Zero Trust Architecture — 4-Zone Control Placement
SY0-701 Obj 3.2 · Zero Trust / Enterprise Security
Acme Corp is migrating from a perimeter-based model to Zero Trust Architecture (ZTA).
The network spans four zones: Internet, DMZ, Internal, and Cloud (Azure). Your task is to place
8 ZTA controls into their optimal zone — some controls could plausibly fit two zones, but only one placement is correct under ZTA principles.
Then answer the trade-off questions below.
🗃️ ZTA Controls — drag each to its optimal ZTA zone
🔐 ZTNA Gateway
🔀 Micro-segmentation
🔄 Continuous Auth
⏱️ JIT Access
🛡️ DLP Proxy
🔑 PAM Vault
☁️ CASB
🪪 Identity Provider
Internet (Untrusted)
External users, remote workers, partners
Assets: 🌍 External · 📱 BYOD · 🏠 Remote
[1 control slot]
DMZ / Edge
Public-facing services, access enforcement
Assets: 🖥️ Web Server · ⚖️ Load Balancer
[2 control slots]
Internal Network
Workstations, servers, lateral movement risk
Assets: 💻 Workstations · 🗄️ DB Server · 📁 File Server
[3 control slots]
Cloud (Azure/SaaS)
Shadow IT risk, cloud app governance
Assets: ☁️ Azure · 📊 SaaS Apps · 🪣 Blob Storage
[2 control slots]
⚖️ ZTA Trade-Off Questions
Q1. A ZTNA gateway and a traditional VPN both grant remote access. Under ZTA, why is ZTNA preferred?
Q2. Your security team wants to place the PAM Vault in the Cloud zone for accessibility. A senior engineer objects. Who is correct and why?
Q3. Under ZTA, "never trust, always verify" means which of the following about internal network traffic?
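To make the "never trust, always verify" principle behind Q3 concrete, here is an added illustration (not part of the original exercise or any Acme Corp system) of a policy decision point that evaluates every request with the same identity, device-posture, continuous-authentication and JIT checks regardless of the zone it arrives from. The identities, asset names, role table, time limits and sample requests are constructed for this example.

```python
"""Zero Trust policy decision point (PDP) sketch.

Added illustration, not part of the original exercise: a request from the
Internal zone is evaluated by exactly the same rules as one from the
Internet, DMZ or Cloud zone. The source zone is recorded for logging but
never grants implicit trust. All names and values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Request:
    subject: str                 # identity asserted by the Identity Provider
    source_zone: str             # Internet / DMZ / Internal / Cloud
    resource: str                # constructed asset name, e.g. "db-server"
    mfa_verified_at: datetime    # last strong-auth event (continuous auth)
    device_compliant: bool       # device posture reported by the endpoint agent
    jit_grant_expires: datetime | None = None   # None = standing access requested


# Constructed policy data: who may reach which asset, and which assets are
# privileged (require a live JIT grant issued from the PAM vault).
ROLE_TO_ASSETS = {
    "alice": {"file-server"},
    "dba-bob": {"file-server", "db-server"},
}
PRIVILEGED_ASSETS = {"db-server"}
MFA_MAX_AGE = timedelta(minutes=15)   # re-verification window for continuous auth

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock


def evaluate(req: Request, now: datetime) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Note that source_zone is never consulted."""
    allowed = ROLE_TO_ASSETS.get(req.subject, set())
    if req.resource not in allowed:
        return "deny", f"{req.subject} is not authorised for {req.resource}"
    if not req.device_compliant:
        return "deny", "device posture not compliant"
    if now - req.mfa_verified_at > MFA_MAX_AGE:
        return "deny", "MFA assertion too old; re-authentication required"
    if req.resource in PRIVILEGED_ASSETS:
        if req.jit_grant_expires is None:
            return "deny", "privileged asset requires a JIT grant; no standing access"
        if req.jit_grant_expires <= now:
            return "deny", "JIT grant has expired"
    return "allow", f"verified request (origin zone={req.source_zone}, logged only)"


def stale_mfa_from_each_zone() -> dict[str, str]:
    """Identical request with a 40-minute-old MFA event, sent from every zone.

    Every zone gets the same verdict: being 'inside' does not skip verification.
    """
    verdicts = {}
    for zone in ("Internet", "DMZ", "Internal", "Cloud"):
        req = Request("dba-bob", zone, "db-server",
                      mfa_verified_at=NOW - timedelta(minutes=40),
                      device_compliant=True,
                      jit_grant_expires=NOW + timedelta(minutes=30))
        verdicts[zone] = evaluate(req, NOW)[0]
    return verdicts


def fresh_privileged_request(zone: str) -> tuple[str, str]:
    """Fresh MFA, compliant device, live JIT grant: allowed from any zone."""
    req = Request("dba-bob", zone, "db-server",
                  mfa_verified_at=NOW - timedelta(minutes=2),
                  device_compliant=True,
                  jit_grant_expires=NOW + timedelta(minutes=30))
    return evaluate(req, NOW)


def standing_access_request(zone: str) -> tuple[str, str]:
    """Same subject and asset but no JIT grant: denied even from Internal."""
    req = Request("dba-bob", zone, "db-server",
                  mfa_verified_at=NOW - timedelta(minutes=2),
                  device_compliant=True)
    return evaluate(req, NOW)


def unauthorised_request(zone: str) -> tuple[str, str]:
    """alice has no entitlement to db-server; zone of origin changes nothing."""
    req = Request("alice", zone, "db-server",
                  mfa_verified_at=NOW, device_compliant=True)
    return evaluate(req, NOW)


if __name__ == "__main__":
    print(stale_mfa_from_each_zone())
    for fn in (fresh_privileged_request, standing_access_request, unauthorised_request):
        print(fn.__name__, "Internal ->", fn("Internal"), "| Internet ->", fn("Internet"))
```

The design point is that the decision function never branches on `source_zone`: micro-segmentation and the ZTNA gateway decide where a request can physically reach, but the grant itself rests on identity, device posture, freshness of authentication and a time-bound JIT entitlement, so an Internal-zone workstation is verified exactly as a remote BYOD device would be.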