Zscaler ZTCA - Zscaler Zero Trust Cyber Associate Certification Exam

Question #6 (Topic: Demo Questions)

How is policy enforcement in Zero Trust done?

A.
As a binary decision of allow or block.
B.
Without trust, for example Zero Trust.
C.
Conditionally, in that an allow or a block will have additional controls assigned, for example Allow and isolate, or Block and Deceive.
D.
At the network level, by source IP.
Correct Answer: C
Explanation:
In Zero Trust architecture, policy enforcement is conditional and context-based, not limited to a simple binary allow-or-block model. Zscaler's reference architectures explain that policy is evaluated using the full user context, including identity, device posture, location, group membership, and other conditions. Access decisions are therefore based on whether specific policy conditions are true, rather than only on static network attributes such as source IP address. For example, the same authenticated user may be allowed access from a managed device at headquarters but denied from an airport, even with the same credentials.
Zscaler documentation also shows that Zero Trust policy can go beyond simple pass or deny outcomes by applying additional controls. In DNS Security and Control, requests can be allowed, blocked, or modified. In ZIA policy development, Cloud App controls allow more granular outcomes than standard allow/block, such as restricting specific actions, applying quotas, or controlling what a user can do inside an application. This reflects the Zero Trust principle that enforcement is adaptive, granular, and tied to business and security context rather than network location alone.
Question #7 (Topic: Demo Questions)

How are services protected in a legacy scenario when they are discoverable on the public Internet? (Select all that apply)

A.
Establishing a DMZ that would include multiple products and services.
B.
Dynamic Application Security Testing (DAST)
C.
A large security stack including appliances that handle functions like global load balancing, firewalling, DDoS, and more.
D.
A web application firewall (WAF) for protecting against DDoS and other botnet-style attacks.
Correct Answer: A, C, D
Explanation:
The correct answers are A, C, and D. In a legacy architecture, applications that are exposed and discoverable on the public Internet are usually protected by building a DMZ (demilitarized zone) and placing multiple security technologies in front of the service. This commonly includes a large security stack made up of separate appliances or services for functions such as load balancing, firewalling, distributed denial-of-service (DDoS) protection, and related edge security controls. A web application firewall (WAF) is also a standard protective element in these public-facing designs because it adds inspection and protection for web-based attack patterns and internet-originated abuse. Option B, DAST, is not a correct answer because Dynamic Application Security Testing is a testing and assessment method, not a live architectural protection control that sits inline to defend exposed services in production. Zero Trust architecture contrasts with this legacy model by removing direct public discoverability and reducing dependence on a complex exposed edge stack. Instead of defending openly exposed applications with layered perimeter tools, Zero Trust aims to make applications less discoverable and access more identity- and policy-driven.