Chapter 3 of 25
Zero Trust and Fundamental Security Concepts in Modern Enterprises
Move beyond perimeter thinking into the modern world of zero trust, least privilege, and defense in depth that underpins today’s hybrid enterprise security strategies.
From Perimeter Thinking to Zero Trust
Why Perimeter Security Is Not Enough
Older networks used a "castle and moat" model: a strong perimeter firewall protecting a trusted internal network. Inside the network, users and systems were often treated as trusted by default, so an attacker or malware that got past the perimeter inherited that trust and could move laterally with little resistance.
What Is a Hybrid Environment?
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
The Trust Problem
In hybrid environments there is no clear "inside" and "outside". Users connect remotely, apps span data centers and clouds, and partners access shared services. Perimeter-only defenses are no longer enough.
Modern Security Ideas
Modern strategies rely on zero trust, least privilege, defense in depth, and security baselines. These concepts appear across Security+ SY0-701, especially in General Security Concepts and Security Architecture.
Zero Trust: Core Definition and Principles
Zero Trust: Exact Definition
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
No Implicit Trust
In zero trust, nothing is trusted just because it is on the internal network or a corporate device. Being "inside" does not grant broad access by default.
Continuous Verification
Zero trust keeps re-checking identity, device health, and context. Suspicious changes, like a new location or non-compliant device, can reduce or revoke access mid-session.
Limit Access to What Is Needed
Access is narrow and specific. Users and apps get only the permissions required for their tasks, closely tied to least privilege and need-to-know.
Connecting Zero Trust to CIA and AAA
CIA Triad and Zero Trust
The CIA triad components are confidentiality, integrity, availability. Zero trust mainly boosts confidentiality and integrity by tightly controlling who can access or change resources. It also helps availability indirectly: a compromised account or device reaches only what it was explicitly granted, so a single breach is less likely to take down everything.
AAA and Zero Trust
AAA functions are authentication, authorization, accounting. Zero trust strengthens all three: strong authentication, fine-grained authorization, and detailed accounting logs.
Example Flow
User authenticates with MFA, is authorized only for certain apps based on role and device health, and all actions are logged and analyzed for anomalies.
Exam Signal
If a scenario focuses on identity, context-aware policies, and logging in a hybrid environment, it is likely testing zero trust applied to CIA and AAA.
Least Privilege and Need-to-Know
Least Privilege
Least privilege means giving users, processes, and systems only the minimum permissions they need to perform their tasks, and nothing more.
Need-to-Know
Need-to-know focuses on confidentiality: a person should only access specific information if it is necessary for their job or function.
Practical Examples
Help desk staff can reset passwords but not change executive groups; an app server can read its database but not drop tables or access other apps’ data.
Exam Trap to Avoid
Answers that grant broad, convenient access usually violate least privilege or need-to-know and are often incorrect on Security+ questions.
Applying Least Privilege: Three Mini Scenarios
Scenario 1: DBA and Developer
A developer asks for full admin on production to debug. Least privilege says: give only read access to needed tables or have the DBA run queries, not full admin.
Scenario 2: Marketing Intern
A marketing intern needs to view marketing reports. Available roles: Sales Admin, Sales Analyst, Marketing Report Viewer. Least privilege and need-to-know point to Marketing Report Viewer: it provides the data the task requires and exposes the least sensitive information.
Scenario 3: Maintenance Script
A nightly backup script should run under a dedicated service account with read access to the folders it backs up and write access only to the backup destination, not broad system administrator privileges.
Exam Pattern
In Security+ questions, pick the role or permission set that completes the job with the narrowest, most targeted access, not the easiest or broadest.
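As an added example (not part of the original chapter), the selection logic behind all three scenarios in code: given the permissions a task needs and a catalogue of roles, pick the role that covers the task with the least excess privilege, and refuse to pick any role when only a broader one would do. The role catalogue and the sensitivity weights are constructed for illustration and are assumptions, not from any product or from the Security+ objectives.

```python
"""Choose the narrowest role that still covers a task (added example).

The roles, permissions and sensitivity weights are constructed for illustration
and are not from any product or from the Security+ objectives.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[str]   # each permission is "resource:action"


# Constructed role catalogue covering scenarios 1 and 2 above.
ROLES = [
    Role("Prod DB Admin", frozenset({"prod_db:read", "prod_db:write", "prod_db:ddl"})),
    Role("Prod DB Read-Only", frozenset({"prod_db:read"})),
    Role("Sales Admin", frozenset({"sales_reports:read", "sales_reports:write",
                                   "customer_pii:read", "customer_pii:write", "users:manage"})),
    Role("Sales Analyst", frozenset({"sales_reports:read", "customer_pii:read",
                                     "marketing_reports:read"})),
    Role("Marketing Report Viewer", frozenset({"marketing_reports:read"})),
]

# Constructed sensitivity weights: a write, a schema change or a PII read costs
# more than reading an aggregate report, so the choice favours the role that
# exposes the least sensitive data, not just the fewest permissions.
SENSITIVITY = {
    "marketing_reports:read": 1, "sales_reports:read": 2, "prod_db:read": 3,
    "sales_reports:write": 4, "customer_pii:read": 5, "prod_db:write": 6,
    "customer_pii:write": 8, "prod_db:ddl": 9, "users:manage": 10,
}


def excess_privilege(role: Role, required: frozenset[str]) -> int:
    """Total sensitivity of the permissions the role grants beyond the task."""
    return sum(SENSITIVITY.get(p, 1) for p in role.permissions - required)


def audit_role(role: Role, required: frozenset[str]) -> list[str]:
    """Permissions the role grants that the task does not need."""
    return sorted(role.permissions - required)


def least_privilege_role(required: frozenset[str], roles=ROLES) -> Role | None:
    """Return the covering role with the least excess privilege.

    None means no single existing role fits; the right move is then a new,
    narrower role (or a one-off query run by the DBA), never a broader grant.
    """
    candidates = [r for r in roles if required <= r.permissions]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (excess_privilege(r, required), len(r.permissions)))


if __name__ == "__main__":
    for task in (frozenset({"prod_db:read"}), frozenset({"marketing_reports:read"})):
        role = least_privilege_role(task)
        print(sorted(task), "->", role.name, "excess:", audit_role(role, task))
    # No single role covers this combination, so the function refuses rather
    # than falling back to Sales Admin.
    print(least_privilege_role(frozenset({"sales_reports:write", "marketing_reports:read"})))
```

The tie-break on total permissions matters in real catalogues, where two roles often cover the same task; the weights are the part you would tune to your own data classification.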
Defense in Depth and Security Control Types
Defense in Depth
Defense in depth means layering multiple controls so that if one fails, others still protect the asset. It is key in complex hybrid environments.
Security Control Types
Security+ SY0-701 separates control categories, which describe who or what implements a control (technical, managerial, operational, physical), from control types, which describe what the control does (preventive, deterrent, detective, corrective, compensating, directive). A single control is described with one of each: a firewall, for example, is technical and preventive.
Combining Controls
Example: firewalls (technical, preventive), IDS (technical, detective), policies (managerial, directive), and locks (physical, preventive/deterrent) working together.
Exam Angle
When asked how to harden a system, look for answers that add complementary layers instead of relying on a single, stronger control.
Layered Controls Across Network, Host, Application, and Data
Network Layer Controls
Use VLANs, subnets, firewalls, and micro-segmentation. Do not trust internal networks by default; restrict lateral movement with access control lists.
Host and Endpoint Layer
Apply EDR, host firewalls, encryption, and patches. Zero trust checks device posture before granting or continuing access.
Application Layer
Implement strong authentication, RBAC/ABAC, and input validation. Apps should not rely only on network location to decide trust.
Data Layer
Encrypt data at rest and in transit, classify it, and enforce tight access controls. Even if a server is breached, data remains protected.
Security Baselines and Hardening in a Zero Trust World
What Is a Security Baseline?
A security baseline is a documented minimum security configuration that systems must meet before they are considered compliant.
Baseline Examples
OS baselines (patches, encryption), cloud baselines (network rules, logging), and identity baselines (MFA, password policies) are common.
Link to GRC
Baselines implement governance, risk, and compliance by turning policies into concrete, testable settings across the environment.
Exam Clues
When questions mention ensuring consistent hardening or reducing misconfigurations at scale, think baselines and secure templates, not manual tweaks.
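An added example, not from the original chapter, of what turning policy into testable settings looks like: a baseline expressed as settings with a comparison and an expected value, and a checker that reports drift per domain (OS, cloud, identity). The baseline items, thresholds and the two system snapshots are constructed and assumed; they are not a vendor benchmark.

```python
"""Check system snapshots against a security baseline (added example).

A baseline only helps if it is testable, so each item is a setting, a
comparison and an expected value. The baseline and the two snapshots below
are constructed for illustration; they are not a vendor benchmark.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: object
    actual: object
    status: str   # "noncompliant" or "missing"


# Constructed baseline. Key prefixes map to the examples in the text:
# os.* (patches, encryption), cloud.* (network rules, logging), identity.* (MFA, passwords).
BASELINE = {
    "os.patch_age_days":         ("max", 30),
    "os.disk_encryption":        ("eq", True),
    "os.host_firewall":          ("eq", True),
    "cloud.public_ingress":      ("eq", False),
    "cloud.flow_logs":           ("eq", True),
    "identity.mfa_required":     ("eq", True),
    "identity.min_password_len": ("min", 14),
    "identity.tls_min_version":  ("in", frozenset({"1.2", "1.3"})),
}

CHECKS = {
    "eq":  lambda actual, expected: actual == expected,
    "min": lambda actual, expected: actual >= expected,
    "max": lambda actual, expected: actual <= expected,
    "in":  lambda actual, expected: actual in expected,
}


def evaluate(snapshot, baseline=BASELINE):
    """Return one Finding per baseline item the snapshot fails.

    A setting the snapshot does not report at all is a finding too: an
    unknown state must fail closed rather than be assumed compliant.
    """
    findings = []
    for setting, (check, expected) in baseline.items():
        if setting not in snapshot:
            findings.append(Finding(setting, expected, None, "missing"))
            continue
        actual = snapshot[setting]
        if not CHECKS[check](actual, expected):
            findings.append(Finding(setting, expected, actual, "noncompliant"))
    return findings


def is_compliant(snapshot, baseline=BASELINE):
    return not evaluate(snapshot, baseline)


def by_domain(findings):
    """Group failing settings by domain (os, cloud, identity) for reporting."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.setting.split(".", 1)[0], []).append(f.setting)
    return grouped


# Constructed snapshots, as a configuration-management agent might report them.
GOLDEN_IMAGE = {
    "os.patch_age_days": 7, "os.disk_encryption": True, "os.host_firewall": True,
    "cloud.public_ingress": False, "cloud.flow_logs": True,
    "identity.mfa_required": True, "identity.min_password_len": 16,
    "identity.tls_min_version": "1.2",
}
# Patched late, host firewall off, a port opened to the internet, a weak
# password policy, and no TLS setting reported at all.
DRIFTED_HOST = {
    "os.patch_age_days": 45, "os.disk_encryption": True, "os.host_firewall": False,
    "cloud.public_ingress": True, "cloud.flow_logs": True,
    "identity.mfa_required": True, "identity.min_password_len": 8,
}

if __name__ == "__main__":
    print("golden image compliant:", is_compliant(GOLDEN_IMAGE))
    for f in evaluate(DRIFTED_HOST):
        print(f"{f.status:12} {f.setting}: expected {f.expected!r}, got {f.actual!r}")
    print(by_domain(evaluate(DRIFTED_HOST)))
```

The fail-closed handling of unreported settings is the detail that separates a baseline from a wish list: a host that cannot prove its TLS floor is treated as non-compliant until it can.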
Thought Exercise: Designing a Zero Trust Access Path
Imagine you are securing access to a sensitive HR web application in a hybrid environment. Employees connect from corporate laptops and personal devices, sometimes from home, sometimes from the office.
Your task: mentally design a zero trust, defense‑in‑depth access path. After you think it through, compare with the guided walkthrough below.
Questions to answer for yourself:
- How will users authenticate? What AAA controls will you use?
- How will you check device posture (corporate vs personal, patched vs outdated)?
- What network controls will you place between the user and the app?
- What application and data controls will enforce least privilege and need‑to‑know?
Now, a possible design:
- Authentication: Users sign in with SSO and MFA (authentication). Conditional access policies block high‑risk logins.
- Device posture: Only managed, encrypted corporate devices can access the full HR app. Personal devices get access only to a limited self‑service portal.
- Network controls: Users connect through a secure gateway that applies identity‑aware policies. The HR app is in a segmented subnet with strict firewall rules.
- Application and data: RBAC ensures HR staff can see full records, managers see only their team’s data, and regular employees see only their own information. Sensitive fields are encrypted in the database.
As you review, map each choice back to CIA, AAA, least privilege, and defense in depth. This is exactly the kind of reasoning the SY0-701 exam rewards.
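The design above as one working access path, added here as an example and not part of the original chapter. Every request re-runs the checks (MFA, sign-in risk, device posture, role scope) and filters fields by need-to-know, so a device that falls out of compliance mid-session loses access on its next request. The users, records, risk scores and thresholds are constructed and assumed, not from any identity provider or HR product.

```python
"""Zero trust access path for the HR app, evaluated on every request (added example).

Each call re-checks authentication (MFA), sign-in risk, device posture and
role scope, then filters the record returned. The users, records, thresholds
and risk scores are constructed for illustration and are not from any product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    role: str             # "hr", "manager" or "employee"
    mfa_verified: bool
    device_managed: bool  # corporate, MDM-enrolled device
    device_encrypted: bool
    patch_age_days: int   # days since the device was last patched
    risk_score: int       # 0-100 sign-in risk from the identity provider (assumed signal)


# Constructed HR records: employee id -> record. "manager" is the manager's user id.
RECORDS = {
    "e1": {"name": "Ana", "manager": "m1", "salary_band": "B3"},
    "e2": {"name": "Ben", "manager": "m1", "salary_band": "B2"},
    "e3": {"name": "Cy",  "manager": "m2", "salary_band": "B4"},
}
PATCH_SLA_DAYS = 30   # assumed device baseline
RISK_BLOCK = 70       # assumed conditional-access threshold
AUDIT_LOG = []        # accounting: every enforced decision is recorded


def device_tier(s):
    """Posture check: only a managed, encrypted, patched device gets the full app."""
    ok = s.device_managed and s.device_encrypted and s.patch_age_days <= PATCH_SLA_DAYS
    return "full" if ok else "self_service"


def visible_records(s):
    """Need-to-know: HR sees all, managers see their reports, employees see themselves."""
    if s.role == "hr":
        return set(RECORDS)
    if s.role == "manager":
        return {eid for eid, r in RECORDS.items() if r["manager"] == s.user}
    return {s.user} if s.user in RECORDS else set()


def authorize(s, action, target):
    """Return (decision, reason). Runs per request, so a posture or risk change
    mid-session revokes access on the next call rather than at the next login."""
    if not s.mfa_verified:
        return "deny", "mfa_required"
    if s.risk_score >= RISK_BLOCK:
        return "deny", "high_risk_signin"
    # Personal or non-compliant devices reach only the self-service view of one's own record.
    if device_tier(s) == "self_service" and not (action == "view" and target == s.user):
        return "deny", "device_not_compliant"
    if action == "view":
        return ("allow", "in_scope") if target in visible_records(s) else ("deny", "out_of_scope")
    if action == "edit":
        return ("allow", "hr_role") if s.role == "hr" else ("deny", "role")
    return "deny", "unknown_action"


def view(s, target):
    """Enforce the decision, log it, and strip the HR-only field for non-HR viewers."""
    decision, reason = authorize(s, "view", target)
    AUDIT_LOG.append({"user": s.user, "action": "view", "target": target,
                      "decision": decision, "reason": reason, "device": device_tier(s)})
    if decision != "allow":
        return None
    record = dict(RECORDS[target])
    if s.role != "hr":
        record.pop("salary_band")   # sensitive field: need-to-know applies per field too
    return record


if __name__ == "__main__":
    hr = Session("h1", "hr", True, True, True, 5, 10)
    ana_home = Session("e1", "employee", True, False, False, 0, 15)  # personal laptop
    print(view(hr, "e3"))                      # full record including salary band
    print(view(ana_home, "e1"))                # own record, salary band removed
    print(authorize(ana_home, "view", "e2"))   # blocked by device posture
    print(AUDIT_LOG[-1])
```

Mapping it back: the MFA and risk checks are authentication and context, `device_tier` is posture, `visible_records` and the salary-band filter are authorization under least privilege and need-to-know, and `AUDIT_LOG` is accounting. The network gateway and segmented subnet from the design sit outside this code; they are the layer that makes the app unreachable except through a path that runs these checks.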
Quiz 1: Zero Trust and Access Control
Answer this question to check your understanding of zero trust and least privilege.
An organization has moved many applications to the cloud. Users connect from various locations and devices. Security wants to implement zero trust principles. Which of the following MOST aligns with zero trust and least privilege?
- A. Place a next-generation firewall at the data center edge and allow all internal traffic by default.
- B. Require VPN access for remote users, then allow full network access once connected.
- C. Implement MFA, device compliance checks, and role-based access to each application, regardless of network location.
- D. Use MAC address filtering on internal switches to ensure only corporate devices can connect.
Answer: C. Implement MFA, device compliance checks, and role-based access to each application, regardless of network location.
Option C best matches zero trust and least privilege: strong identity (MFA), continuous device posture checks, and role-based access per application, independent of network location. A and B still rely on implicit trust once inside the network. D is weak and easy to spoof, and it focuses only on device identity, not user identity or authorization.
Quiz 2: Defense in Depth and Control Types
Test your ability to recognize layered controls and control types.
A security architect is asked to better protect a critical database server. Which combination BEST demonstrates defense in depth using multiple control types?
- A. Enable full-disk encryption on the server.
- B. Place the server behind a firewall, restrict access to a specific application server subnet, require MFA for admins, and enable detailed logging.
- C. Move the server to a larger data center with redundant power and cooling.
- D. Configure daily full backups of the database to offsite storage.
Answer: B. Place the server behind a firewall, restrict access to a specific application server subnet, require MFA for admins, and enable detailed logging.
Option B layers several controls: network segmentation and firewalls (technical, preventive), MFA (technical, preventive), and detailed logging (technical, detective/accounting). This is clear defense in depth. A, C, and D are useful but each focuses on a narrower aspect and does not show the same multi-layered approach.
Key Term Review: Zero Trust and Core Concepts
Review these core definitions and relationships; they are the ones you need for SY0-701.
- Zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- Hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- CIA triad components
- The CIA triad components are confidentiality, integrity, availability.
- AAA functions
- AAA functions are authentication, authorization, accounting.
- Least privilege
- An access control principle where users, processes, and systems are granted only the minimum permissions they need to perform their tasks, and no more.
- Need-to-know
- A confidentiality-focused principle where individuals can access specific information only if it is necessary for their job or function.
- Defense in depth
- A strategy of layering multiple, diverse security controls so that if one fails, others still protect the asset.
- Security control types (list)
- Control categories (who or what implements the control): technical, managerial, operational, physical. Control types (what the control does): preventive, deterrent, detective, corrective, compensating, directive.
- Security baseline
- A documented minimum security configuration that systems must meet before they are considered compliant.
- Governance, risk, and compliance
- Governance, risk, and compliance (GRC) is the practice of setting and enforcing organizational policy (governance), identifying and managing threats to objectives (risk), and meeting applicable laws, regulations, and standards (compliance) when securing enterprise environments.
Key Terms
- AAA
- A security framework of authentication, authorization, accounting used to control and track access.
- SY0-701
- SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
- CIA triad
- A foundational security model consisting of confidentiality, integrity, availability.
- CompTIA Security+
- CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.