Chapter 3 of 27
Zero Trust and Fundamental Security Concepts in Modern Enterprises
Walk through the mindset shift from perimeter-based security to continuous verification, and see how zero trust and related principles reshape networks, identities, and policies.
From Castle Walls to Zero Trust
Why This Module Matters
You now connect your CIA/AAA foundations to one of the most important modern ideas in security: zero trust. It appears across multiple SY0-701 domains and underpins many architecture and access control questions.
Perimeter-Based Security
Historically, enterprises used a castle-and-moat model: strong firewalls at the edge, VPNs for remote users, and a mostly trusted internal network. The main goal: keep attackers out.
Enter Hybrid Environments
Today most organizations run in a hybrid environment: a mix of cloud, mobile, IoT, OT, and on-premises resources. Users connect from anywhere, and services live across data centers and SaaS.
Modern Definition of Zero Trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed. This directly challenges the old perimeter mindset.
Your Exam Lens
Throughout this module, ask: "What would a zero trust design do here?" That lens will help with SY0-701 questions on identity, segmentation, secure architecture, and operations.
Core Zero Trust Principles and Mindset
Zero Trust Is a Philosophy
Zero trust is not a single product. It is a design philosophy that shapes how you authenticate, authorize, and monitor users, devices, and traffic across the enterprise.
Never Trust, Always Verify
Zero trust rejects implicit trust based on network location or device type. Every access request must be authenticated, authorized, and evaluated against current context.
Least Privilege and Need-to-Know
Zero trust enforces least privilege (minimal permissions) and need-to-know (minimal data exposure) so users and services access only what is required for their roles or tasks.
Assume Breach
Design as if an attacker is already inside part of your environment. Focus on limiting lateral movement and reducing the blast radius of any compromise.
Continuous Verification and AAA
Zero trust requires continuous verification: strong, ongoing authentication, fine-grained authorization, and detailed accounting logs to support CIA and incident response.
Implicit vs Explicit Trust: What Changes?
Implicit Trust
Implicit trust ties trust to where you are: inside the LAN, on the VPN, or in the data center. Once inside, users and systems often have broad, unchecked access.
Problems with Implicit Trust
If one internal machine is compromised, an attacker can leverage inherited trust to move laterally, abuse insider access, and spread malware with little resistance.
Explicit Trust in Zero Trust
Explicit trust is earned per request. Each access is authenticated, authorized, and evaluated based on user identity, device identity, and current context.
Scoped and Time-Bound Access
Zero trust grants narrowly scoped, time-limited access: you may read one database for a task, but not scan the network or access unrelated systems.
Exam Signal
Phrases like "all internal hosts are trusted" signal implicit trust. Phrases like "access is evaluated per request using user and device identity" align with explicit trust and zero trust.
Least Privilege, Need-to-Know, and Just-in-Time Access
Least Privilege
Least privilege means giving users, processes, and services only the minimum permissions needed to perform their functions, and nothing extra that could be abused.
Need-to-Know
Need-to-know focuses on data. Users should access only the specific information required for their job or task, not all data in a system or database.
Just-in-Time (JIT) Access
JIT access grants elevated permissions only when needed and for a limited time, then automatically removes them, reducing risky standing privileges.
Zero Trust Reinforcement
Zero trust removes implicit trust; least privilege and need-to-know define the smallest allowed actions and data exposure per request. JIT further limits duration.
Exam Pitfalls
Least privilege is "enough access," not zero. VPN access alone does not equal least privilege. Service accounts also need least privilege and sometimes JIT controls.
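To make the JIT idea concrete, the following Python is an added illustration (not part of the course material): a small in-memory elevation store in which an admin role is granted for a task with an expiry, the grant duration is capped by policy, and every privilege check re-validates the expiry so standing privileges stay at zero. The store class, the role names and the change ticket reference are all hypothetical.

```python
"""Hypothetical just-in-time (JIT) elevation store (added example, not course code).

Admin rights are held for a task, not permanently: a grant carries an expiry,
the store caps its duration, and every privilege check re-validates the expiry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    principal: str
    role: str
    expires_at: datetime
    justification: str


@dataclass
class JitStore:
    max_duration: timedelta = timedelta(hours=1)   # policy cap on any elevation
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)      # accounting trail (the second A in AAA)

    def request(self, principal, role, duration, justification, now):
        """Grant `role` to `principal` for at most `max_duration`, with a recorded reason."""
        if not justification:
            raise ValueError("a justification is required for elevation")
        capped = min(duration, self.max_duration)
        grant = Grant(principal, role, now + capped, justification)
        self.grants.append(grant)
        self.audit.append((now, "grant", principal, role, grant.expires_at))
        return grant

    def has_role(self, principal, role, now):
        """Per-check expiry: expired grants are purged before the question is answered."""
        for g in self.grants:
            if g.expires_at <= now:
                self.audit.append((now, "expire", g.principal, g.role, g.expires_at))
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.principal == principal and g.role == role for g in self.grants)

    def revoke(self, principal, role, now):
        """Early removal, e.g. when the task finishes before the grant expires."""
        keep = [g for g in self.grants if not (g.principal == principal and g.role == role)]
        if len(keep) != len(self.grants):
            self.audit.append((now, "revoke", principal, role, None))
        self.grants = keep


def walkthrough():
    """Constructed timeline: a DBA needs local admin on a database server for one patch window."""
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    store = JitStore()
    results = {}
    # No standing privilege: the check fails before any grant exists.
    results["before"] = store.has_role("dba-bob", "dbserver-local-admin", t0)
    # An 8-hour request is capped to the 1-hour policy maximum (ticket id is a placeholder).
    grant = store.request("dba-bob", "dbserver-local-admin", timedelta(hours=8),
                          "patch window, change ticket CHG-PLACEHOLDER", t0)
    results["capped_to_max"] = grant.expires_at == t0 + store.max_duration
    results["during"] = store.has_role("dba-bob", "dbserver-local-admin", t0 + timedelta(minutes=30))
    # Two hours later the grant has lapsed without anyone having to remove it.
    results["after"] = store.has_role("dba-bob", "dbserver-local-admin", t0 + timedelta(hours=2))
    results["audit_events"] = [event[1] for event in store.audit]
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point to notice is that the "after" check returns false without any cleanup job: expiry is enforced at the moment of use, which is the property that distinguishes JIT from a permanent admin group that someone is supposed to remember to prune.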
Network Segmentation and Microsegmentation in Zero Trust
Network Segmentation
Network segmentation divides the network into separate segments or VLANs with controlled traffic between them using firewalls, ACLs, and routing rules.
Examples of Segmentation
Common segments include separate subnets for user PCs, servers, and guest Wi-Fi, plus a DMZ for public-facing systems like web servers and mail gateways.
Microsegmentation
Microsegmentation goes finer: policies at the workload or application level. You control which specific services or hosts can talk, often via host firewalls or SDN.
Zero Trust and Lateral Movement
Under the assume-breach mindset, segmentation and microsegmentation limit lateral movement so that a compromised host cannot freely reach other critical systems.
Exam Angle
When asked how to reduce compromise impact or align a design with zero trust, answers mentioning segmentation or microsegmentation are strong candidates.
Security Policies and Access Control Models in a Zero Trust World
Access Control Models and Zero Trust
Zero trust builds on traditional access control models, applying them more rigorously and dynamically rather than replacing them outright.
DAC and MAC
DAC lets owners control access (flexible but risky). MAC uses central labels and clearances (rigid but strong for need-to-know and least privilege).
RBAC
Role-Based Access Control grants permissions based on roles like "HR analyst". It is common and works well with zero trust when roles are well-designed and reviewed.
ABAC
Attribute-Based Access Control uses attributes (user, resource, environment) to make context-aware decisions, fitting closely with zero trust per-request evaluation.
Policy Characteristics
Zero trust policies are centrally defined, use conditions (MFA, device compliance, time, location), and support continuous monitoring and revocation.
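The following Python is an added example (not course code) of the per-request, attribute-based evaluation described in the ABAC and Policy Characteristics passages above: every request is decided on its own from user, device and environment attributes, the default is deny, and a device posture check is only trusted if it is recent. The policy engine, resource names, attribute names and the 15-minute posture window are hypothetical choices for the illustration.

```python
"""Hypothetical ABAC policy decision point (added example, not course code).

Each access request is evaluated on its own against the attributes of the
user, the device and the environment; the default answer is deny.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Device posture must have been re-checked within this window (assumed policy).
POSTURE_MAX_AGE = timedelta(minutes=15)

# Constructed reference time: Monday 10:00 UTC, inside business hours.
REQUEST_TIME = datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)


@dataclass
class Request:
    user: str
    department: str
    mfa_passed: bool
    device_managed: bool
    device_compliant: bool
    posture_checked_at: datetime
    location: str          # "office", "home" or "unknown"
    resource: str
    now: datetime


def posture_fresh(r):
    """A compliance result older than the window no longer counts."""
    return r.now - r.posture_checked_at <= POSTURE_MAX_AGE


def business_hours(r):
    """Monday to Friday, 09:00 to 17:00 in the request's own timezone."""
    return r.now.weekday() < 5 and 9 <= r.now.hour < 17


# Per-resource conditions; every condition must hold. A resource with no
# entry is denied outright, which is the "no implicit trust" default.
POLICIES = {
    "payroll-app": [
        ("department is finance", lambda r: r.department == "finance"),
        ("MFA completed", lambda r: r.mfa_passed),
        ("managed device", lambda r: r.device_managed),
        ("device compliant", lambda r: r.device_compliant),
        ("posture check fresh", posture_fresh),
        ("business hours", business_hours),
    ],
    "crm-server": [
        ("MFA completed", lambda r: r.mfa_passed),
        ("managed device", lambda r: r.device_managed),
        ("device compliant", lambda r: r.device_compliant),
        ("posture check fresh", posture_fresh),
        ("location known", lambda r: r.location in {"office", "home"}),
    ],
}


def decide(r):
    """Return (decision, reason); the reason names the first failing condition."""
    conditions = POLICIES.get(r.resource)
    if conditions is None:
        return ("deny", "no policy defined for resource")
    for name, check in conditions:
        if not check(r):
            return ("deny", f"failed: {name}")
    return ("allow", "all conditions satisfied")


def make_request(**overrides):
    """Constructed baseline: a finance user on a compliant managed laptop, posture checked 5 min ago."""
    now = overrides.get("now", REQUEST_TIME)
    base = dict(user="alice", department="finance", mfa_passed=True,
                device_managed=True, device_compliant=True,
                posture_checked_at=now - timedelta(minutes=5),
                location="home", resource="payroll-app", now=now)
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    samples = [
        make_request(),
        make_request(now=REQUEST_TIME.replace(hour=19)),
        make_request(department="sales"),
        make_request(posture_checked_at=REQUEST_TIME - 2 * POSTURE_MAX_AGE),
        make_request(resource="crm-server", department="sales", location="unknown"),
    ]
    for req in samples:
        print(req.resource, req.department, req.location, "->", decide(req))
```

Note how the same finance user on the same laptop is allowed at 10:00 and denied at 19:00, and is denied again when the last posture check is older than the window: location does not appear in the payroll policy at all, which is what "regardless of location" means in practice, while the CRM policy does consult it. A role-only (RBAC) check could express "department is finance" but none of the other conditions.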
Zero Trust in Hybrid Environments: Identity, Devices, and Data
Hybrid Environment Reminder
A hybrid environment mixes cloud, mobile, IoT, OT, and on-prem resources. Zero trust must cover this entire, diverse landscape.
Identity as the Perimeter
With users and apps everywhere, centralized identity and SSO, backed by MFA and conditional access, becomes the main control point in zero trust.
Device Trust and Posture
Zero trust distinguishes corporate-managed, BYOD, and unmanaged devices, using compliance checks and posture to decide allowed access levels.
Data-Centric Controls
Because data lives across SaaS, IaaS, and on-prem, zero trust classifies and protects data (encryption, DLP, labels) wherever it resides.
Monitoring and Exam Focus
Unified logging and analytics across on-prem and cloud detect compromised identities/devices. On the exam, hybrid scenarios test consistent policy and monitoring.
Comparing Designs: Perimeter vs Zero Trust in an Enterprise
Scenario Setup
A 500-person company uses on-prem AD and ERP, plus SaaS email. With remote workers and contractors, it is a very typical hybrid enterprise.
Traditional Perimeter Design
Office users on the LAN and VPN users share broad access. File servers allow large groups like "All Employees". Internal firewalls are minimal.
Risks in the Old Design
A compromised VPN account or ransomware on one PC can reach many servers and broad file shares, exposing sensitive data and enabling lateral movement.
Zero Trust Redesign
Introduce SSO with MFA, network segmentation and microsegmentation, RBAC/ABAC for finance data, and JIT admin access. Centralize logging and anomaly alerts.
Exam Takeaway
In questions, favor designs that reduce implicit trust, restrict lateral movement with segmentation, and enforce strong, identity-based, context-aware access.
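The segmentation material earlier in this module and the perimeter-versus-zero-trust comparison above both come down to one measurable quantity: how many systems a single compromised host can reach. The Python below is an added example (not course code) that computes that blast radius for a constructed inventory loosely modelled on the 500-person scenario, under three designs: the flat traditional network, coarse VLAN-style segmentation, and a workload-level microsegmentation allow-list. Host names, segments and the allow-list rules are all hypothetical.

```python
"""Blast-radius comparison for flat, segmented and microsegmented designs
(added example, not course code; inventory and rules are constructed)."""
from collections import deque

# Constructed inventory: each host belongs to one segment.
SEGMENT = {
    "user-pc-042": "users", "user-pc-117": "users", "vpn-laptop-07": "users",
    "file-srv-01": "servers", "erp-app-01": "servers", "erp-db-01": "servers",
    "ad-dc-01": "servers", "hr-db-01": "servers", "backup-srv-01": "servers",
    "web-dmz-01": "dmz",
}


def flat_allowed(src, dst):
    """Traditional design: any internal host can reach any other host."""
    return src != dst


# Coarse segmentation: traffic is allowed only between these segment pairs
# (intra-segment traffic included); the DMZ is cut off from the inside.
SEGMENT_PAIRS = {("users", "users"), ("users", "servers"), ("servers", "servers")}


def segmented_allowed(src, dst):
    return src != dst and (SEGMENT[src], SEGMENT[dst]) in SEGMENT_PAIRS


# Microsegmentation: an explicit workload-level allow-list; anything absent is denied.
# User PCs reach the file server, the ERP front end and the domain controller only;
# the ERP database is reachable from the ERP app, not from user PCs.
MICRO_RULES = {
    ("user-pc-042", "file-srv-01"), ("user-pc-042", "erp-app-01"), ("user-pc-042", "ad-dc-01"),
    ("user-pc-117", "file-srv-01"), ("user-pc-117", "erp-app-01"), ("user-pc-117", "ad-dc-01"),
    ("vpn-laptop-07", "erp-app-01"), ("vpn-laptop-07", "ad-dc-01"),
    ("erp-app-01", "erp-db-01"), ("erp-app-01", "ad-dc-01"), ("file-srv-01", "ad-dc-01"),
    ("backup-srv-01", "file-srv-01"), ("backup-srv-01", "erp-db-01"), ("backup-srv-01", "hr-db-01"),
}


def micro_allowed(src, dst):
    return (src, dst) in MICRO_RULES


def reachable(start, allowed):
    """Hosts that a compromise of `start` could reach transitively (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for host in SEGMENT:
            if host not in seen and allowed(current, host):
                seen.add(host)
                queue.append(host)
    seen.discard(start)
    return seen


def blast_radius(start, allowed):
    return len(reachable(start, allowed))


DESIGNS = [("flat", flat_allowed), ("segmented", segmented_allowed), ("microsegmented", micro_allowed)]


def compare(start="user-pc-042"):
    """Blast radius of one compromised user PC under each design."""
    return {name: blast_radius(start, allowed) for name, allowed in DESIGNS}


if __name__ == "__main__":
    for name, allowed in DESIGNS:
        hosts = reachable("user-pc-042", allowed)
        print(f"{name:15s} blast radius {len(hosts):2d}: {sorted(hosts)}")
```

The instructive result is the middle row: VLAN segmentation alone protects the DMZ but barely changes what a compromised user PC can reach, because user PCs legitimately need the server segment. Only the workload-level allow-list removes the HR database, the backup server and the other user PCs from the reachable set, which is exactly the lateral-movement reduction the zero trust redesign is after.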
Thought Exercise: Spot the Implicit Trust
Work through this short exercise to train your zero trust instincts.
Imagine each statement describes a proposed control in an enterprise. For each one, decide:
- Does it rely on implicit trust (traditional model)?
- Or does it align with zero trust (explicit, continuous verification, least privilege)?
- "Any device connected to the corporate Wi-Fi can access the internal CRM server without additional authentication."
- "Remote users must connect via VPN and then can access all internal file shares once authenticated to the domain."
- "Users must authenticate with MFA, and access to the CRM server is allowed only from compliant, enrolled devices, with policies that re-check device health every 15 minutes."
- "Database administrators have permanent local admin rights on all database servers, even when not performing maintenance."
- "Contractors receive time-limited accounts that grant access only to a specific project repository, and their access is automatically revoked at the project end date."
Pause and answer for yourself, then compare with the guidance below.
Suggested reasoning (do not peek until you have tried):
- Items that treat "on Wi-Fi" or "on VPN" as sufficient should feel like implicit trust.
- Items that add MFA, device compliance, time limits, or per-resource policies should feel more zero trust-aligned.
After you check your answers, think about how you would rewrite one of the implicit-trust examples to be more zero trust-friendly.
Quick Check: Zero Trust Basics
Test your understanding of core zero trust ideas before moving on.
Which option best reflects a zero trust approach in a hybrid environment?
- A) Allow all devices on the corporate VPN to access internal resources without additional checks.
- B) Require MFA for remote access, then place users on the same flat internal network as on-site employees.
- C) Use centralized identity with MFA and conditional access, and restrict each user to only the specific applications and data they need, regardless of location.
- D) Place a next-generation firewall at the perimeter and allow unrestricted traffic inside the internal network.
Answer: C) Use centralized identity with MFA and conditional access, and restrict each user to only the specific applications and data they need, regardless of location.
Option C aligns with zero trust: centralized identity, MFA, conditional access, and least privilege across locations. Options A, B, and D rely on implicit trust in the VPN or internal network and maintain a flat, overly trusted internal environment.
Quiz: Segmentation and Access Control Models
Check how well you can connect segmentation and access control models to zero trust.
An organization wants to implement policies like: "Finance users on compliant corporate laptops can access the payroll app only during business hours." Which access control model best supports this zero trust-style requirement?
- A) Discretionary Access Control (DAC)
- B) Mandatory Access Control (MAC)
- C) Role-Based Access Control (RBAC)
- D) Attribute-Based Access Control (ABAC)
Answer: D) Attribute-Based Access Control (ABAC)
ABAC is designed for context-aware policies using attributes of users (finance), devices (compliant corporate laptop), and environment (business hours). RBAC uses roles but does not natively express time or device posture conditions.
Key Term Review: Zero Trust and Core Concepts
Use these flashcards to reinforce the most important terms from this module.
- zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- least privilege
- An access principle where users, processes, and services are granted only the minimum permissions they need to perform their functions, reducing potential damage from compromise or misuse.
- need-to-know
- A data access principle where subjects are allowed to see only the specific information required for their job or task, even if they have a high-level clearance or role.
- just-in-time (JIT) access
- An approach where elevated permissions are granted only when needed and for a limited period, then automatically removed to reduce standing privileges.
- network segmentation
- The practice of dividing a network into separate segments or VLANs with controlled traffic between them, often enforced by firewalls and ACLs, to limit lateral movement and contain incidents.
- microsegmentation
- Fine-grained segmentation, often at the workload or application level, where specific hosts or services are allowed to communicate based on detailed policies, strongly supporting zero trust.
- Attribute-Based Access Control (ABAC)
- An access control model that makes decisions based on attributes of users, resources, actions, and environment (such as department, device compliance, and time of day), enabling context-aware, zero trust-style policies.
- Role-Based Access Control (RBAC)
- An access control model where permissions are assigned to roles (such as "HR analyst" or "DB admin"), and users are assigned to roles, commonly used to implement least privilege in enterprises.
- implicit trust vs explicit trust
- Implicit trust assumes trust based on factors like network location (inside LAN or VPN). Explicit trust requires active verification of identity, device, and context for each access request, aligning with zero trust.
Where Zero Trust Appears on SY0-701 and How to Practice
Zero Trust Across the Exam
Zero trust connects to identity and access, network design, secure operations, and governance, risk, and compliance in SY0-701-style content.
IAM and Network Design
Expect questions on MFA, SSO, RBAC/ABAC, segmentation, microsegmentation, and zero trust network access-style solutions in hybrid architectures.
Operations and GRC
Zero trust supports monitoring, SIEM, and incident containment and must align with governance, risk, and compliance policies in real enterprises.
Practice Within This Course
In upcoming diagnostics and mocks, look for scenarios about remote access or flat networks and choose answers that reduce implicit trust and limit lateral movement.
Building Intuition
As you review, always ask: does this design enforce explicit, context-aware trust with least privilege and segmentation? If yes, it likely aligns with zero trust.
Key Terms
- SY0-701
- SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
- zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- need-to-know
- A data access principle where subjects are allowed to see only the specific information required for their job or task, even if they have a high-level clearance or role.
- assume breach
- A design mindset where you plan and architect systems under the assumption that some components may already be compromised, focusing on limiting lateral movement and impact.
- explicit trust
- A trust model where each access request is actively verified using identity, device posture, and context, aligning with zero trust principles.
- implicit trust
- A trust model where access is granted based on assumptions such as being on the internal network or connected via VPN, without strong, per-request verification.
- least privilege
- An access principle where users, processes, and services are granted only the minimum permissions they need to perform their functions, reducing potential damage from compromise or misuse.
- CompTIA Security+
- CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
- microsegmentation
- Fine-grained segmentation, often at the workload or application level, where specific hosts or services are allowed to communicate based on detailed policies, strongly supporting zero trust.
- hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- just-in-time access
- An approach where elevated permissions are granted only when needed and for a limited period, then automatically removed to reduce standing privileges.
- network segmentation
- The practice of dividing a network into separate segments or VLANs with controlled traffic between them, often enforced by firewalls and ACLs, to limit lateral movement and contain incidents.
- Role-Based Access Control (RBAC)
- An access control model where permissions are assigned to roles (such as "HR analyst" or "DB admin"), and users are assigned to roles, commonly used to implement least privilege in enterprises.
- governance, risk, and compliance
- Governance, risk, and compliance refers to operating with an awareness of the regulations and policies that apply to the organization, and applying governance, risk management, and compliance principles when securing enterprise environments.
- Attribute-Based Access Control (ABAC)
- An access control model that makes decisions based on attributes of users, resources, actions, and environment (such as department, device compliance, and time of day), enabling context-aware, zero trust-style policies.