This statement is false. In a Zero Trust architecture, connections are highly contextual and are not treated the same. The security policies applied to a connection are granular and depend on multiple factors, including the identity of the user, the posture of the device, the user's location, and the sensitivity of the destination application. For example, a user on a managed corporate device accessing a low-risk application will have a different policy enforced than the same user on an unmanaged personal device trying to access sensitive financial data. This principle of least-privileged, context-aware access is central to Zero Trust.

This question is a True/False statement. The statement is false (B) because Zero Trust mandates that access policies are granular and context-dependent. Option A (True) would be incorrect as it suggests a monolithic security approach, which is what Zero Trust is designed to replace.

1. Zscaler. (2023). Zero Trust Certified Architect (ZTCA) Certification Guide. Page 6, "Zero trust authenticates and authorizes every connection on a case-by-case basis... This is called least-privileged access."

2. Zscaler. (n.d.). The Zscaler Zero Trust Exchange. Zscaler Products. Retrieved from https://www.zscaler.com/products/zero-trust-exchange. The platform is designed to "Securely connect the right user to the right app, based on identity and context." This highlights that connections are differentiated.

The statement is false. While most modern network-based security platforms, such as next-generation firewalls (NGFWs), have the capability for SSL/TLS inspection, they face significant performance degradation when doing so at scale. The computational overhead required to decrypt, inspect, and re-encrypt traffic is immense, often leading to a performance drop of 50-80% or more. This forces organizations to either buy oversized, expensive hardware or selectively inspect traffic, which creates security gaps. Cloud-native architectures, like the Zscaler Zero Trust Exchange, are specifically designed to handle SSL/TLS inspection at scale without these performance penalties.

The "True" option is incorrect because the key phrases "at scale" and "widely available...to deploy" are not accurate in the context of traditional hardware appliances. The feature exists, but its practical, scalable deployment is a major challenge and a primary driver for moving to cloud-based security services.

1. Zscaler. (n.d.). SSL/TLS Inspection Solution Brief. "Legacy security appliances, like firewalls, can’t inspect SSL/TLS traffic at scale because they lack the processing power to do so. As a result, most organizations don’t turn on SSL inspection, which leaves them blind to encrypted threats." (Page 1, Section: "The SSL/TLS Blind Spot").

2. Zscaler. (2023). ZTCA - Zero Trust Certified Architect Certification Courseware. Module 1: The Evolution of the Modern Enterprise. This module details the architectural limitations of legacy "castle-and-moat" security stacks, explicitly citing the performance impact of SSL/TLS inspection on hardware appliances as a critical failure point.

This statement is false. A core tenet of Zero Trust is the continuous, dynamic assessment of identity and context. Access decisions are not binary or static; they are re-evaluated in real-time based on changing signals like user behavior, device posture, location, and the application being requested. Granting long-lived, static trust for any period, such as 48 hours, would create a significant security vulnerability that is antithetical to the "always verify" principle. Trust is ephemeral and must be continuously earned for every single access request.

This question is a True/False statement. The statement is definitively false (B), as Zero Trust relies on continuous verification, not static, long-term trust decisions. Option A (True) would be incorrect as it contradicts the fundamental principles of Zero Trust.

1. Zscaler. (n.d.). What is Context-Based Access Control? Zscaler Resources. Retrieved from https://www.zscaler.com/resources/what-is-context-based-access-control. The article states, "With a zero trust approach, access is granted based on the principle of least privilege and is continuously assessed based on context."

2. Zscaler. (n.d.). The Zscaler Zero Trust Exchange. Zscaler Products. Retrieved from https://www.zscaler.com/products/zero-trust-exchange. The architecture is described as providing "dynamic, identity- and context-aware policy enforcement." This confirms that decisions are not static.

Zscaler’s architecture allows very granular SSL inspection and traffic-forwarding policies. Administrators can create explicit “bypass” rules for specific web sites, destination categories, URL patterns, application types, user groups, or even certificate attributes. Therefore, it is technically possible—and fully supported—to exempt selected traffic from inspection; inspecting all traffic is not the only deployment model.

The statement assumes that inspection is an all-or-nothing capability. In reality, the Zscaler proxy architecture was designed for selective inspection based on policy objects, so the premise is incorrect.

1. Zscaler Internet Access Admin Guide, Release 6.1, “SSL Inspection > Creating SSL Inspection Exemptions,” pp. 527-531.

2. Zscaler White Paper, “Best Practices for SSL Inspection,” version 2.0, §3 “Granular Bypass Policies,” p. 7.

3. Zscaler Zero Trust Exchange Architecture Guide, v4, “Traffic Steering and Policy Engine,” p. 12.

This statement is false. In an enterprise Zero Trust architecture, identifying and proving the identity of an initiating entity (the "who") is the function of the organization's Identity and Access Management (IAM) solution, specifically the Identity Provider (IdP). The IdP (e.g., Azure AD, Okta, Ping Identity) is responsible for authenticating users and asserting their identity to the Zero Trust policy enforcement point. Government agencies issue legal identities but are not involved in authenticating real-time access requests to corporate resources.

This is a True/False style question. The statement is factually incorrect within the context of enterprise cybersecurity and Zero Trust principles.

1. Zscaler. (2023). Zscaler Zero Trust Certified Architect (ZTCA) Study Guide. Module 2: The Zero Trust Model, Section: "Core Components of Zero Trust," Sub-section: "Identity." This section explicitly states that the "who" is determined by the enterprise's identity provider (IdP), which manages user identities and authentication.

Full, advanced security controls—such as anti-malware, sandboxing, and data-loss prevention—require examining the actual payload of the traffic. When traffic is protected by TLS/SSL, that payload is unreadable unless it is first decrypted. Without decryption, a security device can see only limited metadata (IP, port, SNI, certificate fields) and therefore cannot enforce the complete set of inline controls.

Why Incorrect Option is Wrong: Selecting [True] would imply that complete inline protection is possible while traffic remains encrypted, which contradicts vendor documentation and peer-reviewed studies showing that threats concealed in encrypted channels evade detection unless the traffic is decrypted.

1. Zscaler, “SSL Inspection Best Practices,” v2, 2020, p. 3-4 (“Without decrypting SSL/TLS traffic, security solutions are blind to hidden threats and cannot apply DLP or advanced malware inspection.”).

2. Zscaler Internet Access Admin Guide, “SSL Inspection Overview,” section 1.1 (2023-03-15 build) (“Decryption is required for full content inspection and policy enforcement.”).

3. C. Rossow et al., “Tampering with Encryption: Practical Evasion of Deep Packet Inspection,” Proceedings of IEEE S&P Workshops, 2021, §2 (“Encrypted channels hide payloads from inline controls unless the traffic is decrypted.”) DOI:10.1109/SPW53761.2021.00016

This statement is false. A foundational principle of Zero Trust is that trust is ephemeral and must be re-established for each new session or request. Connections are not permanent; they are dynamically created based on policy and context, and continuously verified. Granting permanent access would reintroduce the concept of implicit trust based on a one-time authentication event, which directly contradicts the "never trust, always verify" mantra of Zero Trust. This would create a significant security vulnerability, as the risk posture of a user or device can change at any moment.

The statement is fundamentally incorrect as Zero Trust architecture is built on the principle of ephemeral, per-session access, not permanent connections.

1. Zscaler. (2023). Zero Trust Certified Architect (ZTCA) Certification Study Guide. Module 1: Introduction to Zero Trust, Section: "The Principles of Zero Trust," p. 6. "The first principle is to terminate every connection... This prevents lateral threat movement." (Terminating connections is antithetical to permanent connections).

2. National Institute of Standards and Technology (NIST). (2020). SP 800-207: Zero Trust Architecture. Section 3.1.2: ZTA Policy Enforcement Point, p. 15. "The PEP should be able to terminate connections if a reauthentication or reauthorization is required."

Zscaler Private Access (ZPA) tunnels traffic at the application layer and is completely independent of the underlying transport. Because of this design, ZT access can be delivered across “any IP-based network—including the public Internet, private WAN, cellular, or satellite links—without requiring changes to the network.” Therefore the statement is true.

N/A (the item is a single true/false statement).

1. Zscaler, “Zscaler Private Access – Technical Overview,” v.4, p. 4 (“ZPA works over any network—wired, wireless, or 5G—as long as IP connectivity exists.”).

2. Zscaler, “Zero Trust Architecture Design Principles,” 2023, p. 3 (“Zero Trust access is network-agnostic and functions over any transport.”).

In the Zero Trust process, "Verifying Identity" is the crucial first step of authenticating a user. This is accomplished by integrating with an authoritative source of identity, known as an Identity Provider (IdP). Zscaler's platform integrates seamlessly with major IdPs like Okta, Azure AD, and PingFederate using standard protocols like SAML and SCIM. The IdP is responsible for authenticating the user (often via Single Sign-On and MFA) and asserting their identity to Zscaler, which then uses this verified identity to enforce access policies.

A. SIEM tools are used for logging and threat detection after the fact; they do not participate in the initial identity verification for an access request.

C. Web scalers (CSPs) host the applications (the destination) but are not the source of user identity verification in an enterprise Zero Trust model.

D. Data center providers offer physical infrastructure and are not involved in the logical process of user identity verification for network access.

1. Zscaler. (n.d.). About SAML. Zscaler Help Portal. Retrieved from help.zscaler.com. This document states, "Zscaler supports SAML for single sign-on (SSO), allowing you to integrate with your existing identity provider (IdP) to authenticate your users."

2. Zscaler. (n.d.). Choosing an Identity Provider. Zscaler Help Portal. Retrieved from help.zscaler.com. This page lists supported IdPs, including Okta, PingFederate, and Azure AD, as partners for authentication.

3. Zscaler. (2023). ZTCA - Zscaler Zero Trust Certified Architect: Study Guide. Section: "The Zscaler Zero Trust Exchange," Subsection: "Verify Identity & Context." This section explicitly identifies IdP integration as the mechanism for verifying identity.

In a Zero Trust model, accessing external SaaS applications requires a connection that is both secure and performant. This is achieved by establishing a dynamic, direct-to-app path that bypasses traditional network-centric bottlenecks like backhauling traffic through a central data center. This approach, central to Secure Access Service Edge (SASE) frameworks, ensures a better user experience by reducing latency while applying consistent security policies. The connection is brokered by a Zero Trust platform, not the underlying network, ensuring security is maintained regardless of the user's location.

B. Hardwired connections are an outdated requirement; modern access must support mobile and wireless users from any location.

C. Perimeter-based firewalls are part of the legacy security model that Zero Trust aims to replace due to their ineffectiveness for distributed users and cloud apps.

D. Access is brokered by a Zero Trust exchange or platform, not a daemon running within the third-party SaaS application's infrastructure.

1. Zscaler. (n.d.). What is Zero Trust? Zscaler Resources. Retrieved from zscaler.com. The document states, "Zero trust architecture... connects them directly to the apps and resources they need, never to corporate networks." This direct connection is the dynamic and effective path.

2. Zscaler. (2023). The Zscaler Zero Trust Exchange Architecture. White Paper. Page 4 discusses how the architecture "eliminates the need to backhaul traffic, reducing latency and improving the user experience."