This set builds vocabulary for per-request, identity-based access control replacing traditional VPNs.
1 / 5
At standup, a dev describes replacing a traditional VPN with a system that verifies every request based on identity and device posture rather than trusting anything inside a network perimeter. What model is this?
Zero Trust is a security model that verifies every request based on identity, device posture, and context, rather than assuming anything inside a traditional network perimeter is automatically trusted. This shifts away from the old model where being on the corporate network implied trust. Cloudflare's Zero Trust suite implements this for accessing internal applications.
2 / 5
During a design review, the team wants to grant access to an internal application per-request based on policies like user identity and device compliance, without a persistent VPN tunnel. Which concept supports this?
Access policies are evaluated on a per-request basis, checking factors like identity and device compliance each time rather than granting a broad, persistent trust once a VPN tunnel is established. This finer granularity limits what a compromised session can access. It is a core mechanic distinguishing Zero Trust access from traditional VPN-based network trust.
3 / 5
In a code review, a dev references the software running on an endpoint that reports its security posture, like OS patch level, before granting access. What is this called?
A device posture check evaluates properties of the connecting device, such as OS patch level or disk encryption status, as part of the access decision, ensuring only sufficiently secure devices can reach sensitive internal resources. This adds a device-level signal on top of user identity verification. It reflects Zero Trust's emphasis on evaluating multiple context signals, not identity alone.
4 / 5
An incident report shows a compromised laptop was still able to access internal tools because device posture wasn't factored into the access decision. What gap does this reveal?
If access policies check only user identity credentials without also evaluating device posture, a compromised but otherwise correctly authenticated device can still reach sensitive resources. A properly configured Zero Trust setup incorporates device signals precisely to close this kind of gap. This finding is common in incident reviews where policy configuration didn't match the intended security model.
5 / 5
During a PR review, a teammate asks how a Zero Trust access model differs from a traditional VPN granting broad network access once connected. What is the key distinction?
A traditional VPN typically grants broad access to the internal network once connected, implicitly trusting subsequent activity, while Zero Trust evaluates identity, device posture, and context for each request to each specific resource. This reduces the blast radius if credentials or a session are compromised. The tradeoff is more granular policy configuration and per-request evaluation overhead.