CCZT Online Practice Questions and Answers

Questions 4

What is one benefit of the protect surface in a ZTA for an organization implementing controls?

A. Controls can be implemented at all ingress and egress points of the network and minimize risk.

B. Controls can be implemented at the perimeter of the network and minimize risk.

C. Controls can be moved away from the asset and minimize risk.

D. Controls can be moved closer to the asset and minimize risk.

Correct Answer: D

The protect surface in a ZTA is the collection of sensitive data, assets, applications, and services (DAAS) that require protection from threats [1]. One benefit of the protect surface in a ZTA for an organization implementing controls is that it allows the controls to be moved closer to the asset, minimizing risk. Instead of relying on a single perimeter or boundary to protect the entire network, ZTA enables granular and dynamic controls that are applied at or near the DAAS components, based on the principle of least privilege [2]. This reduces the attack surface and the potential impact of a breach, and improves the visibility and agility of the security posture [3].

References:

[1] Zero Trust Architecture | NIST

[2] Zero Trust Architecture Explained: A Step-by-Step Approach - Comparitech

[3] What is Zero Trust Architecture (ZTA)? - CrowdStrike

Questions 5

In a ZTA, the logical combination of both the policy engine (PE) and policy administrator (PA) is called

A. policy decision point (PDP)

B. role-based access

C. policy enforcement point (PEP)

D. data access policy

Correct Answer: A

In a ZTA, the logical combination of both the policy engine (PE) and policy administrator (PA) is called the policy decision point (PDP). The PE is the component that evaluates the policies and the contextual data collected from various sources and generates an access decision. The PA is the component that establishes or terminates the communication between a subject and a resource based on the access decision. The PDP communicates with the policy enforcement point (PEP), which enforces the access decision on the resource.

References:

Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2

Zero Trust Architecture Project - NIST Computer Security Resource Center, slide 9

What Is a Zero Trust Security Framework? | Votiro, section "The Policy Engine and Policy Administrator"

Zero Trust Frameworks Architecture Guide - Cisco, page 4, section "Policy Decision Point"

Questions 6

Which ZT element provides information that providers can use to keep policies dynamically updated?

A. Communication

B. Data sources

C. Identities

D. Resources

Correct Answer: B

Data sources are the ZT element that provides information that providers can use to keep policies dynamically updated. Data sources are the inputs that feed the policy engine and the policy administrator with the relevant data and context about the entities, resources, transactions, and environment in the ZTA. Data sources help to inform the policy decisions and actions based on the current state and conditions of the ZTA. Data sources can include identity providers, device management systems, threat intelligence feeds, network monitoring tools, etc.

References:

Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 3: ZTA Architecture and Components

Questions 7

How can ZTA planning improve the developer experience?

A. Streamlining access provisioning to deployment environments.

B. Require deployments to be grouped into quarterly batches.

C. Use of a third-party tool for continuous integration/continuous deployment (CI/CD) and deployments.

D. Disallowing DevOps teams access to the pipeline or deployments.

Correct Answer: A

ZTA planning can improve the developer experience by streamlining access provisioning to deployment environments. This means that developers can access the resources and services they need to deploy their applications in a fast and secure manner, without having to go through complex and manual processes. ZTA planning can also help to automate and orchestrate the access provisioning using dynamic and granular policies based on the context and attributes of the developers, devices, and applications.

References:

Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 10: ZTA Planning and Implementation

Questions 8

ZTA utilizes which of the following to improve the network's security posture?

A. Micro-segmentation and encryption

B. Compliance analytics and network communication

C. Network communication and micro-segmentation

D. Encryption and compliance analytics

Correct Answer: A

Verified Answer: A. Micro-segmentation and encryption

Explanation: ZTA uses micro-segmentation to divide the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. ZTA also uses encryption to protect data in transit and at rest from eavesdropping and tampering.

Questions 9

Which of the following is a common activity in the scope, priority, and business case steps of ZT planning?

A. Determine the organization's current state

B. Prioritize protect surfaces

C. Develop a target architecture

D. Identify business and service owners

Correct Answer: A

A common activity in the scope, priority, and business case steps of ZT planning is to determine the organization's current state. This involves assessing the existing security posture, architecture, policies, processes, and capabilities of the organization, as well as identifying the key stakeholders, business drivers, and goals for the ZT initiative. Determining the current state helps to establish a baseline, identify gaps and risks, and define the scope and priority of the ZT transformation.

References:

Zero Trust Planning - Cloud Security Alliance, section "Scope, Priority, and Business Case"

The Zero Trust Journey: 4 Phases of Implementation - SEI Blog, section "First Phase: Prepare"

Questions 10

In a ZTA, automation and orchestration can increase security by using the following means:

A. Kubernetes and docker

B. Static application security testing (SAST) and dynamic application security testing (DAST)

C. Data loss prevention (DLP) and cloud security access broker (CASB)

D. Infrastructure as code (IaC) and identity lifecycle management

Correct Answer: D

Explanation: In a ZTA, automation and orchestration can increase security by using the following means:

Infrastructure as code (IaC): IaC is the practice of managing and provisioning IT infrastructure through code, rather than manual processes or configuration tools [1]. IaC can increase security by enabling consistent, repeatable, and scalable deployment of ZTA components, such as policies, gateways, firewalls, and micro-segments [2]. IaC can also facilitate compliance, auditability, and change management, as well as reduce human errors and configuration drift [3].

Identity lifecycle management: Identity lifecycle management is the process of managing the creation, modification, and deletion of user identities and their access rights throughout their lifecycle [4]. Identity lifecycle management can increase security by ensuring that users have the appropriate level of access to resources at any given time, based on the principle of least privilege [5]. Identity lifecycle management can also automate the provisioning and deprovisioning of user accounts, enforce strong authentication and authorization policies, and monitor and audit user activity and behavior [6].

References:

[1] What is Infrastructure as Code? | Cloudflare

[2] Zero Trust Architecture: Infrastructure as Code

[3] Infrastructure as Code: Security Best Practices

[4] What is Identity Lifecycle Management? | One Identity

[5] Zero Trust Architecture: Identity and Access Management

[6] Identity Lifecycle Management: A Zero Trust Security Strategy

Questions 11

According to NIST, what are the key mechanisms for defining, managing, and enforcing policies in a ZTA?

A. Policy decision point (PDP), policy enforcement point (PEP), and policy information point (PIP)

B. Data access policy, public key infrastructure (PKI), and identity and access management (IAM)

C. Control plane, data plane, and application plane

D. Policy engine (PE), policy administrator (PA), and policy broker (PB)

Correct Answer: A

According to NIST, the key mechanisms for defining, managing, and enforcing policies in a ZTA are the policy decision point (PDP), the policy enforcement point (PEP), and the policy information point (PIP). The PDP is the component that evaluates the policies and the contextual data collected from various sources and generates an access decision. The PEP is the component that enforces the access decision on the resource. The PIP is the component that provides the contextual data to the PDP, such as the user identity, the device posture, the network location, the resource attributes, and the environmental factors.

References:

Zero Trust Architecture Project - NIST Computer Security Resource Center, slide 9

What Is Zero Trust Architecture (ZTA)? - F5, section "Policy Engine"

Zero Trust Frameworks Architecture Guide - Cisco, page 4, section "Policy Decision Point"

Questions 12

Which of the following is a required concept of single packet authorizations (SPAs)?

A. An SPA packet must be digitally signed and authenticated.

B. An SPA packet must self-contain all necessary information.

C. An SPA header is encrypted and thus trustworthy.

D. Upon receiving an SPA, a server must respond to establish secure connectivity.

Correct Answer: A

Single Packet Authorization (SPA) is a security protocol that allows a user to access a secure network without the need to enter a password or other credentials. Instead, it is an authentication protocol that uses a single packet, an encrypted packet of data, to convey a user's identity and request access [1]. A key concept of SPA is that the SPA packet must be digitally signed and authenticated by the SPA server before granting access to the user. This ensures that only authorized users can send valid SPA packets and prevents replay attacks, spoofing attacks, or brute-force attacks [2][3].

References:

[1] Zero Trust: Single Packet Authorization | Passive authorization

[2] Single Packet Authorization | Linux Journal

[3] Single Packet Authorization Explained | Appgate Whitepaper

Questions 13

To ensure a successful ZT effort, it is important to

A. engage finance regularly so they understand the effort and do not cancel the project

B. keep the effort focused within IT to avoid any distractions

C. engage stakeholders across the organization and at all levels, including functional areas

D. minimize communication with the business units to avoid "scope creep"

Correct Answer: C

To ensure a successful ZT effort, it is important to engage stakeholders across the organization and at all levels, including functional areas. This helps to align the ZT vision and goals with the business priorities and needs, gain buy-in and support from the leadership and the users, and foster a culture of collaboration and trust. Engaging stakeholders also enables the identification and mapping of the critical assets, workflows, and dependencies, as well as the communication and feedback mechanisms for the ZT transformation.

References:

Certificate of Competence in Zero Trust (CCZT) prepkit, page 7, section 1.3

Zero Trust Planning - Cloud Security Alliance, section "Scope, Priority, and Business Case"

The 'Zero Trust' Model in Cybersecurity: Towards understanding and ..., section "3.1 Ensuring buy-in across the organization with tangible impact"

Exam Code: CCZT
Exam Name: Certificate of Competence in Zero Trust (CCZT)
Last Update: Jun 10, 2025
Questions: 60