Domain 1 · 1.2 Fundamental Security Concepts

1.2.5 Zero Trust

Control Plane and Data Plane.

13 min

Zero Trust philosophy → "Never Trust, Always Verify"

Architecture is split into two planes: - Control Plane → the *brain*, makes decisions - Data Plane → the *muscle*, enforces decisions

Control Plane — decides

Evaluates every access request using identity, MFA, role, device, location, and risk.

Key concepts: - Adaptive Identity → verification level scales with risk - Threat Scope ReductionLeast Privilege + segmentation - Policy-driven Access Control → decisions follow predefined policies - Policy Engine (PE) → makes the final Allow / Deny / Step-up MFA decision - Policy Administrator (PA) → coordinates implementation of the decision

Data Plane — enforces

Carries the actual traffic and applies the verdict.

Key concepts: - Subject / System → the entity requesting access (user, laptop, server, app) - Policy Enforcement Point (PEP) → the *gatekeeper*; allows or blocks - No Implicit Trust Zones → every request verified, inside or outside the network

Example flow

  • Admin logs in → Control Plane checks identity, device, location
  • PE decides → PA organizes → PEP in Data Plane allows session
  • Same admin from unknown device → PE requires extra MFA or denies → PEP blocks

Exam shortcut

  • Control Plane = decides
  • Policy Engine = makes the decision
  • Policy Administrator = organizes implementation
  • Data Plane = handles traffic
  • PEP = allows or blocks

Mnemonic

Airport → officer (Control Plane) checks passport → gate (Data Plane) opens or stays closed.