1.2.5 Zero Trust
Control Plane and Data Plane.
Zero Trust philosophy → "Never Trust, Always Verify"
Architecture is split into two planes: - Control Plane → the *brain*, makes decisions - Data Plane → the *muscle*, enforces decisions
Control Plane — decides
Evaluates every access request using identity, MFA, role, device, location, and risk.
Key concepts: - Adaptive Identity → verification level scales with risk - Threat Scope Reduction → Least Privilege + segmentation - Policy-driven Access Control → decisions follow predefined policies - Policy Engine (PE) → makes the final Allow / Deny / Step-up MFA decision - Policy Administrator (PA) → coordinates implementation of the decision
Data Plane — enforces
Carries the actual traffic and applies the verdict.
Key concepts: - Subject / System → the entity requesting access (user, laptop, server, app) - Policy Enforcement Point (PEP) → the *gatekeeper*; allows or blocks - No Implicit Trust Zones → every request verified, inside or outside the network
Example flow
- Admin logs in → Control Plane checks identity, device, location
- PE decides → PA organizes → PEP in Data Plane allows session
- Same admin from unknown device → PE requires extra MFA or denies → PEP blocks
Exam shortcut
- Control Plane = decides
- Policy Engine = makes the decision
- Policy Administrator = organizes implementation
- Data Plane = handles traffic
- PEP = allows or blocks
Mnemonic
Airport → officer (Control Plane) checks passport → gate (Data Plane) opens or stays closed.