Questions for the CCZT were updated on: Nov 21, 2025
What measures are needed to detect and stop malicious access
attempts in real-time and prevent damage when using ZTA's
centralized authentication and policy enforcement?
A. Audit logging and monitoring
B. Dynamic firewall policies
C. Network segregation
D. Dynamic access policies
A
To detect and stop malicious access attempts in real-time within a Zero Trust Architecture,
comprehensive audit logging and continuous monitoring are essential. These measures provide
visibility into all access attempts and activities within the network, allowing for the early detection of
suspicious behavior. By analyzing logs and monitoring network traffic, security teams can identify
and respond to potential threats in real-time, preventing unauthorized access and minimizing the
impact of any security incidents.
In a ZTA, automation and orchestration can increase security by
using the following means:
A. Kubernetes and Docker
B. Static application security testing (SAST) and dynamic application
security testing (DAST)
C. Data loss prevention (DLP) and cloud security access broker (CASB)
D. Infrastructure as code (IaC) and identity lifecycle management
D
IaC is a practice of managing and provisioning IT infrastructure through code, rather than through
manual processes or configuration tools [1]. IaC can increase security by enabling consistent,
repeatable, and scalable deployment of ZTA components, such as policies, gateways, firewalls, and
micro-segments [2]. IaC can also facilitate compliance, auditability, and change management, as
well as reduce human errors and configuration drift [3].
Identity lifecycle management is the process of managing the creation, modification, and deletion
of user identities and their access rights throughout their lifecycle [4]. Identity lifecycle
management can increase security by ensuring that users have the appropriate level of access to
resources at any given time, based on the principle of least privilege [5]. Identity lifecycle
management can also automate the provisioning and deprovisioning of user accounts, enforce strong
authentication and authorization policies, and monitor and audit user activity and behavior [6].
References:
[1] What is Infrastructure as Code? | Cloudflare
[2] Infrastructure as Code
[3] Security Best Practices
[4] What is Identity Lifecycle Management? | One Identity
[5] Identity and Access Management
[6] A Zero Trust Security Strategy
In a ZTA, what is a key difference between a policy decision point
(PDP) and a policy enforcement point (PEP)?
A. A PDP measures incoming signals against a set of access
determination criteria. A PEP uses incoming signals to open or close a
connection.
B. A PDP measures incoming signals and makes dynamic risk
determinations. A PEP uses incoming signals to make static risk
determinations.
C. A PDP measures incoming control plane authentication signals. A
PEP measures incoming data plane authorization signals.
D. A PDP measures incoming signals in an untrusted zone. A PEP
measures incoming signals in an implicit trust zone.
A
In a ZTA, a policy decision point (PDP) is a logical component that evaluates the incoming signals
from an entity requesting access to a resource against a set of access determination criteria, such as
identity, context, device, location, and behavior [1]. A PDP then makes a decision to grant or deny
access, or to request additional information or verification, based on the policies defined by the
policy administrator [1]. A policy enforcement point (PEP) is a logical component that uses the
incoming signals from the PDP to open or close a connection between the entity and the
resource [1]. A PEP acts as a gateway or intermediary that enforces the decision made by the PDP and
prevents unauthorized or risky access [2].
References:
[1] Zero Trust Architecture | NIST
[2] Policy Enforcement Point (PEP) - Pomerium
When kicking off ZT planning, what is the first step for an
organization in defining priorities?
A. Determine current state
B. Define the scope
C. Define a business case
D. Identifying the data and assets
B
The first step in Zero Trust planning for an organization is to define the scope of the initiative. This
involves determining which systems, networks, and data will be covered by the Zero Trust policies
and what the specific objectives are. A clearly defined scope helps in prioritizing efforts, allocating
resources effectively, and setting clear goals for what the Zero Trust implementation aims to achieve.
Which architectural consideration needs to be taken into account
while deploying SDP? Select the best answer.
A. How SDP deployment fits into existing network topologies and
technologies.
B. How SDP deployment fits into external vendor assessment.
C. How SDP deployment fits into existing human resource
management systems.
D. How SDP deployment fits into application validation.
A
A key architectural consideration that needs to be taken into account while deploying SDP is how SDP
deployment fits into existing network topologies and technologies. This is because SDP deployment
may require changes or adaptations to the existing network infrastructure, such as routers, switches,
firewalls, VPNs, etc. SDP deployment may also affect the network performance, availability,
scalability, and resilience. Therefore, it is important to assess the impact and compatibility of SDP
deployment with the existing network topologies and technologies, and to plan and design the SDP
deployment accordingly.
References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance; Zero Trust; Network Infrastructure and SDP
Optimal compliance posture is mainly achieved through two key ZT
features: _____ and _____
A. (1) Principle of least privilege (2) Verifying remote access
connections
B. (1) Discovery (2) Mapping access controls and network assets
C. (1) Authentication (2) Authorization of all networked assets
D. (1) Never trusting (2) Reducing the attack surface
C
Optimal compliance posture in a Zero Trust environment is primarily achieved through rigorous
authentication and authorization of all networked assets. Zero Trust operates on the principle of
"never trust, always verify," which necessitates robust authentication mechanisms to verify the
identity of users and devices. Following authentication, authorization ensures that each
authenticated entity has explicit permission to access only the resources necessary for its function,
aligning with the principle of least privilege. These practices ensure a secure and compliant posture
by minimizing the attack surface and reducing the risk of unauthorized access.
At which layer of the open systems interconnection (OSI) model
does network access control (NAC) typically operate? Select the
best answer.
A. Layer 6, the presentation layer
B. Layer 2, the data link layer
C. Layer 3, the network layer
D. Layer 4, the transport layer
B
Network access control (NAC) typically operates at layer 2, the data link layer, of the open systems
interconnection (OSI) model. The data link layer is responsible for transferring data between adjacent
nodes on a network, such as switches and endpoints. NAC operates at this layer by inspecting and
controlling the access of devices to the network based on their MAC addresses, device profiles,
security posture, and compliance status.
References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance; Zero Trust; Micro-segmentation
Which ZT element provides information that providers can use to
keep policies dynamically updated?
A. Communication
B. Data sources
C. Identities
D. Resources
B
Data sources are the ZT element that provides information that providers can use to keep policies
dynamically updated. Data sources are the inputs that feed the policy engine and the policy
administrator with the relevant data and context about the entities, resources, transactions, and
environment in the ZTA. Data sources help to inform the policy decisions and actions based on the
current state and conditions of the ZTA. Data sources can include identity providers, device
management systems, threat intelligence feeds, network monitoring tools, etc.
References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance; Zero Trust; ZTA Architecture and Components
How can ZTA planning improve the developer experience?
A. Streamlining access provisioning to deployment environments.
B. Require deployments to be grouped into quarterly batches.
C. Use of a third-party tool for continuous integration/continuous
deployment (CI/CD) and deployments.
D. Disallowing DevOps teams access to the pipeline or deployments.
A
ZTA planning can improve the developer experience by streamlining access provisioning to
deployment environments. This means that developers can access the resources and services they
need to deploy their applications in a fast and secure manner, without having to go through complex
and manual processes. ZTA planning can also help to automate and orchestrate the access
provisioning using dynamic and granular policies based on the context and attributes of the
developers, devices, and applications.
References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance; Zero Trust; ZTA Planning and Implementation
What steps should organizations take to strengthen access
requirements and protect their resources from unauthorized access
by potential cyber threats?
A. Understand and identify the data and assets that need to be
protected
B. Identify the relevant architecture capabilities and components that
could impact ZT
C. Implement user-based certificates for authentication
D. Update controls for assets impacted by ZT
A
The first step that organizations should take to strengthen access requirements and protect their
resources from unauthorized access by potential cyber threats is to understand and identify the data
and assets that need to be protected. This step involves conducting a data and asset inventory and
classification, which helps to determine the value, sensitivity, ownership, and location of the data
and assets. By understanding and identifying the data and assets that need to be protected,
organizations can define the appropriate access policies and controls based on the Zero Trust
principles of never trust, always verify, and assume breach.
References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance; Zero Trust; Data and Asset Classification
SDP incorporates single-packet authorization (SPA). After
successful authentication and authorization, what does the client
usually do next? Select the best answer.
A. Generates an SPA packet and sends it to the initiating host.
B. Generates an SPA packet and sends it to the controller.
C. Generates an SPA packet and sends it to the accepting host.
D. Generates an SPA packet and sends it to the gateway.
C
In the context of a Software-Defined Perimeter (SDP) that incorporates Single Packet Authorization
(SPA), after successful authentication and authorization, the client typically generates an SPA packet
and sends it to the accepting host. This process involves the client creating a specially crafted packet
that is designed to be recognized by the accepting host's SDP gateway. Upon receiving and validating
the SPA packet, the gateway allows the client to establish a connection to the designated services or
resources. This mechanism ensures that only authorized clients can initiate connections, enhancing
security by preventing unauthorized access.
What should be a key component of any ZT project, especially
during implementation and adjustments?
A. Extensive task monitoring
B. Frequent technology changes
C. Proper risk management
D. Frequent policy audits
C
Proper risk management should be a key component of any ZT project, especially during
implementation and adjustments, because it helps to identify, analyze, evaluate, and treat the
potential risks that may affect the ZT and ZTA objectives and outcomes. Proper risk management also
helps to prioritize the ZT and ZTA activities and resources based on the risk level and impact, and to
monitor and review the risk mitigation strategies and actions.
References: Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance; Zero Trust; Risk Management
How can we use ZT to ensure that only legitimate users can access
a SaaS or PaaS? Select the best answer.
A. Implementing micro-segmentation and mutual Transport Layer
Security (mTLS)
B. Configuring the security assertion markup language (SAML) service
provider only to accept requests from the designated ZT gateway
C. Integrating behavior analysis and geofencing as part of ZT controls
D. Enforcing multi-factor authentication (MFA) and single sign-on
(SSO)
D
To ensure that only legitimate users can access Software as a Service (SaaS) or Platform as a Service
(PaaS) in a Zero Trust framework, implementing robust authentication mechanisms is crucial.
Enforcing Multi-Factor Authentication (MFA) and Single Sign-On (SSO) are effective strategies. MFA
adds layers of security by requiring users to provide multiple pieces of evidence to verify their
identity, making unauthorized access significantly more challenging. SSO simplifies the user
experience by allowing users to access multiple services with one set of credentials while
maintaining high security standards, particularly when combined with MFA. These measures align
with the Zero Trust principle of "never trust, always verify," ensuring that access is granted only after
thorough verification of the user's identity.
What is one benefit of the protect surface in a ZTA for an
organization implementing controls?
A. Controls can be implemented at all ingress and egress points of the
network and minimize risk.
B. Controls can be implemented at the perimeter of the network and
minimize risk.
C. Controls can be moved away from the asset and minimize risk.
D. Controls can be moved closer to the asset and minimize risk.
D
The protect surface in a ZTA is the collection of sensitive data, assets, applications, and services
(DAAS) that require protection from threats [1]. One benefit of the protect surface in a ZTA for an
organization implementing controls is that it allows the controls to be moved closer to the asset and
minimize risk. This means that instead of relying on a single perimeter or boundary to protect the
entire network, ZTA enables granular and dynamic controls that are applied at or near the DAAS
components, based on the principle of least privilege [2]. This reduces the attack surface and the
potential impact of a breach, as well as improves the visibility and agility of the security posture [3].
References:
[1] Zero Trust Architecture | NIST
[2] A Step-by-Step Approach - Comparitech
[3] What is Zero Trust Architecture (ZTA)? - CrowdStrike
SDP features, like multi-factor authentication (MFA), mutual
transport layer security (mTLS), and device fingerprinting, protect
against
A. phishing
B. certificate forgery
C. domain name system (DNS) poisoning
D. code injections
A
SDP features, like multi-factor authentication (MFA), mutual transport layer security (mTLS), and
device fingerprinting, protect against phishing attacks by verifying the identity and authenticity of
both the user and the device before granting access to a resource. Phishing attacks are attempts to
trick users into revealing their credentials or other sensitive information by impersonating a
legitimate entity or service [1].
MFA is a security mechanism that requires a user to provide more than one piece of evidence
to prove their identity, such as a password, a one-time code, a biometric factor, or a physical
token [2]. MFA can protect against phishing attacks by making it harder for attackers to access a
resource even if they manage to obtain the user's password or other credentials [2].
mTLS is a security protocol that enables mutual authentication and encryption between two
parties, such as a client and a server [3]. mTLS can protect against phishing attacks by ensuring that
both the client and the server have valid and trusted certificates, and by preventing attackers from
intercepting or modifying the communication between them [3].
Device fingerprinting is a technique that identifies and verifies a device based on its unique
characteristics, such as its operating system, browser, IP address, or hardware configuration [4].
Device fingerprinting can protect against phishing attacks by allowing only authorized devices to
access a resource, and by detecting any anomalies or changes in the device's attributes that may
indicate a compromise [4].
References:
[1] What is Phishing? | How to Identify & Prevent Phishing Attacks | Cloudflare
[2] What is Multi-Factor Authentication (MFA)? | Cloudflare
[3] What is Mutual TLS (mTLS)? | Cloudflare
[4] What is Device Fingerprinting? | Cloudflare