1.2 Summarize fundamental security concepts
📘CompTIA Security+ (SY0-701)
🧩 What is Zero Trust?
Zero Trust is a security model based on the idea of “never trust, always verify.”
In traditional network security, anything inside the network was considered “trusted.”
But in the Zero Trust model, no one and nothing is trusted automatically — not even users, systems, or devices inside the organization’s network.
Every access request must be verified, authorized, and continuously monitored, regardless of whether the request comes from inside or outside the network.
⚙️ The Core Principle of Zero Trust
Trust is never given automatically; it must be earned and verified each time.
This means:
- Users must prove who they are (authentication).
- Devices must prove they are secure and authorized.
- Access is granted only to what is necessary (least privilege).
- Activities are continuously monitored for anomalies or suspicious behavior.
🧠 Why Zero Trust Is Important
Modern IT environments are not just one big internal network anymore.
Organizations use:
- Cloud services (Microsoft 365, AWS, Google Cloud)
- Remote workers
- Mobile devices
- IoT devices
- Third-party vendors
These make the traditional perimeter-based security model (firewalls, internal trust) less effective.
Zero Trust helps protect data and systems by ensuring each access request is checked and validated, even if it comes from within.
🔄 Key Components of Zero Trust
Zero Trust is built using two major planes:
- Control Plane
- Data Plane
Let’s break these down.
🧭 1️⃣ CONTROL PLANE
The Control Plane is responsible for making security decisions — deciding who gets access to what and under what conditions.
Think of it as the “brain” of Zero Trust.
It handles:
- Identity verification
- Access policies
- Authentication
- Authorization
Two key concepts are part of the Control Plane:
🔹 Adaptive Identity
Adaptive Identity means identity verification that adjusts based on context and risk level.
Instead of using a simple static login (like username and password only), the system analyzes several factors before allowing access.
Examples in IT environment:
- User logging in from a new location or unrecognized device → system requests multi-factor authentication (MFA).
- If a user logs in from a trusted company laptop on a corporate network, fewer checks might be needed.
- If abnormal behavior is detected (like accessing sensitive data at 3 AM), access may be blocked or limited.
So, adaptive identity = intelligent and flexible identity verification, based on risk.
🔹 Policy-Driven Access Control
In Zero Trust, access decisions are controlled by policies, not assumptions.
Policies define:
- Who can access (user or system identity)
- What they can access (resources or data)
- When and how they can access (conditions)
Policies are usually created and managed through a centralized security management system such as:
- Microsoft Entra ID (Azure AD Conditional Access)
- Okta
- Cisco Zero Trust
- Palo Alto Prisma Access
Example in IT environment:
- A policy might say:
“Only finance department users using company-managed laptops with up-to-date antivirus can access the accounting application.”
If the conditions are not met → access is denied.
✅ Summary of Control Plane:
| Component | Purpose |
|---|---|
| Adaptive Identity | Continuously verify identity based on context (location, device, time, behavior) |
| Policy-Driven Access Control | Enforce who can access what, when, and how, based on rules and conditions |
📦 2️⃣ DATA PLANE
The Data Plane is responsible for executing and enforcing the decisions made by the Control Plane.
It’s like the “hands” of Zero Trust — it actually applies the policies and controls the data flow.
🔹 Implicit Trust Zones
In older security models, networks often had trusted zones (like the internal LAN) and untrusted zones (like the internet).
Inside the LAN, devices were trusted automatically.
In Zero Trust, there are no implicit trust zones.
That means:
- Every device, user, and connection is treated as potentially untrusted.
- Verification happens even within internal networks.
- Microsegmentation is used — the network is divided into smaller secure zones, and communication between zones is strictly controlled.
Example in IT environment:
- A user in the HR department cannot automatically access the Finance department’s database even though both are inside the same corporate LAN.
- Network access control (NAC) or software-defined networking (SDN) solutions enforce this segmentation.
🔹 Subject/System
In Zero Trust, both subjects (users, applications, or devices requesting access) and systems (resources being accessed, like servers or databases) are verified.
Before communication happens:
- The subject’s identity and device posture (health, compliance) are validated.
- The system being accessed must also be secure and verified.
- Communication happens only if both ends meet security policy requirements.
Example:
- A cloud storage system verifies that the laptop connecting to it has disk encryption enabled and antivirus updated before allowing access.
🔹 Policy Enforcement
This is where the rules set by the Control Plane are enforced in the Data Plane.
It includes:
- Firewalls
- Secure Access Service Edge (SASE)
- Software-Defined Perimeter (SDP)
- Endpoint detection and response (EDR)
- Microsegmentation tools
The Data Plane makes sure that:
- Policies are followed.
- Data access is logged and monitored.
- Unauthorized attempts are blocked immediately.
Example:
- If a policy says “deny access to servers from non-corporate devices,” the enforcement point blocks that traffic instantly.
✅ Summary of Data Plane:
| Component | Purpose |
|---|---|
| Implicit Trust Zones | No area of the network is automatically trusted; all access is verified |
| Subject/System | Both users and devices must be verified before communication |
| Policy Enforcement | Applies and enforces access rules and monitors for violations |
🔄 CONTROL PLANE vs DATA PLANE
| Feature | Control Plane | Data Plane |
|---|---|---|
| Function | Makes decisions about access | Enforces those decisions |
| Focus | Identity, policies, authentication | Traffic, enforcement, monitoring |
| Example | Azure Conditional Access deciding who can log in | Firewall applying the rule to allow or block the connection |
🧩 How Zero Trust Is Implemented in IT Environments
- Strong Identity Management
- Centralized identity provider (e.g., Azure AD)
- Multi-Factor Authentication (MFA)
- Adaptive identity checks
- Device Security Verification
- Ensure only compliant devices (with updated OS, antivirus, encryption) can connect.
- Network Segmentation
- Divide networks into small zones (microsegmentation).
- Enforce policies between each zone.
- Least Privilege Access
- Users and devices get only the access they need to do their job.
- Continuous Monitoring
- Use SIEM (Security Information and Event Management) and EDR to detect and respond to suspicious activity.
📘 Exam Tips for Security+ SY0-701
- Zero Trust = Never trust, always verify.
- Understand the difference between Control Plane and Data Plane.
- Remember:
- Control Plane → makes decisions (adaptive identity, policy control).
- Data Plane → enforces decisions (no implicit trust, policy enforcement).
- Know that Zero Trust applies to users, devices, applications, and networks.
- Zero Trust is about continuous verification, not one-time authentication.
- It works best with:
- MFA
- Device compliance checks
- Network segmentation
- Policy-based access control
🧾 Summary Chart for Quick Review
| Plane | Component | Description | Example |
|---|---|---|---|
| Control Plane | Adaptive Identity | Verifies users dynamically based on behavior, location, device | MFA challenge for unusual login |
| Control Plane | Policy-Driven Access Control | Centralized policies decide who gets access | Conditional access in Azure AD |
| Data Plane | Implicit Trust Zones | No automatic trust; every access verified | Microsegmentation in a data center |
| Data Plane | Subject/System | Both user and resource verified | Device compliance check before accessing cloud storage |
| Data Plane | Policy Enforcement | Applies rules to traffic | Firewall blocks non-compliant devices |
