| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 14.3 - Zero-Trust Access Policy Enforcement
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series turns to zero-trust access from Domain 5, identity and access management. When there is no clean network edge left to defend, it looks at what replaces the old idea of a safe internal network and how access decisions get made and enforced against every request, no matter where it comes from.
What this episode covers
- The flaw in inside trust β moat-and-castle designs hand out broad, unearned trust the moment someone gets past the wall.
- Constant verification β zero-trust removes the trust boundary and validates every action when it is requested.
- The signals checked β identity, permissions, device configuration and posture, and current threat intelligence, on every request.
- Subjects β any requester of access, whether a person, a service, an automated agent, or another system.
- The policy engine β runs a trust algorithm on external inputs to grant, deny, or revoke access.
- The policy administrator β opens or tears down the connection and issues or ends session credentials.
- The policy enforcement point β sits inline between subject and resource, often split into a local piece and a network gateway.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is wrong with trusting the inside of your network?
Traditional designs work like a castle with a moat: you harden the outer wall, and once someone is past it they roam freely inside. Anyone who breaches the wall, or was let in for one reason, now has broad trust they never earned. A single stolen credential turns into free movement across the whole environment, and that inherited trust is exactly what zero-trust throws away.
What does zero-trust replace that trust with?
It replaces it with constant verification. Zero-trust assumes there is no trust boundary and no network edge at all, so every single action is validated at the moment it is requested as part of continuous authentication. Before access is granted, the system checks a bundle of signals like identity, permissions, the deviceβs configuration and security posture, and current threat intelligence. Trust is never granted once and kept; it is earned again with every request.
Who are the subjects in the zero-trust model?
Subjects are whoever or whatever is asking for access. That includes human users, but it deliberately reaches wider to cover services, automated agents, and other systems whenever they request access or try to use their rights. The model does not care whether a request comes from a person at a keyboard or a background process on a server. Each one is an untrusted requester that must prove itself, which lets zero-trust treat all traffic with equal suspicion.
How does the policy decision point actually decide?
The policy decision point has two cooperating halves. The policy engine makes the call, running a trust algorithm that weighs inputs from external systems like identity management, threat intelligence, and security monitoring, then deciding to grant, deny, or revoke access. The policy administrator acts on that decision, opening or tearing down the connection between a subject and a resource, issuing session credentials when access is allowed and ordering the session ended when it is not.
How does the policy enforcement point carry out the decision?
The policy enforcement point is the component that actually sits in the path between the subject and the resource. It forwards each request to the policy administrator and then does whatever it is told, either allowing the connection or ending it. In practice it is often split into two pieces, a local piece near the subject like a client or app, and a gateway piece along the network path to the resource. The decision point is the judge and the enforcement point is the officer at the door who carries out the ruling.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 14.3 - Zero-Trust Access Policy Enforcement.