Zscaler Architect Exam Question Bank: Zero Trust Architecture, Exams of Computer Science

A comprehensive overview of Zscaler architect exam questions related to zero trust architecture. It covers key concepts such as secure access, policy enforcement, and risk management within a zero trust framework. The document also discusses the operational advantages of the Zero Trust Exchange, including automation, built-in tools, and integration with Microsoft 365. It explores the phases of implementing zero trust for users and workloads, emphasizing the importance of adapting processes and leveraging vendor tools for effective policy updates and diagnostics. The document further explains the principles of data classification using EDM and IDM, highlighting the need for granular context-based policies and continuous monitoring to reduce the attack surface and prevent lateral movement.

Typology: Exams

2024/2025

Available from 07/20/2025

Martin-Ray-1

Zscaler Architect Exam Complete Question Bank (Latest Edition)
For zero trust architecture to be built properly, the focus must not solely be on security. It must be built in such a way that?
the user experience is fast and reliable, deployment is as simple as possible, and ongoing operations are streamlined and outage-free

To ensure easy operation, speed, and reliability, there are various technical elements to consider when designing a zero trust architecture:
- agent technology (traffic forwarder, broker, monitor)
- centralized control of agents (Client Connector Portal)
- Branch and Cloud Connector
- security cloud (largest, 99.999% uptime SLA)
- single-pass architecture for packet inspection (packet loading to memory just once)
- private service edge to extend the public service edge (maintained by Zscaler)

When evaluating solutions, architects should consider the following design foundations, ensuring that policy enforcement edges are:
- Hosted in vital peering locations within carrier-neutral data centers for minimal latency between source and destination. Statistics of availability, routing, and locations should be reviewable in public references like PeeringDB and partner deployments.
- Supported with a valid SLA.
- Capable of deploying privately on a per-customer basis in locations where local conditions require nuanced deployments, such as on-premises or within an edge compute node.
- Able to deliver tenancy protection so customer data privacy is not passed to any other component within the infrastructure and no data is ever stored to disk.
- Providing global-scale protection for all enterprise services once a threat is detected.

The Zero Trust Exchange offers a variety of operational advantages that should be considered as part of the overall solution architecture:
- Operation that can be automated through scripts
- Built-in tools like speedtest.zscaler.com, ip.zscaler.com, and the Trust portal
- Deployment of an agent through endpoint managers
- App discovery with AI/ML
- Cloud effect and ongoing cloud updates (vs. hardware appliances)
- Support for managed and unmanaged devices
- Unified policy and centralized control plane
- One-click integration with Microsoft 365
- Ecosystem of partners with robust API integrations

Zscaler Digital Experience (ZDX)
ZDX provides digital experience insights to aid in understanding, diagnosing, and improving user experience issues. The ZDX score uses machine learning to help identify performance anomalies and send actionable alerts, with CloudPath analysis that identifies network issues between the user endpoint and their WiFi, ISP, backbone, and the Zscaler service edge.

Zero Trust for Users - sample phases
Phase 1: Security > Secure work from anywhere; secure internet, SaaS, private app access. Connectivity > Phase out VPN infrastructure
Phase 2: Security > Advanced cyberthreat and data protection (granular policies). Connectivity > Hub-and-Spoke to Zero Trust SD-WA

1. The user's presented access criteria, whether that be the SAML attributes assigned to the users within your directory, device context, risk, etc.
2. The application that you are accessing. This is defined, but in actual fact, this is the application context that the user (or the user's device) is calling, e.g., a file share on //fileserver1.company.local.

Zscaler validates access based on three factors?
1. What the user (or device) is requesting access to; for example, web browser to legal1.company.local on port 80
2. What the user is allowed access to by policy; is the user allowed access to legal1.company.local:80?
3. If the application access is permitted, is the application reachable at legal1.company.local:80 from the App Connectors?

DNS namespace and policy management example
1. Defining and refining your domain space, e.g., what network namespaces and subdomains exist, and where they reside within your organization. This DNS namespace can then be used in policy.
2. Ensuring your DNS naming convention is defined and used by the applications in the element. The policy will not permit access if you have defined *.legal.company.com for access and then your user attempts to access legal1.company.com. Note: For existing apps, you can use CNAMEs on your DNS side as long as the CNAME is called by the client side.
3. Understanding the necessary ports associated with each application. For example, you can define all of the SSH access under one app segment group with just TCP 22.

Calculating risk dynamically requires varying inputs that?
cannot be consumed in a uniform manner

Risks should be assessed throughout?
the lifespan of the connection

The challenges with maintaining high visibility in zero trust networking?
It involves a lot of data regarding user + workload + IoT/OT access requirements, the ability to get to services, connections, and the conditions in which they are connecting

3 main categories for Zscaler to calculate the risk scores
- Profile (risk aware, risk averse...)
- Posture (device posture, cloud posture...)
- Behavior (before, now, future)

Traditional way of SSL/TLS decryption - outbound
Load balancer --> Firewall --> SSL/TLS decryptor --> Proxy --> Sandbox --> Internet

DLP is mostly based on which protocol?
ICAP. The Internet Content Adaptation Protocol (ICAP) is designed to offload the processing of Internet-based content to dedicated servers. ICAP helps free up resources and standardize how features are implemented.

Zero trust is a framework for securing organizations in the cloud and mobile world that asserts that?
- no user or application should be trusted by default
- trust is established based on context with policy checks at each step
- least-privileged access

Establishing a zero trust architecture requires?
- visibility and control over the environment's users and traffic
- monitoring and verification of traffic between parts of the environment
- strong multifactor authentication (MFA) methods

In modern zero trust network architecture, instead of rigid network segmentation, your data, workflows, services, and such are protected by?
software-defined micro-segmentation

Removing network location as a position of advantage eliminates ____ trust, replacing it with ____ trust.
Removing network location as a position of advantage eliminates excessive implicit trust, replacing it with explicit identity-based trust.

________ connections eliminate the risk of lateral movement and prevent compromised devices from infecting other resources.
Direct user-to-app and app-to-app

Legacy vs Zero-Trust Network Architecture - Attack surface
Legacy: Firewalls/VPNs published on the internet; can be exploited, susceptible to DDoS
Zero Trust: Apps not exposed to the internet; you can't attack what you can't see

Legacy vs Zero-Trust Network Architecture - Connection
Legacy: App access requires corporate network access, allows lateral movement of users and threats
Zero Trust: Connects a specific authorized user to a specific, authorized resource

Legacy vs Zero-Trust Network Architecture - Pass through
Legacy: Firewall/passthrough inspects a limited data buffer; unknown files pass through; alerts after infection
Zero Trust: Full content inspection, including TLS/SSL; hold and inspect unknown files before they reach the endpoint

Legacy vs Zero-Trust Network Architecture - Tenancy
Legacy: VMs of single-tenant appliances in a public cloud
Zero Trust: Cloud-native, multitenant design like Salesforce/Workday

Ways to connect to the Zscaler Zero Trust Exchange
- Client-based forwarding
- Network forwarding

Data Loss Prevention
To fully leverage all features of the control elements, it is important to have?
SSL/TLS encryption enabled

With zero trust, it is never ______, regardless of the situation. Rather zero trust ensures that each and every approved access is enabled through ____.
With zero trust, it is never a direct network connection, regardless of the situation. Rather, zero trust ensures that each and every approved access is enabled through its own individual path.

Access is not a matter of sharing a network. It is a matter of having?
A policy that confirms whether access is allowed conditionally or not

Access policy is based on?
(who, what, where) + (risk of access, compromise prevention + loss prevention)

Sample components of context?
role, responsibility, request time, location, and circumstances of the request

Factors of risk assessment
device posture, threats, destination, behavior, and policy

Seven elements of zero trust
1. Who
2. What context
3. Where is the destination
4. Assess risk
5. Prevent compromise
6. Prevent data loss
7. Enforce policy

Main components of Security Service Edge (SSE)
- Analytics/visibility
- API functionality
- Inline functionality

In case edge security fails, another option to connect to the ZTE is via site connection (SD-WAN). This is possible because?
Zscaler is integrated with major SD-WAN providers.

Cloud Connector protection options
workload-to-workload (multicloud) and workload-to-internet

A trusted location should be governed by enterprise-defined conditions that reduce its risk profile.

Technology & Architecture Considerations - Defined locations
A defined location would be an enterprise office space where users are more trusted than on the open internet.

Managed devices
Computers and other network-attached devices monitored through the use of agents by a network management system

Destination App Criteria of Known Apps?
- Externally or internally managed?
- Web or non-web?
- App category?
- Decoy?
- Risk profile?

Destination App Criteria of Unknown/Newly Discovered Apps?
- API-driven risk posture (CASB, SSPM, CNAPP)
- ML-driven categorization

Zero trust services are not firewalls, which means?

They are neither pass-through nor static

One key limitation of traditional firewalls?
They are not natively able to interpret beyond an IP address, i.e., content beyond the IP-to-IP stateful control, such as the identity of individual users brokered from an IdP (SAML/SCIM/etc.)

Not understanding these authentication and authorization outcomes results in two distinct, negative impacts when using firewalls
1. Users must authenticate twice with two different authorizations.
2. These identity values must be managed in two locations, with two different sets of identity controls to consider.

Benefits of least-privileged access in zero trust
- Applies the correct controls to the correct source
- Obscures protected resources from unauthorized sources, reducing cybersecurity risks
- Reduces waste, e.g., a Linux server isn't allowed to connect to a Windows patch system
- Provides granular visibility and learning of flows per access request, not network IP-to-IP
- Consolidates access based on identity and not on a network, allowing a network's function and infrastructure to be optimized

Three steps for beginning the application (micro) segmentation journey
1. Determine critical workloads and who should access them
2. For all other traffic, obtain visibility over access, thus giving visibility and an inventory of apps with a discovery policy

Process to categorize apps
1. Assess the app to identify its type, e.g., web app
2. Identify any reputation for the app or domain
3. Assess the content and function of the app
4. Categorize, if possible
5. If not, flag as uncategorized

Once application destinations are categorized with appropriate access control policies, it is then necessary to specify which groups of users can access those applications. This allows for user-to-application segmentation independent of?
network-based controls

With digital transformation, every enterprise tries to drive?
- Higher efficiencies
- Quicker agility
- Competitive advantages

Zero Trust is not?
- Not just about users (but anyone, anything that initiates connections)
- Not anchored on any one location
- Not just about the initiator and the destinations but also the relationships among them

Zscaler session-based security
Each session has its own unique network security path (TCP or UDP)

Zscaler controls always live in the cloud? (T/F)
False

Zscaler can connect user to user (T/F)
False

What is SAML?
SAML stands for Security Assertion Markup Language. It is an XML-based open standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).

Identity Provider
Performs authentication and passes the user's identity and authorization level to the service provider.

Service Provider
Trusts the identity provider and authorizes the given user to access the requested resource.

Why do we need SCIM on top of SAML?
Organizations that use cloud-based solutions need a method for managing user access to resources in external providers' domains. SCIM provisioning provides a way to automate access to all the applications and services an organization uses. Without SCIM,

Main threat categories
- File-based
- Network-based
- Web-based
- Uninspected encrypted traffic

Types of risk telemetry
organizational, locational, departmental, and user-level

Three key categories of user-based risk evaluation
pre-compromise behavior, post-compromise behavior, and suspicious and anomalous behavior

Cloud-native application protection platform (CNAPP) approach
agentless solution that correlates multiple security engines to prioritize hidden risks

Prevent compromise - Inline threat protection
- Block the known bad (pattern, signature, destination)
- Continuous updates
- Quantify the unknown
- Cloud effect (once a new threat is identified, it's blocked for all)

Prevent compromise - Inline threat protection - Quantify the unknown
- Destination knowledge and assessment
- Content knowledge and analysis
- Behavioral analysis (sandbox)

Prevent compromise - Out-of-band threat protection
Discover malware in SaaS, PaaS, IaaS
- API scanning for malware
- Sandbox unknown, suspicious files

Inspection in many geographies may take time and effort to find the right balance of privacy appropriate for workers' councils. Identifying the correct balance of risk reduction and privacy is not static and?
should be incremental, starting with less controversial geographies and traffic types

The balance between their right to be protected from threats and a user's right to privacy must be considered and implemented granularly, not as a binary "inspect or don't inspect" policy. It should be implemented based on?
business risk and application type

Inline considerations
- a forward proxy architecture (for cloud, intensive inspection, minimal latency)
- sandboxing