CISSP PRACTICE QUESTIONS – 20210228

To mitigate lateral movement, your company is implementing technical access controls per zero trust principles. Which of the following is least related to the implementation of zero trust?
A. XACML
B. De-perimeterisation
C. Separation of duties
D. Complete mediation

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Separation of duties.

Separation of duties is an administrative control, not a technical one, so it is the option least related to implementing technical access controls under zero trust.

Zero Trust

Zero Trust is a cybersecurity paradigm for access control that is data-centric, fine-grained, and dynamic, and that provides visibility into every access request.

  • De-perimeterization removes the reliance on the physical network perimeter.
  • XACML provides fine-grained access control, e.g., risk-based or attribute-based access control.
  • Complete mediation enforces validation of each and every request, whether the request comes from an internal or an external network.
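As an added illustration (not part of the original post), the following Python sketch contrasts a perimeter-based decision with a zero trust policy decision point that applies complete mediation and attribute-based rules; the Request fields, the POLICY table and both decision functions are assumptions made for the example, not taken from NIST SP 800-207 or any XACML profile.

```python
# Added example: a minimal attribute-based policy decision point (PDP) that
# applies complete mediation, i.e. every request is evaluated on its attributes
# regardless of which network it comes from. Field names and policy rules are
# illustrative assumptions, not from NIST SP 800-207 or any XACML profile.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject_role: str       # e.g. "engineer", "contractor"
    device_compliant: bool  # endpoint posture reported by the device agent
    mfa: bool               # whether the session was authenticated with MFA
    source_network: str     # "internal" or "external" (informational only)
    resource_class: str     # "public", "internal", "confidential"


def perimeter_decision(req: Request) -> str:
    """Legacy perimeter model: anything already inside the network is trusted."""
    if req.source_network == "internal":
        return "Permit"
    return "Permit" if req.resource_class == "public" else "Deny"


# Attribute-based rules (assumed, for illustration). Each value is
# (allowed roles or None for any, device must be compliant, MFA required).
POLICY = {
    "public":       (None,                       False, False),
    "internal":     ({"engineer", "contractor"}, True,  False),
    "confidential": ({"engineer"},               True,  True),
}


def zero_trust_decision(req: Request) -> str:
    """Complete mediation: every request is checked against the ABAC policy.
    source_network is deliberately ignored (de-perimeterization)."""
    rule = POLICY.get(req.resource_class)
    if rule is None:
        return "Deny"  # default deny for resources the policy does not know
    roles, need_compliant, need_mfa = rule
    if roles is not None and req.subject_role not in roles:
        return "Deny"
    if need_compliant and not req.device_compliant:
        return "Deny"
    if need_mfa and not req.mfa:
        return "Deny"
    return "Permit"


if __name__ == "__main__":
    # Constructed sample: a contractor on a non-compliant laptop, already inside.
    inside = Request("contractor", False, False, "internal", "confidential")
    print(perimeter_decision(inside), zero_trust_decision(inside))  # Permit Deny
```

The same request that the perimeter model waves through because it originates inside the network is denied by the zero trust PDP, which only looks at subject, device and session attributes.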

Evolution of Zero Trust Concepts

The concepts of Zero Trust can be traced back to the idea of de-perimeterization discussed in the Jericho Forum as early as 2003. De-perimeterization promotes removing the reliance on physical network segmentation to ensure network security. It was commonly believed that internal networks protected by firewalls were safer than external networks, so fewer security controls were implemented in internal networks.

However, de-perimeterization doesn’t mean there is no perimeter at all. It reduces the reliance on the physical perimeter, but virtual, software-defined, or fine-grained logical perimeters come into play. For example, the Global Information Grid (GIG) Black Core Network initiative at the Defense Information Systems Agency (DISA) around 2007 introduced the Software-Defined Perimeter (SDP).

John Kindervag at Forrester coined the term “Zero Trust” in 2010, nicely incorporating those ideas. The Cloud Security Alliance (CSA) then promoted and expanded the awareness and adoption of Zero Trust based on the GIG SDP. Google and many other large technology companies and organizations also started their own zero trust initiatives.

Because of the Office of Personnel Management data breach in 2015, Zero Trust was brought to the attention of the US Congress. NIST then started drafting its Zero Trust Architecture guideline, SP 800-207, which was finalized in August 2020.

Figure: Evolution of Zero Trust Concepts (Zero Trust Cybersecurity Paradigm)

Zero Trust as Access Control 2.0

Figure: Zero Trust as Access Control 2.0 (Access Control; Data-centric Access Control; Fine-grained, Dynamic, and Visibility)

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

To mitigate lateral movement, your company is implementing technical access controls according to zero trust principles. Which of the following is least related to this zero trust implementation?
A. XACML
B. De-perimeterization
C. Separation of duties
D. Complete mediation
