Zscaler ZTCA Answer Keys

Uploaded by Xet Albitos

Question 1: Correct answer

Enterprises can deliver full security controls inline, without needing to decrypt traffic.

True.

False.

Question 2: Correct answer

Connections to destination applications are the same, regardless of location or function.

True, all applications must be considered equally and connected to equally.

False, each application: internal/external, trusted/untrusted, etc. must be considered for connectivity based on the risk profile and acceptance of each enterprise.

Question 3: Correct answer

Typically, organizations will leverage which of the following to implement security as a part of legacy network architectures?

Access control lists (ACLs) or firewalls, or perhaps VLAN segmentation.

Virtual and cloud provided layer 2 devices.

10G switch ports, with dark fiber connectivity.

Data Loss Prevention capabilities for ensuring nothing good leaks out of the
organization.

Question 4: Correct answer

All elements of a connection, including _____________, are considered as a part of a risk path.

network connectivity metrics such as latency, jitter, and packet loss

any historical connections that have been made by the same user

API integrations between a zero trust architecture and SD-WAN vendors

hardware crypto accelerated SSL/TLS decryption

Question 5: Correct answer


To effectively access any external (managed by others) SaaS applications,
one must be securely connected through ___________________.

A dynamic and effective path, ensuring beneficial experience and performance for the initiator.

A hardwired network connection.

A perimeter based stateful network firewall such as a security appliance.

No means - the only access possible is via a special daemon running within
the application space of the SaaS application itself.

Question 6: Correct answer

One example of accessing different types of services based on a differentiator of identity is:

Having an open-access VPN policy.

Connecting to a LAN wirelessly vs through a wired connection.

Connecting from a browser in an untrusted device vs. connecting from a device with a Zscaler Client Connector.

Relying on a Managed Services Provider (MSP) for day-to-day management of the corporate network.

Question 7: Incorrect answer

What purpose do Data Loss controls serve? Select all that apply.

Detecting data theft through malware.

Preventing non-malicious and / or accidental data leakage.

Error checking and validation to ensure data integrity.

Intercepting data poisoning attempts from authorized users.

Question 8: Correct answer

Should a Zero Trust solution inspect traffic for all destinations?

No. Only traffic destined to engineering services and financial applications.

No. Traffic should never be inspected.

No. It's important to find a balance. The Zero Trust solution should give the enterprise the ability to implement inspection for any application or destination. Although it's strongly recommended, it's up to the enterprise to decide where inspection is needed.

No. Only non-TLS / SSL based traffic should be inspected.

Question 9: Correct answer

Verification of user+device identity is to be enabled for:

Any person who wants to connect to an enterprise controlled application. Employees, third parties, partners, etc.

Remote employees only.

Untrusted third parties only.

Employees connecting from unmanaged endpoint devices only.

Question 10: Correct answer

Who decides policy enforcement rules?

The Zero Trust provider.

The endpoint device management software in use.

The necessary risk controls that a customer needs to protect against and control for, enforced by the policy within the Zero Trust Exchange.

The InfoSec team.

Question 11: Correct answer

Identifying and proving the who value, that is - who is the initiating entity - is
usually a function of a government agency.

True.

False.

Question 12: Correct answer

What do the granular insights obtained through content inspection determine?

Malicious threats to the initiators, and the risks the enterprise has with external services, like data loss and unauthorized service usage.

The monthly bandwidth cost of a premium MPLS circuit, in order to hold the ISP accountable with some sort of SLA.

Whether a VPN may still be required for certain legacy web applications or
third party contractor access, where due to certificate pinning and other
incompatibility issues a forward proxy solution cannot be leveraged.

Whether a ransomware breach may have occurred twelve months in the past.

Question 13: Correct answer

Where is it most effective to assess the content of a connection?

At the policy enforcement point as effectively close to an initiator as possible, e.g. the closest edge.

Within a data center which is deployed in a one-armed concentrator mode.

On disk, after first being copied several times for a backup.

Within an ISP's fiber backbone.

Question 14: Correct answer

Connecting to the Zero Trust Exchange is completed as one permanent session, where all traffic is passed through one uniform path.

True.

False.

Question 15: Correct answer

What type of solution is used to ingest logs?

SIEM

Firewall

VPN

IdP

Question 16: Correct answer

In a Zero Trust architecture, should applications that you manage have any exposed inbound listeners?

Inbound listener ports should only be accessible to those initiators who are allowed access. All other access (and visibility) must be denied.

Yes, allow anyone to connect to the listening service, just like having your
website on the Internet for anyone to connect with.

Yes, allow all inbound to any service, the firewall will protect the app.

Only allow access to those who share the same network.

Question 17: Correct answer

SSL/TLS inspection allows an enterprise to:

Make intuitive decisions of which traffic type to control & should be implemented with a balanced approach to protect the company's interest and the end initiator's privacy.

Sandbox all information.

Remove all risk related to Internet traffic.

Deliver universal control across the entire enterprise. Once assessed applies
to all traffic from that enterprise.

Question 18: Correct answer

A Zero Trust network can be:

Located anywhere.

Built on IPv4 or IPv6.

Built using VPN concentrators.

Located anywhere and built on IPv4 or IPv6.

Question 19: Correct answer

Zero Trust policy enforcement must include all verified attributes: identity;
access, content and risk controls, before allowing access.

True.

False.

Question 20: Correct answer


Which of the following actions can be included in a conditional "allow" policy?
(Select 2)

Temporarily pause the connection until a security engineer reviews the traffic for risk.

Prioritize / deprioritize: Salesforce gets priority over YouTube when last mile is congested.

Isolate: Stream pixels to the browser, restrict the ability to download, copy and paste data.

Block the connection.

Question 21: Correct answer

Connections, approved by the Zero Trust Exchange, must then enable permanent network level access for at least 30 days.

True.

False.

Question 22: Incorrect answer

MPLS has historically been leveraged for which of the following?

Private tunnels from a user's endpoint, whether they be in a Starbucks coffee shop or connecting from their home.

Extending IP connectivity as a backhaul link between branches, data centers, and clouds.

Private 5G links, directly establishing RAN base stations in an enterprise location.

A forward proxy for terminating connections, for full-blown packet inspection with SSL/TLS decryption.

Question 23: Correct answer

Policy enforcement is a unique, dynamic evaluation of which of the following?

The location of a destination application.

The per-access verification of Identity + the control of access, content and risk for each and every connection request.

A one time verification of Identity + the control of access, content and risk.

The initiator's network.

Question 24: Correct answer

Businesses undertake ______ to increase efficiency, improve agility, and achieve a competitive advantage.

digital transformation journeys

blue teaming exercises

red teaming exercises

disaster recovery planning

Question 25: Correct answer

The Zscaler Client Connector is:

A device used to create a secure communication channel with a Web Application Firewall (WAF).

A cloud managed endpoint device via an MDM solution.

An agent installed on the endpoint to tunnel authorized user traffic to the Zero Trust Exchange for protection of SaaS, private applications, and Internet-bound traffic.

A marketplace platform that connects different types of business clients to each other.

Question 26: Correct answer

If an initiator moves to a trusted location, should they get direct access to a destination application?

Yes. In fact if any element of the Zero Trust Exchange produces a negative
outcome, then the conditional block policy will be implemented.

It depends on the time of day.

This depends on an enterprise decision. Ideally a Zero Trust solution would be applicable both remotely and on premises with a service edge running where needed to enforce control.

Only if the device is a managed device by the enterprise.

Question 27: Correct answer

Content stored within a SaaS/PaaS/IaaS location can be _______

100% trusted, as cloud providers make sure content is safe before it's uploaded.

Considered as risky until inspected, either through the in-line SSL/TLS controls, or through assessing the files "at rest" using an out of band assessment.

Partially trusted depending on whether you maintain a proper audit log for
access.

Should never be trusted.

Question 28: Correct answer

Connections to any application or destination through the Zero Trust Exchange are treated equally.

True.

False.

Question 29: Correct answer

If we put a remote user on a VPN which connects back to a data center, which of the following occurs?

The VPN routes the entire network from this client all the way to
the internal network, which typically goes into a DMZ environment,
putting the user on the network, creating a significant threat of
lateral movement.

The client benefits from WAN optimizations that result in improved connectivity and overall optimal application performance.

The VPN provides highly secure and reliable access to the network for
authorized users only.

The VPN provides a faster connection than a direct connection over the
Internet.

Question 30: Correct answer

Identity is a binary decision, not to be revisited. Once a decision is made about who, what, and where, that is final for at least 48 hours.

True.

False.

Question 31: Correct answer

Which of the following actions can be included in a conditional "block" policy? (Select 2)

Quarantine: Ensure access is stopped and assessed.

Deceive: Direct any malicious attack to restricted decoy.

Firehose: Send TCP Resets to the initiator.

Allow the connection.

Question 32: Correct answer

The Zscaler Zero Trust Exchange has:

Inspection controls only in limited "core sites".

Locations in a few high traffic geographic regions.

Scalable Inspection solutions at 150+ public locations and locally in private locations.

Expanded its scope to try to provide the proof for Fermat's last theorem.

Question 33: Correct answer

What is the trend that is increasing security risk through legacy solutions
that drive network sprawl?

A spread out group of ACLs and firewall rules, with each firewall and VPN
appliance only enforcing a subset of the total rule list.

A desire to replace edge routers with SD-WAN boxes, which can leverage
multiple uplinks for active-active VPN failover.

An ongoing dependence on layer 2 and layer 3 switching, without a consideration for the upcoming 5G architectures.

More applications moving to the cloud, users being remote, and VPNs and firewalls extending IP connectivity out to several different locations.

Question 34: Correct answer

What are two categories of destination applications in Zero Trust?

(a) known: in that the application has been categorized, classified, and updated dynamically, (b) unknown: in that the app does not meet an existing category and thus must be profiled, learned, and controlled conditionally.

(a) Google, (b) non-Google.

(a) SaaS, (b) PaaS.

(a) all things on the Internet, (b) all things internal.

Question 35: Correct answer

What is included in context, when verifying identity?

Attributes of the connection (what kind of user it is, e.g. in sales, is it a BYOD device, location, etc).

Checking if the device is jailbroken or rooted.

No context is relevant - one should automatically deny the connection.

Whether the traffic is being received from a tunnel such as GRE or IPSec.

Question 36: Correct answer

The three main areas of focus within the first section of Zero Trust (Verify
Identity & Context) are:

(1) Who is the initiator, (2) What are the attributes of the
connection, and (3) Where is the initiator trying to go.

(1) Cataloguing IP address in a cloud database, (2) Cross-referencing that database against a list of known IP offenders, and (3) Publishing the known IP offender lists.

(1) Inspecting SSL traffic, (2) Having traffic exclusions for sensitive traffic
like healthcare and financial transactions, and (3) Implementing data loss
policies.

(1) Establishing a GRE/IPSec tunnel with the Zero Trust Exchange, (2)
Forwarding traffic by location, and (3) Implementing policies by location.

Question 37: Correct answer

Inspection of traffic is solely to get visibility of and protect against threats to the company and its employees - as long as you're doing inspection only, you're in good shape, you need nothing else.

Inspection for inbound threats is only half of the challenge. The other part is the risk of data loss, theft and malicious use of enterprise information. An inspection solution must deliver control for both inspection and data loss.

True. Inspection to block bad things coming in is key.

80% of web traffic or more is encrypted. Thus it is key that enterprises stop
all bad things.

Inspection is not needed to protect an enterprise.

Question 38: Incorrect answer

In Zero Trust, there is an initiator; who is that initiator communicating with?

A terminator.

An exterminator.

A destination.

A set of application policies.

Question 39: Correct answer

Where should inspection happen in an effective Zero Trust implementation?

Within dedicated servers located on premise, typically in a firewall type of a box.

At the edge.

Within legacy web applications.

Within a handoff to a third party service.

Question 40: Correct answer

Why should an enterprise categorize applications as part of their secure digital transformation to a Zero Trust architecture?

To build structured naming conventions for apps, e.g. Country:city:location:function.

So that these can be stored in a CMDB (configuration management database) system, which can be used as a policy enforcement plane for application traffic.

To differentiate destination applications from each other, thus enabling the deployment of granular control of valid initiator to valid destination application.

To know which ACLs to set on their firewall.

Question 41: Correct answer

Once a network connection is made with the Zero Trust Exchange, the
connection is _____ as the Zero Trust Exchange acts as a _______.

expanded, extensible API.

terminated, forward proxy.

inspected, firewall.

permanent, cache.

Question 42: Correct answer

If you take a database from your data center and move it into the cloud, one
of the legacy mechanisms for providing access is to: (Select 2)

Create an inbound listener so that anyone from any network can egress via the Internet and get access.

A physical ethernet cable between the data center and the cloud service
provider.

Configuring the database server with a public IP and allowing direct access
via the Internet

Extending an MPLS link to have a backhaul link to the cloud, creating an IP routable network.

Question 43: Correct answer

Which of these are data exfiltration risks enterprises should be aware of?
(Select 3)

Proliferation of malware in the network.

Theft of intellectual property.

Extortion.

Loss of customer confidence.

Question 44: Correct answer

What is the ultimate goal of policy enforcement?

State a conditional allow or a conditional block.

Issue a log that can be interpreted in a modern SOC.

Designate an initiator as always trustworthy or always untrustworthy.

Track network bandwidth utilization across destination application categories.

Question 45: Correct answer

As a part of verifying identity, attributes that can be used to determine differentiated access for a user can include:

Is the user using certificates, multi-factor authentication or single sign-on?

Risk assessment of their browsing history.

A network config that is frozen in time, with a backup and restore performed
at the exact moment of authentication.

Whether the SAML assertion is delivered via Okta or PingFederate.

Question 46: Correct answer

Identity values can be updated on a regular basis using which of the following?

A RADIUS server.

Google authentication.

An IdP that supports SCIM.

Manual intervention to add a compromised client to a block list.

Question 47: Correct answer

Should policy enforcement apply to all traffic, including from authorized initiators?

A true Zero Trust solution must never allow any access without
authorization.

No. It should only apply to unauthorized initiators.

Unauthorized initiators are blackholed by default.

Zero Trust allows for all initiators to see the destination, regardless of role and responsibility.

Question 48: Correct answer

What minimal conditional "allow controls" should exist in a true Zero Trust
solution?

North, South, East and West.

Allow / Deny.

VLAN-driven network segmentation.

Allow, Warn, Prioritize (deprioritize), Isolate, Steer, Quarantine.

Question 49: Correct answer

In a network secured with a stack of security appliances and firewalls, what happens when people want to work from outside the network?

Networks get extended using VPNs.

Users simply need a reliable WiFi connection.

Work from outside the network is not possible.

A single sign on solution can be leveraged to accomplish this.

Question 50: Correct answer

What drives network transformation?

Web application firewalls.

A DMZ that doubles in size and scope within a short period of time.

Applications moving from the data center to the cloud, along with
users increasingly being remote.

Security breaches, specifically ones in which people are socially engineered.

Question 51: Correct answer

In a Zero Trust architecture, how is the connection to an application provided?

Over any network with per access control.

By establishing a full network layer connection.

Through a virtual security appliance stack.

Via secure TLS connections with out-of-band inspection for advanced threats.

Question 52: Correct answer

Cloud infrastructure security posture, as well as cloud infrastructure user entitlements, can help contribute to a determination of connection risk; these are typically determined via:

Automated DevOps pipelines.

API integrations between the Zero Trust platform and the major
cloud providers.

Multi-factor authentication.

Premium cloud provider subscriptions.

Question 53: Correct answer

What does one need to effectively apply a policy decision under Zero Trust?

Have a definitive understanding of each, individual request from an initiator to a workload, enforcing least privilege under the policy conditions.

Know that Zero Trust is least privilege.

Have a definition of initiator network and destination location.

Properly deployed security appliances at the edge.

Question 54: Correct answer

Risk within the Zero Trust Exchange is a dynamic value calculated to:

Be hashed, truncated, and stored in an obfuscated manner.

Give visibility of risky activity and allow enterprises to set acceptable thresholds of risk.

To provide access to the network.

Reduce processing load by enabling low risk traffic to bypass less critical
inspections

Question 55: Correct answer

Once content has been opened for inspection, which controls can now be applied?

Data Loss: (a) Context and content aware DLP, (b) Data classification (EDM, IDM, OCR), (c) Machine Learning Identification; Threat Prevention: (a) Secure web gateway, (b) Cloud firewalling, (c) Intrusion prevention, (d) Sandboxing; Visibility: (a) Cloud app identification, (b) Shadow IT, (c) UEBA assessment.

Routing, Forwarding, NATing, Firewalling.

All / Block.

Layer 2 filtering.

Question 56: Correct answer

In a Zero Trust architecture, what is required to apply the first levels of control policy decisions?

Inspection of SSL / TLS connections.

Local breakout so that traffic goes direct to SaaS applications from branches.

Context and Identity.

Segmenting an OT network so that it is air-gapped from the IT environment.

Question 57: Correct answer

When connecting to internal applications (something that you manage), what is the right way to implement Zero Trust for inbound connections?

Direct access to internal applications must never be allowed. Furthermore, internal apps should never be exposed to any untrusted initiator & thus must be dark. Only authorized users can connect.

Allow direct access for on-site initiators and enforce authorization for remote
connections.

Allow direct access for connections from enterprise managed devices and
enforce authorization for unmanaged devices on-site or remote.

Only allow connections via a secure point-to-point VPN connection.

Question 58: Correct answer

Users/devices, IoT/OT, or workloads must establish a connection to:

A 3rd party destination, using browser-based access.

An Active Directory (AD) server, so that they can be catalogued.

The Zero Trust Exchange cloud, so that security controls can be enforced.

A firewall, using a double-encapsulated IPSec VPN so that the ideal legacy technology can be optimized.

Question 59: Correct answer

What is the security risk of an open listening service?

Log4j, which is an open source library available in most services.

Increases the risk of endpoint devices becoming jailbroken or rooted.

Weakens any authentication and authorization mechanisms in place.

Any initiator with visibility of the service (can send a handshake request), can connect to the service. Thus anyone can test the function, stability, security and availability of that service.

Question 60: Correct answer

Data loss controls should be considered for both inline and out-of-band
traffic.

True.

False.

Question 61: Correct answer

Assessing risk is:

A non-recurring process to determine how to treat requests from a specific initiator for the next 30 days.

Universal control across the entire enterprise. Once assessed, risk applies to
all traffic from that enterprise.

An ongoing process to verify publicly known bad actor IP addresses.

An assessment of all things related to the current connection, previous context and considered on an ongoing basis for future requests, thus allowing for unique and dynamic changes in the consideration of risk.

Question 62: Correct answer


What protects Personally Identifiable Information (PII) accidentally shared by
a colleague to the entire company?

SSL/TLS inspection.

Verifying identity and context through a secure identity provider.

Data Loss Prevention (out-of-band & inline).

Virtual firewalls.

Question 63: Correct answer

The second part of a Zero Trust architecture after verifying identity and
context is:

Controlling content and access.

Re-checking the SAML assertion.

Enforcing policy.

Microsegmentation.

Question 64: Correct answer

How are services protected in a legacy scenario when they are discoverable on the public Internet? (Select all that apply)

Establishing a DMZ that would include multiple products and services.

Dynamic Application Security Testing (DAST).

A large security stack including appliances that handle functions like global load balancing, firewalling, DDoS, and more.

A web application firewall (WAF) for protecting against DDoS and other botnet style attacks.

Question 65: Correct answer

How is risky behavior controlled in a Zero Trust architecture?

Permanent quarantining of devices in a particular VLAN.

Re-categorization of an initiator (and their organization) so that the subsequent access requests are limited, deceived or stopped.

Logging violations in a public database.

Deploying best in class security appliances.

Question 66: Correct answer

As of 2022, SSL/TLS encryption of traffic accounts for ___ percent of web traffic.

50%.

Over 80%.

Under 80%.

A rotating amount, typically pegged to the income taxes of a US state.

Question 67: Correct answer

The initial section of Zero Trust, Verify Identity and Context, includes three
elements; the first is:

Who is connecting.

Device posture-based determinations of quarantine.

Integration with third party threat intelligence feeds.

ML-based application discovery as a part of a microsegmentation implementation.

Question 68: Correct answer

The first step of verifying identity is the who. And "who" is not just who is the
user, but also, in addition:

The destination, who can also be a user.

The device, and understanding what levels of access that device has.

The type of bare metal server that the packets traverse on their way to the
destination.

The IaaS destination that the user is connecting to.

Question 69: Correct answer

There are three sections that make up a successful Zero Trust architecture; (1) Verify Identity and Context, (2) Control Content and Access, and (3) -

Integration with an SSO provider.

SAML and SCIM-based authentication for assessing posture.

Enforce Policy.

Data Loss Prevention.

Question 70: Incorrect answer

Identity verification within a Zero Trust solution is solely about unique identifiers, e.g. usernames for users, or MAC address for workloads, etc. This allows for static verification of the initiator.

True.

False.

Question 71: Correct answer

Which crucial step occurs during the "Enforce Policy" stage?

Connecting an initiator to internal and external applications from the Zero Trust Exchange.

A handshake between the initiator and destination application.

The setup of an enterprise SSO or AD server for credential validation.

Verification of identity and context of the connection.

Question 72: Incorrect answer

If an enterprise is protecting its services at a network level, e.g. using firewalls, what happens to that protection when a user leaves the network? (Select 2)

The initiator won't have access to the service.

Network access is maintained via TCP keep alive messages.

Users will continue to be able to access services via the internet.

A path from initiator to the network must be put in place, e.g. VPN.

Question 73: Correct answer

The only way to deploy inspection is that you must inspect all traffic -
technically speaking, at an architectural level, there is no way to have
exceptions, e.g. to certain websites or for certain types of applications.

True.

False.

Question 74: Correct answer

Which one of these is the most accurate statement?

Security through obscurity is key. Thus open any ports and services, so any
attackers get lost in the number of open services.

You cannot attack what you cannot see. Removing your attack surface greatly improves an enterprise's security posture.

Firewalls are scalable, elastic architectures.

Cloud services are reliable and provide all the necessary security by default.

Question 75: Correct answer

Policy enforcement in Zero Trust is assessed _____.

Once, for all traffic from the initiating source.

Only if the risk score is high.

For authorized users only.

For every access request.
