticated users. SPA uses a single encrypted packet to convey the user's identity and request access to a resource. The SPA packet must be digitally signed and authenticated by the SPA server before granting access. This ensures that only authorized devices can send valid SPA packets and prevents spoofing, replay, or brute-force attacks12.

References:

Zero Trust: Single Packet Authorization | Passive authorization Single Packet Authorization | Linux Journal

Correct Answer: D

One of the key purposes of leveraging visibility and analytics capabilities in a ZTA is to continually evaluate user behavior against a baseline to identify unusual actions. This helps to detect and respond to potential threats, anomalies, and

deviations from the normal patterns of user activity. Visibility and analytics capabilities also enable the collection and analysis of telemetry data across all the core pillars of ZTA, such as user, device, network, application, and data, and provide

insights for policy enforcement and improvement.

References:

Certificate of Competence in Zero Trust (CCZT) prepkit, page 15, section 2.2.3 Zero Trust for Government Networks: 4 Steps You Need to Know, section "Continuously verify trust with visibility and analytics" The role of visibility and analytics in

zero trust architectures, section "The basic NIST tenets of this approach include"

What is Zero Trust Architecture (ZTA)? | NextLabs, section "With real-time access control, users are reliably verified and authenticated before each session"

Correct Answer: C

Asset owners are the ones who will determine valid users, roles, and privileges for accessing data as part of data governance. Asset owners are responsible for defining the data classification, sensitivity, and ownership of the data assets they own. They also have the authority to grant or revoke access to the data assets based on the business needs and the Zero Trust policies. References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 2: Data and Asset Classification