Introduction to ZTA - Implementation options of ZTA Flashcards

(94 cards)

1
Q

What does ZTA stand for?

A

Zero Trust Architecture

2
Q

Which document defines the various ZTA implementation approaches?

A

NIST SP 800-207

3
Q

What are the two main ZTA implementation approaches defined by NIST?

A
  • ZTA Using Micro-Segmentation
  • ZTA Using Network Infrastructure and Software-Defined Perimeters

4
Q

What is one of the primary ZTA implementation options covered in this unit?

A

CSA’s SDP

5
Q

Name another primary ZTA implementation option.

A

Zero Trust Network Access (ZTNA)

6
Q

What is the third primary ZTA implementation option mentioned?

A

Google BeyondCorp

7
Q

True or False: The unit focuses on ZTA implementation options outside of network architecture.

A

False

8
Q

Fill in the blank: The options presented in this unit align with NIST approaches including ZTA Using _______.

A

Micro-Segmentation

9
Q

Fill in the blank: The options presented in this unit align with NIST approaches including ZTA Using Network Infrastructure and _______.

A

Software-Defined Perimeters

10
Q

What does NIST stand for?

A

National Institute of Standards and Technology

11
Q

What is the primary focus of the NIST ZT model?

A

Designing secure workflows

12
Q

How many approaches does NIST provide for ZT implementation?

A

Three approaches

13
Q

Name one of the three NIST ZTA approaches.

A

ZTA using Enhanced Identity Governance

14
Q

Name another NIST ZTA approach.

A

ZTA using Micro-Segmentation

15
Q

Name the last NIST ZTA approach.

A

ZTA using Network Infrastructure and Software Defined Perimeters

16
Q

What factors influence the selection of a NIST ZT approach?

A

Existing business flows, requirements, and cybersecurity maturity level

17
Q

True or False: A fully-realized ZT solution incorporates elements from all three NIST ZTA approaches.

A

True

18
Q

Fill in the blank: The unit focuses on NIST approaches for ‘ZTA Using _______’ and ‘ZTA Using Network Infrastructure and Software-Defined Perimeters’.

A

Micro-Segmentation

19
Q

What does ZTA stand for?

A

Zero Trust Architecture

20
Q

What does NIST SP 800-207 outline?

A

ZT tenets

21
Q

What is the significance of policy rules in NIST ZT approaches?

A

They vary according to the components used and the organization’s environment

22
Q

Subsequent ZT training courses provide what?

A

A more comprehensive and expanded overview of NIST’s approach to ZT

23
Q

What is the Software-Defined Perimeter (SDP)?

A

An approach to enabling and enforcing Zero Trust principles by providing dynamically provisioned air-gapped networks.

24
Q

What does Zero Trust (ZT) require in terms of access verification?

A

Verification of anything and everything attempting to access assets prior to authorization.

25
How does SDP improve security posture?
By defending against new variations of old attack methods and adapting to expanding attack surfaces.
26
What is the default policy enforced by the SDP gateway?
Drop-all policy until users/devices are authenticated and authorized.
27
List the major components of SDP architecture.
* Client/initiating host (IH)
* Service/accepting host (AH)
* SDP controller
* SDP gateway
28
What is the role of the SDP controller?
Secures access to isolated services by ensuring authentication, authorization, device validation, and secure communications.
29
What types of devices can act as the initiating host (IH)?
Laptops, tablets, and smartphones.
30
True or False: The AH devices typically reside on a network under the enterprise's control.
True.
31
What are the four key responsibilities of the SDP controller?
* Users are authenticated and authorized
* Devices are validated
* Secure communications are established
* User and management traffic remain separate
32
What deployment options are available for implementing SDP?
* Client-to-Gateway
* Client-to-Server
* Server-to-Server
* Client-to-Server-to-Client
* Client-to-Gateway-to-Client
* Gateway-to-Gateway
33
What principle ensures that users can only access resources they are explicitly granted permissions to?
Principle of least privilege.
34
What must be verified before the IH can connect to the AH?
The IH and users must be authenticated and authorized by the controller.
35
Fill in the blank: SDP controllers should be designed for high _______ to withstand attacks.
availability
36
What should be considered when deploying gateways in an SDP?
They can block a service in the event of failure or overload.
37
How can SDP controllers inform access policies?
Through internal user-to-service mapping or connections to third-party services.
38
What is a common use case for deploying Zero Trust Architecture (ZTA) with multiple cloud providers?
Managing a local network while using two or more cloud service providers for hosting applications/services and data.
39
What is a prominent use case of ZTA?
Cross-enterprise collaboration
40
In a cross-enterprise collaboration, which enterprises are involved in the hypothetical project example?
Enterprise A and Enterprise B
41
Who manages the project database in the collaboration between Enterprise A and Enterprise B?
Enterprise A
42
What is required for Enterprise B employees in the context of accessing data from Enterprise A?
Specialized accounts
43
What must be denied to all other resources for Enterprise B employees accessing data from Enterprise A?
Access
44
What can complicate the management of access permissions between Enterprise A and Enterprise B?
The approach of setting up specialized accounts
45
What system can streamline the configuration of permissions for cross-enterprise collaboration?
Federated ID management system
46
What is necessary for both organizations' PEPs in a federated ID community?
Authenticate subjects
47
What are the main advantages of SDP?
Maturity and widespread adoption
Footnote: SDP has been supported by prominent enterprises and institutions such as the DOD.
48
What types of deployments is SDP used for?
Hybrid and multi-cloud deployments, VPN replacement, securing IoT
Footnote: SDP is implemented across various industries for differing purposes.
49
What ongoing events contribute to SDP's popularity?
Regular hackathons testing SDP's attack durability
Footnote: These events help validate the security of SDP.
50
What mechanisms are effective for enforcing ZT principles in SDP?
SPA and mTLS
Footnote: These mechanisms enhance security without compromising user experience.
51
How does SDP improve user experience?
Provides robust security while replacing legacy solutions
Footnote: SDP can enhance the overall experience for users.
52
Is SDP easy to implement?
Yes, it is relatively easy to implement and can complement existing solutions
Footnote: Organizations can adopt a gradual implementation or migration to SDP.
53
What kind of environments can SDP protect?
Highly complex deployments, such as hybrid and multi-cloud environments
Footnote: SDP's distributed and scalable nature aids in protecting these environments.
54
What is a built-in feature of SDP's architecture?
High availability
Footnote: This feature ensures that services remain accessible.
55
What is a major disadvantage of SDP?
Requirement for client agent installation on each endpoint
Footnote: This can complicate deployment for organizations.
56
What access methods are primarily supported by SDP?
Traditional user access methods
Footnote: API-based, micro-service, and serverless access methods are not well-supported.
57
What does ZTNA stand for?
Zero Trust Network Access
58
Which three models have influenced ZTNA?
CSA’s SDP, Google’s BeyondCorp, and ZTNA itself
59
What is the primary premise of ZTNA?
Neither users nor applications are behind the perimeter
60
What are the two distinct architectures of ZTNA?
* Endpoint-initiated ZTNA
* Service-initiated ZTNA
61
What is a key feature of endpoint-initiated ZTNA?
A lightweight agent is installed on the end-user’s device
62
What is a disadvantage of endpoint-initiated ZTNA?
Difficult to implement on unmanaged devices
63
How does service-initiated ZTNA function?
Uses a broker between the user and the application
64
What is the role of the lightweight ZTNA connector in service-initiated ZTNA?
Establishes an outbound connection from the service to the ZTNA service broker
65
What does ZTNA assume about the user access environment?
It assumes a hostile user access environment
66
What principle does ZTNA operate under regarding user access?
Never trust, always verify
67
What is a major advantage of using ZTNA?
Reduces the attack surface by hiding services behind brokers
68
In what mode can ZTNA be implemented?
* Stand-alone product
* As a service
69
What are some advantages of cloud-based ZTNA?
* Scalability
* Ease of adoption
70
What is a significant disadvantage of ZTNA in terms of malicious actors?
Cannot guard against malicious actors already inside the perimeter
71
What technology provides continuous inspection beyond initial connection authorization?
Secure access service edge (SASE)
72
What is a challenge related to policy management in ZTNA?
Orders of magnitude more complex for programmatic access
73
Fill in the blank: ZTNA is often considered a _______ replacement.
VPN
74
True or False: ZTNA can guard against all types of malicious actors.
False
75
What is BeyondCorp?
Google’s internal network and access security platform designed to enable employee access to internal resources
Footnote: BeyondCorp Enterprise is available to organizations with Google-based IT infrastructures.
76
What is the primary component of BeyondCorp?
The web proxy
Footnote: It acts as the chokepoint every user/device needs to traverse to access the organization’s resources.
77
List notable features of BeyondCorp.
* Any access to protected resources is done via proxy
* Device and user identities are checked using a device inventory and user/group database
* 802.1x protocol is used for verifying managed devices and providing micro-segmentation
* An access control engine authorizes the organization’s applications and services
* A data pipeline feeds additional information into the access control engine
Footnote: Additional information includes location, device/user trust levels, etc.
78
How does BeyondCorp comply with Zero Trust (ZT) principles?
* Device/user must be authenticated and authorized by the access proxy before connecting to enterprise applications
* The access proxy denies any access request from unauthenticated users or devices
* Each access request is handled separately by the access proxy, following the principle of least privilege
* The access proxy is continuously monitored, logging all network communications
Footnote: This includes both legitimate and illegitimate access attempts.
79
Fill in the blank: The access proxy in BeyondCorp is the _______ of all access attempts and communication.
choke point
80
True or False: BeyondCorp allows access requests from unauthenticated users.
False
81
What protocol is used in BeyondCorp to verify managed devices?
802.1x
82
What does the access control engine in BeyondCorp do?
Provides authorization for the organization’s applications and services
83
Fill in the blank: BeyondCorp uses a _______ to check device and user identities.
device inventory and user/group database
84
What is the purpose of the data pipeline in BeyondCorp?
To feed additional information into the access control engine
85
What is BeyondCorp?
Google’s proprietary implementation of Zero Trust Architecture (ZTA)
Footnote: BeyondCorp focuses on providing secure access to applications without relying on traditional perimeter security.
86
What are the limited implementation options for BeyondCorp?
Some organizations implement a simplified version using an access proxy only
Footnote: This means additional components like device inventory and trust engine are left out.
87
What is the Service Initiated (Remote Application Access) approach in BeyondCorp?
A connector is deployed on the same network as shared applications to establish an outbound session
Footnote: Users/devices authenticate with the provider to access protected applications.
88
How does the authentication workflow function in BeyondCorp's implementation?
Users are forced through an authentication workflow before access is granted
Footnote: This prevents direct access to applications until the authentication process is complete.
89
What is the significance of the agentless model in BeyondCorp?
Agent software is not required on the connecting device
Footnote: Application access occurs over HTTP/HTTPS at layer 7 of the OSI model.
90
What are the advantages of BeyondCorp?
Does not require client agent installation on devices; devices must be registered in the inventory
Footnote: Each device is assigned a unique certificate.
91
What are the disadvantages of BeyondCorp?
Less flexible, difficult to integrate with existing security mechanisms, lack of strong cryptographic controls
Footnote: Compared to SDP, BeyondCorp's access proxy is less scalable and secure.
92
True or False: BeyondCorp requires client agent installation on connecting devices.
False
Footnote: BeyondCorp does not require client agent installation, but devices should be registered.
93
Fill in the blank: BeyondCorp's lack of strong cryptographic controls makes it less secure than _______.
SDP
Footnote: Strong cryptographic controls are necessary for implementing an invisible cloud.
94
What role does the access proxy play in BeyondCorp?
It handles both control and data traffic
Footnote: This makes it less scalable and secure compared to the SDP controller.