Which of the following BEST describes how a Zero Trust security architecture handles access to organizational resources?
All internal users are trusted automatically, but external users must undergo additional verification.
No user or device is trusted by default; each access request must be authenticated and authorized based on contextual policies before a resource is released.
Users receive permanent access to all resources once they authenticate successfully at the start of a session.
Resources are accessible to anyone by default, and access restrictions are applied only after suspicious behavior is detected.
Zero Trust operates on the principle of "never trust, always verify." No human, device, or workload is granted implicit trust, even if it is inside the traditional network perimeter. Every request must be authenticated, authorized, and evaluated against policy and context (such as device health, user role, and behavioral indicators) before access is allowed. This differs from legacy models that trust internal entities by default or allow open access until suspicious behavior is detected. The other options describe permissive or perimeter-based approaches that contradict Zero Trust fundamentals.