Weekly CISSP Practice
Exam Questions
Week 19 - Question 1
In Zero Trust Architecture, which principle is fundamental?
A. Trust but verify
B. Always trust internal networks
C. Never trust, always verify
D. Perimeter defense is enough
Answer: C
Explanation:
A. Trust but Verify
This was a popular security mantra for years, but it is now regarded as the old way of thinking.
The Flaw: Trust is granted up front (often simply because the user or device is on the corporate network) and only audited or verified afterwards.
The Zero Trust Correction: In a Zero Trust model, trust is never granted based on location. There is no "grace period" and no default-trusted state; every request is verified before it is allowed.
B. Always Trust Internal Networks
This is the "flat network" philosophy that Zero Trust was specifically designed to replace.
The Risk: Attackers love this model. Once they compromise a single VPN account or an office workstation, they can move laterally across the entire network because internal systems trust each other implicitly.
The Zero Trust View: Zero Trust treats the internal corporate network as if it were the public internet: hostile and untrusted.
C. Never Trust, Always Verify
This is the core identity of Zero Trust, the architecture described in NIST SP 800-207. It means that no matter where the request comes from, whether the CEO's laptop in the office or a contractor's tablet in a coffee shop, the security requirements remain the same.
The Three Pillars (this three-principle formulation is Microsoft's; NIST SP 800-207 expresses the same ideas as seven tenets):
Verify Explicitly: Always authenticate and authorize based on all available data points (user identity, location, device health, service or workload, data classification, and anomalies), on every request, not just at login.
Use Least Privileged Access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), so a grant covers only the resource and action needed, for only as long as needed.
Assume Breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to gain visibility and drive threat detection.
D. Perimeter Defense is Enough
This describes the "M&M" security model: hard and crunchy on the outside, soft and chewy on the inside.
The Reality: Modern business happens outside the perimeter (cloud, SaaS, remote work). Relying solely on a firewall to protect the "inside" is insufficient when the data is in the cloud and the users are at home.
The Zero Trust Approach: Zero Trust moves the "perimeter" to the identity and to micro-segmentation boundaries around each individual resource.
Key Takeaway for the CISSP Exam
Zero Trust Components:
- Policy Decision Point (PDP): The "brain" that decides whether access should be granted based on policy. In NIST SP 800-207 it consists of the Policy Engine (which makes the decision) and the Policy Administrator (which tells the PEP to open or close the session).
- Policy Enforcement Point (PEP): The "brawn" that actually allows or blocks the traffic (a gateway, proxy, or agent sitting in front of each resource); it forwards nothing the PDP has not approved.
- Micro-segmentation: Breaking the network into small segments, ideally one per resource, so that if one server is compromised the attacker cannot reach the others.
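The following is an added example, not code from the original post, showing the three pillars above (verify explicitly, least privilege with JIT/JEA, assume breach) and the PDP/PEP split in a single small policy engine. The resource list, role assignments, identities, risk scores and the 15-minute JIT lifetime are constructed sample data; a real deployment would pull these from an identity provider, an MDM/EDR posture service and a policy store. Note what the decision function never reads: the source network. A request from the corporate LAN with no MFA is denied, a request from a coffee shop that passes every check is allowed, and the resulting grant is scoped to one resource and one action and lapses after its TTL.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# --- Constructed sample data (assumptions for this example, not from the page) ---
# Per-resource policy: which roles may perform which action on which resource.
# Each resource is its own segment; a grant for one never covers another.
RESOURCE_POLICY = {
    "payroll-db": {"read": {"hr-analyst"}, "write": {"hr-admin"}},
    "build-server": {"read": {"developer"}, "write": {"release-eng"}},
}
ROLE_ASSIGNMENTS = {"alice": {"hr-analyst"}, "bob": {"developer"}, "ceo": {"executive"}}
JIT_TTL = timedelta(minutes=15)  # just-in-time access expires quickly
MAX_RISK = 50                    # anomaly score above which access is refused
DEMO_NOW = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(minutes=16)  # one minute after the JIT grant lapses


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # authenticated identity, never an IP address
    resource: str           # the single resource being requested
    action: str             # "read" or "write"
    mfa: bool               # did this session complete MFA?
    device_compliant: bool  # endpoint posture as attested by MDM/EDR
    source_network: str     # "corp" or "internet": logged, never trusted
    risk_score: int         # 0-100 anomaly score from analytics


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    action: str
    expires_at: datetime


class PolicyDecisionPoint:
    """The 'brain': evaluates every request against all signals, every time."""

    def decide(self, req: AccessRequest, now: datetime) -> tuple[bool, str, Optional[Grant]]:
        # Verify explicitly: every signal must pass on every request.
        # req.source_network is deliberately never consulted: being on the
        # corporate LAN buys no trust.
        if not req.mfa:
            return False, "mfa required", None
        if not req.device_compliant:
            return False, "device not compliant", None
        if req.risk_score > MAX_RISK:
            return False, "risk score too high", None
        # Least privilege: authorization is scoped to one resource and one action.
        allowed_roles = RESOURCE_POLICY.get(req.resource, {}).get(req.action, set())
        if not (ROLE_ASSIGNMENTS.get(req.subject, set()) & allowed_roles):
            return False, "not authorized for this resource/action", None
        # JIT/JEA: the grant covers exactly this subject/resource/action and expires.
        return True, "allowed", Grant(req.subject, req.resource, req.action, now + JIT_TTL)


class PolicyEnforcementPoint:
    """The 'brawn': sits in front of a resource and forwards only what the PDP allows."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit: list[tuple] = []  # every decision is logged for analytics (assume breach)

    def handle(self, req: AccessRequest, now: datetime = DEMO_NOW) -> dict:
        allowed, reason, grant = self.pdp.decide(req, now)
        self.audit.append((req.subject, req.resource, req.action, req.source_network, allowed, reason))
        if not allowed:
            return {"status": "denied", "reason": reason}
        return {"status": "ok", "grant": grant}

    @staticmethod
    def grant_is_live(grant: Grant, req: AccessRequest, now: datetime) -> bool:
        """Re-check an issued grant on use: right scope and not yet expired."""
        scope_ok = (grant.subject, grant.resource, grant.action) == (req.subject, req.resource, req.action)
        return scope_ok and now < grant.expires_at


def run_demo() -> dict:
    """Replay a few constructed requests and return the PEP's verdicts by scenario."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint())
    ceo_lan_no_mfa = AccessRequest("ceo", "payroll-db", "read", False, True, "corp", 5)
    alice_cafe = AccessRequest("alice", "payroll-db", "read", True, True, "internet", 10)
    alice_write = AccessRequest("alice", "payroll-db", "write", True, True, "internet", 10)
    alice_other_segment = AccessRequest("alice", "build-server", "read", True, True, "internet", 10)
    bob_anomalous = AccessRequest("bob", "build-server", "read", True, True, "corp", 80)
    results = {
        "ceo_lan_no_mfa": pep.handle(ceo_lan_no_mfa),
        "alice_cafe": pep.handle(alice_cafe),
        "alice_write": pep.handle(alice_write),
        "alice_other_segment": pep.handle(alice_other_segment),
        "bob_anomalous": pep.handle(bob_anomalous),
    }
    grant = results["alice_cafe"]["grant"]
    results["alice_grant_now"] = pep.grant_is_live(grant, alice_cafe, DEMO_NOW)
    results["alice_grant_later"] = pep.grant_is_live(grant, alice_cafe, DEMO_LATER)
    results["alice_grant_reused_elsewhere"] = pep.grant_is_live(grant, alice_other_segment, DEMO_NOW)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:32} {verdict}")
```

Run it as a script to see each verdict. The design choice worth noticing is that the PEP holds no policy of its own: it cannot "let the LAN through" because the only thing it knows how to do is call the PDP and enforce the answer, and a grant it was handed for payroll-db is useless for build-server even for the same user inside the same 15 minutes.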
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.