CCZT Free Practice Test

In SaaS and PaaS, which access control method will ZT help define for access to the features within a service?

1. A. Data-based access control (DBAC)
2. B. Attribute-based access control (ABAC)
3. C. Role-based access control (RBAC)
4. D. Privilege-based access control (PBAC)

Correct Answer: B
ABAC is an access control method that uses attributes of the requester, the resource, the environment, and the action to evaluate and enforce policies. ABAC allows for fine-grained and dynamic access control based on the context of the request, rather than predefinedroles or privileges. ABAC is suitable for SaaS and PaaS, where the features within a service may vary depending on the customer??s needs, preferences, and subscription level. ABAC can help implement ZT by enforcing the principle of least privilege and verifying every request based on multiple factors.
References =
✑ Attribute-Based Access Control (ABAC) Definition
✑ General Access Control Guidance for Cloud Systems
✑ A Guide to Secure SaaS Access Control Within an Organization

What is the function of the rule-based security policies configured on the policy decision point (PDP)?

1. A. Define rules that specify how information can flow
2. B. Define rules that specify multi-factor authentication (MFA) requirements
3. C. Define rules that map roles to users
4. D. Define rules that control the entitlements to assets

Correct Answer: D
Rule-based security policies are a type of attribute-based access control (ABAC) policies that define rules that control the entitlements to assets, such as data, applications, or devices, based on the attributes of the subjects, objects, and environment. The policy decision point (PDP) is the component in a zero trust architecture (ZTA) that evaluates the rule-based security policies and generates an access decision for each request. References =
✑ Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2
✑ A Zero Trust Policy Model | SpringerLink, section ??Rule-Based Policies??
✑ Zero Trust architecture: a paradigm shift in cybersecurity - PwC, section ??Security policy and control framework??

To ensure an acceptable user experience when implementing SDP, a security architect should collaborate with IT to do what?

1. A. Plan to release SDP as part of a single major change or a "big-bang" implementation.
2. B. Model and plan the user experience, client software distribution, and device onboarding processes.
3. C. Build the business case for SDP, based on cost modeling and business value.
4. D. Advise IT stakeholders that the security team will fully manage all aspects of the SDP rollout.

Correct Answer: B
To ensure an acceptable user experience when implementing SDP, a security architect should collaborate with IT to model and plan the user experience, client software distribution, and device onboarding processes. This is because SDP requires users to install and use client software to access the protected resources, and the user experience may vary depending on the device type, operating system, network conditions, and security policies. By modeling and planning the user experience, the security architect and IT can ensure that the SDP implementation is user-friendly, consistent, and secure.
References = Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 7: Network Infrastructure and SDP

To validate the implementation of ZT and ZTA, rigorous testing is essential. This ensures that access controls are functioning correctly and effectively safeguarded against potential threats, while the intended service levels are delivered. Testing of ZT is therefore

1. A. creating an agile culture for rapid deployment of ZT
2. B. integrated in the overall cybersecurity program
3. C. providing evidence of continuous improvement
4. D. allowing direct user feedback

Correct Answer: C
Testing of ZT is providing evidence of continuous improvement because it helps to measure the effectiveness and efficiency of the ZT and ZTA implementation. Testing of ZT also helps to identify and address any gaps, issues, or risks that may arise during the ZT and ZTA lifecycle. Testing of ZT enables the organization to monitor and evaluate the ZT and ZTA performance and maturity, and to apply feedback and lessons learned to improve the ZT and ZTA processes and outcomes.
References = Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 8: Testing and Validation

The following list describes the SDP onboarding process/procedure. What is the third step? 1. SDP controllers are brought online first. 2. Accepting hosts are enlisted as SDP gateways that connect to and authenticate with the SDP controller. 3.

1. A. Initiating hosts are then onboarded and authenticated by the SDP gateway
2. B. Clients on the initiating hosts are then onboarded and authenticated by the SDP controller
3. C. SDP gateway is brought online
4. D. Finally, SDP controllers are then brought online

Correct Answer: A
The third step in the SDP onboarding process is to onboard and authenticate the initiating hosts, which are the clients that request access to the protected resources. The initiating hosts connect to and authenticate with the SDP gateway, which acts as an accepting host and a proxy for the protected resources. The SDP gateway verifies the identity and posture of the initiating hosts and grants them access to the resources based on the policies defined by the SDP controller.
References =
✑ Certificate of Competence in Zero Trust (CCZT) prepkit, page 21, section 3.1.2
✑ 6 SDP Deployment Models to Achieve Zero Trust | CSA, section ??Deployment Models Explained??
✑ Software-Defined Perimeter (SDP) and Zero Trust | CSA, page 7, section 3.1