Zero Trust Architecture
What the Exam Is Really Testing
Zero trust is not a product you buy. It is not a single technology you deploy.
CompTIA wants you to understand this:
Zero trust is an architectural approach where no user, device, or network segment is inherently trusted — every access request must be verified regardless of location.
The exam tests whether you can identify zero trust principles in a scenario and distinguish zero trust architecture from traditional perimeter-based security. You need to know the components — control plane, data plane, policy enforcement — and how deception technologies fit into a defensive strategy.
The Core Principle: Never Trust, Always Verify
Traditional security assumes that everything inside the network perimeter is trusted. A firewall guards the edge. Once you are inside, you move freely.
Zero trust rejects this assumption entirely.
- Being on the corporate network does not grant trust
- Being on a managed device does not grant trust
- Having authenticated once does not grant permanent trust
- Being a privileged user does not exempt you from verification
Every access request is evaluated independently. Every session is monitored. Trust is never assumed — it is continuously earned and verified.
Zero trust treats the internal network as hostile. Every request, from every user, from every device, is subject to authentication, authorization, and continuous validation.
Zero Trust Architecture Components
Control Plane vs. Data Plane
Zero trust architecture splits network functions into two planes:
Control Plane: This is where access decisions are made. It contains the policy engine, the policy administrator, and the identity verification systems. The control plane decides whether a request should be allowed or denied.
- Policy engine evaluates access requests against defined policies
- Policy administrator creates and manages the access policies
- Identity provider validates user and device identity
- Threat intelligence feeds inform risk-based decisions
Data Plane: This is where the actual data flows. It contains the resources being accessed and the policy enforcement points that execute the decisions made by the control plane.
- Policy enforcement points (PEPs) allow or block traffic based on control plane decisions
- Resources (applications, data, services) sit behind enforcement points
- Subject/system connections flow through the data plane
Think of it this way: the control plane is the brain that makes decisions. The data plane is the body that carries them out.
Policy Enforcement Points (PEPs)
PEPs are the gatekeepers. They sit between the user and the resource, enforcing whatever decision the policy engine makes. Every access request passes through a PEP.
In practice, PEPs can be:
- Next-generation firewalls
- API gateways
- Reverse proxies
- Software-defined perimeter controllers
- Cloud access security brokers (CASBs)
Microsegmentation
Microsegmentation divides the network into small, isolated zones. Each zone has its own access controls. Lateral movement — an attacker moving from one compromised system to another — becomes significantly harder.
Traditional segmentation uses VLANs and subnets. Microsegmentation goes further, creating security boundaries around individual workloads, applications, or even processes.
- Each segment has its own security policies
- Traffic between segments is inspected and controlled
- Compromising one segment does not grant access to others
- Reduces the blast radius of a breach
Adaptive Identity and Risk-Based Authentication
Zero trust does not apply the same authentication requirements to every request. It adapts based on risk.
- A user logging in from a known device in the office may need only standard MFA
- The same user logging in from a new device in another country triggers additional verification
- Accessing sensitive data may require step-up authentication even mid-session
- Behavioral anomalies (unusual access patterns, impossible travel) trigger policy changes in real time
This is adaptive identity — authentication requirements that flex based on the risk context of each request.
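An added example, not code from the original guide or from any vendor product: a small Python model of the control plane (policy engine) and a data-plane PEP described above, with adaptive, risk-based decisions and a per-request re-check so trust is never carried over. The user, device, country and risk weights are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample identity data; a real deployment would query an identity provider.
KNOWN_DEVICES = {"alice": {"laptop-a1"}}
HOME_COUNTRY = {"alice": "US"}
SENSITIVE = {"hr-db"}

@dataclass
class Request:
    user: str
    device: str
    country: str
    resource: str
    mfa: bool = False        # standard MFA completed for this request
    step_up: bool = False    # stronger step-up factor completed for this request

@dataclass
class Session:
    last_country: dict = field(default_factory=dict)  # user -> country on previous request

def policy_engine(req: Request, session: Session) -> tuple:
    """Control plane: decide one request on its own merits. Returns (allow, reason)."""
    if req.user not in HOME_COUNTRY:
        return False, "unknown identity"
    prev = session.last_country.get(req.user)
    session.last_country[req.user] = req.country
    if prev is not None and prev != req.country:
        return False, "impossible travel: session revoked"  # behavioral anomaly, real-time policy change
    risk = 0
    risk += 2 if req.device not in KNOWN_DEVICES[req.user] else 0  # new/unmanaged device
    risk += 2 if req.country != HOME_COUNTRY[req.user] else 0      # unusual location
    risk += 2 if req.resource in SENSITIVE else 0                   # sensitive data
    if not req.mfa:
        return False, "mfa required"       # baseline: even a known device in the office needs MFA
    if risk >= 2 and not req.step_up:
        return False, "step-up required"   # adaptive identity: higher risk, stronger verification
    return True, "allowed"

def enforcement_point(req: Request, session: Session) -> str:
    """Data plane: the PEP forwards to the resource only when the engine says allow."""
    allow, reason = policy_engine(req, session)
    if not allow:
        return f"DENIED {req.user}->{req.resource}: {reason}"
    return f"FORWARDED {req.user}->{req.resource}"

if __name__ == "__main__":
    s = Session()
    print(enforcement_point(Request("alice", "laptop-a1", "US", "wiki", mfa=True), s))
    print(enforcement_point(Request("alice", "laptop-a1", "US", "hr-db", mfa=True), s))  # step-up mid-session
    print(enforcement_point(Request("alice", "tablet-x9", "BR", "wiki", mfa=True), s))   # impossible travel
```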
Deception and Disruption Technology
Deception technologies are not unique to zero trust, but CompTIA groups them in this domain. These tools are designed to detect, confuse, and slow down attackers who have bypassed other controls.
Honeypots
A honeypot is a decoy system designed to look like a legitimate target. It has no production purpose. Any interaction with a honeypot is suspicious by definition.
- Attracts attackers away from real systems
- Provides early warning of intrusion
- Captures attacker tools, techniques, and procedures (TTPs)
- Can be configured as servers, databases, or network services
Honeynets
A honeynet is a network of honeypots. It simulates an entire network environment to engage attackers more deeply and gather more intelligence about their methods.
Honeyfiles
Honeyfiles are decoy documents or files placed in locations an attacker might access. They have names like "passwords.xlsx" or "employee_SSN.csv" to attract attention. Any access to these files triggers an alert.
Honeytokens
Honeytokens are fake data elements embedded in real systems. They can be fake database records, fake credentials, or fake API keys. When an attacker uses a honeytoken, it immediately reveals the breach.
DNS Sinkholes
A DNS sinkhole redirects malicious DNS queries to a controlled server instead of the attacker's infrastructure. This disrupts command-and-control (C2) communication and prevents malware from reaching its intended destination.
- Known malicious domains are redirected to internal servers
- Infected systems that try to call home are identified
- Reduces the impact of malware that has already been deployed
- Provides visibility into which internal systems are compromised
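An added example, not from the original page: a minimal DNS sinkhole resolver in Python that answers blocklisted names (and their subdomains) with an internal sinkhole address, plus the log check that identifies which internal hosts tried to call home. The blocklist, sinkhole address and resolver log lines are constructed sample values.

```python
from collections import defaultdict

SINKHOLE_IP = "10.0.0.250"  # constructed: internal server that answers for blocked domains
BLOCKLIST = {"evil-c2.example", "update-checker.example"}  # constructed threat-intel feed

# Constructed resolver query log, one "<client_ip> <qname>" per line.
QUERY_LOG = """\
10.1.4.17 www.example.org
10.1.4.17 beacon.evil-c2.example
10.1.7.3 mail.example.org
10.1.9.42 update-checker.example
10.1.4.17 evil-c2.example
"""

def is_blocked(qname: str) -> bool:
    """Match the exact domain or any subdomain of a blocklisted domain."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def resolve(qname: str, upstream) -> str:
    """Sinkhole resolver: blocked names get the sinkhole address, everything else goes upstream."""
    return SINKHOLE_IP if is_blocked(qname) else upstream(qname)

def infected_hosts(log: str) -> dict:
    """Second objective: which internal systems tried to call home, and for which domains."""
    hits = defaultdict(set)
    for line in log.splitlines():
        client, qname = line.split()
        if is_blocked(qname):
            hits[client].add(qname.lower().rstrip("."))
    return {host: sorted(domains) for host, domains in hits.items()}

if __name__ == "__main__":
    print(resolve("beacon.evil-c2.example", lambda q: "<upstream answer>"))
    for host, domains in infected_hosts(QUERY_LOG).items():
        print(f"{host} queried {', '.join(domains)}")
```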
Pattern Recognition
Security+ questions on zero trust and deception follow these patterns:
- Principle identification: "Which approach assumes the internal network is not trusted?" Zero trust. Any answer that implies implicit trust based on network location is wrong
- Component matching: "Where are access decisions made in zero trust?" The control plane. "Where are they enforced?" The data plane at policy enforcement points
- Microsegmentation triggers: When a question describes limiting lateral movement or reducing blast radius, the answer involves microsegmentation
- Deception identification: "A decoy server with no production function detected an intruder." This is a honeypot. If it is a decoy file, it is a honeyfile. If it is a fake credential, it is a honeytoken
- DNS sinkhole scenarios: "Infected machines are trying to contact known malicious domains." DNS sinkhole redirects those queries
Trap Patterns
Common wrong answers and why they are wrong:
- Confusing zero trust with VPN: A VPN provides secure connectivity but still trusts users once connected. Zero trust does not grant implicit trust based on connection method
- Confusing control plane with data plane: The control plane makes decisions. The data plane enforces them. If the question asks about policy evaluation, the answer is control plane. If it asks about enforcement, it is data plane
- Confusing honeypots with IDS: An IDS monitors real traffic for suspicious patterns. A honeypot is a fake system that attracts attackers. They serve different purposes
- Thinking microsegmentation is just VLANs: VLANs provide basic network segmentation. Microsegmentation creates granular, workload-level isolation with individual security policies
Scenario Practice
Question 1
An organization discovers that after an attacker compromised a single workstation, they were able to freely move between servers on the same subnet, accessing databases and file shares without additional authentication challenges.
Which zero trust principle would MOST effectively prevent this type of lateral movement?
A. Implementing a VPN for all internal network traffic between segments
B. Deploying microsegmentation with per-workload access controls and policies
C. Installing additional antivirus software on all servers in the subnet
D. Configuring a DNS sinkhole to redirect malicious domain queries
Answer & reasoning
Correct: B
The problem is lateral movement — the attacker moved freely between systems after the initial compromise. Microsegmentation creates security boundaries around individual workloads, requiring authentication and authorization for each access attempt.
A VPN secures connections but does not prevent movement within a trusted network. Antivirus does not address access control. DNS sinkholes address C2 communication, not lateral movement.
Question 2
A security team places a file named "Executive_Salaries_2026.xlsx" in a shared drive that is accessible to all employees. The file contains no real data but is configured to trigger an immediate alert when opened by any user.
What type of deception technology does this describe?
A. A honeypot system designed to simulate a vulnerable file server
B. A honeyfile designed to detect unauthorized access through user interaction
C. A DNS sinkhole designed to redirect malicious network traffic to analysis
D. A honeynet designed to simulate an entire network for attacker engagement
Answer & reasoning
Correct: B
This is a decoy file (honeyfile) placed to attract attention. It contains no real data and exists solely to trigger alerts when accessed. A honeypot is a decoy system, not a file. A honeynet is a network of honeypots. A DNS sinkhole redirects DNS queries.
Question 3
A company's security operations center notices that several internal workstations are attempting to resolve domains associated with a known botnet command-and-control infrastructure. The team wants to disrupt this communication while identifying which systems are infected.
Which technology should be implemented to achieve both objectives simultaneously?
A. Deploy network-based intrusion prevention systems to block all DNS traffic
B. Configure a DNS sinkhole to redirect malicious queries to a monitored server
C. Install host-based firewalls on every workstation to block outbound connections
D. Implement a honeynet to attract the botnet traffic away from the network
Answer & reasoning
Correct: B
A DNS sinkhole redirects queries for known malicious domains to a controlled server. This disrupts C2 communication (the malware cannot reach its controller) while simultaneously identifying which internal systems are infected (they are the ones making the queries).
Blocking all DNS traffic would disrupt legitimate operations. Host-based firewalls operate machine by machine and do not give the team a central view of which systems are infected. A honeynet attracts attackers but does not disrupt existing botnet communications.
Key Takeaway
Zero trust eliminates implicit trust from the network. Every access request is verified at a policy enforcement point, with decisions made by the control plane and enforced on the data plane. Microsegmentation limits lateral movement by isolating workloads. Deception technologies — honeypots, honeyfiles, honeytokens, and DNS sinkholes — detect and disrupt attackers who bypass preventive controls. On the exam, if a scenario involves trusting users because they are "inside the network," the correct answer will always challenge that assumption.