Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.4. Zero Trust Architecture

💡 First Principle: Zero Trust is an architecture where no entity — user, device, or application — is inherently trusted, regardless of network location. Every access request is fully authenticated, authorized, and encrypted. The mantra: "never trust, always verify."

The exam specifically tests the two planes:

Control Plane — the decision-making layer:

  • Adaptive identity — adjusting authentication requirements based on risk context (location, device health, behavior)
  • Threat scope reduction — limiting the blast radius of any compromise through micro-segmentation
  • Policy-driven access control — decisions based on policy rules rather than network location
  • Policy Administrator — establishes and removes access based on policy engine decisions
  • Policy Engine — evaluates access requests against policies and makes allow/deny decisions

Data Plane — the enforcement layer:

  • Implicit trust zones — the areas where trust is implied are kept as small as possible (vs. the traditional model, where the entire internal network is one large trusted zone)
  • Subject/System — the entity requesting access
  • Policy Enforcement Point (PEP) — the gateway that enforces the policy engine's decision. The PEP is the only path to protected resources — there's no way to bypass it. Every request, whether from an employee's laptop or a server API call, passes through the PEP.

Implementation reality: Zero Trust doesn't mean ripping out existing infrastructure. Organizations implement it incrementally: start with identity verification (MFA everywhere), add device health checks (only compliant devices access sensitive resources), then layer in micro-segmentation and continuous monitoring. Each step reduces implicit trust. The goal is that network location alone never grants access — an attacker on the internal network faces the same authentication requirements as one on the internet.
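The two planes and the incremental controls described above, as an added Python model that is not part of the original page: a Policy Engine and Policy Administrator on the control plane, a Policy Enforcement Point on the data plane that is the only path to the resource, and a decision that checks identity (MFA), device health and a risk score but never the source network. The subject names, resource names, IP addresses and policy thresholds are constructed for the example.

```python
"""Toy Zero Trust access decision (added illustration, not from the page).

Control plane: PolicyEngine decides, PolicyAdministrator establishes or
revokes the session. Data plane: PolicyEnforcementPoint is the only path to
the protected resource. All names, addresses and thresholds are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # identity of the requesting user or service
    resource: str           # protected resource being requested
    source_ip: str          # where the request came from; carried but never trusted
    mfa_verified: bool      # identity provider completed MFA for this session
    device_compliant: bool  # device health attestation passed (patched, encrypted, ...)
    risk_score: int         # 0 (low) .. 100 (high) from behavior/location analytics


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_subjects: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True
    max_risk: int = 50      # adaptive identity: deny when the risk context exceeds this


class PolicyEngine:
    """Control plane: evaluates a request against policy and returns (allow, reason).
    Note that req.source_ip is never consulted: location alone grants nothing."""

    def __init__(self, policies):
        self.policies = {p.resource: p for p in policies}

    def decide(self, req):
        policy = self.policies.get(req.resource)
        if policy is None:
            return False, "no policy for resource: default deny"
        if req.subject not in policy.allowed_subjects:
            return False, "subject not authorized for resource"
        if policy.require_mfa and not req.mfa_verified:
            return False, "MFA required"
        if policy.require_compliant_device and not req.device_compliant:
            return False, "device not compliant"
        if req.risk_score > policy.max_risk:
            return False, f"risk score {req.risk_score} exceeds {policy.max_risk}"
        return True, "allowed by policy"


class PolicyAdministrator:
    """Control plane: turns engine decisions into sessions the PEP will honor,
    and tears a session down again when a later evaluation denies."""

    def __init__(self, engine):
        self.engine = engine
        self.sessions = {}  # (subject, resource) -> True while access is granted

    def establish(self, req):
        allowed, reason = self.engine.decide(req)
        key = (req.subject, req.resource)
        if allowed:
            self.sessions[key] = True
        else:
            self.sessions.pop(key, None)  # revoke any earlier grant
        return allowed, reason


class PolicyEnforcementPoint:
    """Data plane: the only path to the resource. It enforces; it does not decide."""

    def __init__(self, administrator, resources):
        self.admin = administrator
        self.resources = resources

    def access(self, req):
        allowed, reason = self.admin.establish(req)
        if not allowed:
            return {"status": "denied", "reason": reason}
        return {"status": "ok", "data": self.resources[req.resource]}


def build_demo_pep():
    """Wire the three components around one constructed policy and resource."""
    policies = [Policy(resource="payroll-db", allowed_subjects=frozenset({"alice"}), max_risk=40)]
    admin = PolicyAdministrator(PolicyEngine(policies))
    return PolicyEnforcementPoint(admin, {"payroll-db": "salary rows (constructed sample)"})


def run_demo():
    """Four constructed requests; returns the PEP status for each."""
    pep = build_demo_pep()
    # Internal address, no MFA: location does not help.
    internal_no_mfa = AccessRequest("alice", "payroll-db", "10.0.0.5", False, True, 10)
    # Internet address, MFA done, compliant device, low risk: allowed.
    external_verified = AccessRequest("alice", "payroll-db", "203.0.113.7", True, True, 10)
    # Same verified user, but the adaptive risk score is above the policy threshold.
    high_risk = AccessRequest("alice", "payroll-db", "203.0.113.7", True, True, 85)
    # Fully verified but not in the policy's subject list.
    wrong_subject = AccessRequest("mallory", "payroll-db", "10.0.0.6", True, True, 5)
    return {
        "internal_no_mfa": pep.access(internal_no_mfa)["status"],
        "external_verified": pep.access(external_verified)["status"],
        "high_risk": pep.access(high_risk)["status"],
        "wrong_subject": pep.access(wrong_subject)["status"],
    }


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:18s} -> {status}")
```

The decision order mirrors the incremental rollout in the paragraph above: identity first, then device health, then risk context, with an unknown resource falling through to default deny. Because `source_ip` is never read by the engine, the internal request without MFA and the external request with MFA get exactly the treatment the text describes.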


āš ļø Exam Trap: Know which components belong to which plane. Policy Engine and Policy Administrator are Control Plane (they decide). Policy Enforcement Point is Data Plane (it enforces). Subject/System is also Data Plane.

Written by Alvin Varughese
Founder • 15 professional certifications