Question 27
Domain 4 — Technology, Security, and Resilience Controls
What is the primary principle of Zero Trust security?
Correct answer: B
Explanation
Zero Trust is built on the principle of "never trust, always verify," meaning no user, device, or request is trusted by default. Access is granted only after continuous verification of identity, context, and authorization, which reduces the risk of unauthorized access and lateral movement.
Why each option is right or wrong
A. Trust all internal users
Incorrect. Zero Trust explicitly rejects implicit trust based on network location or being "inside" the perimeter; internal users are subject to the same verification as anyone else.
B. Never trust, always verify
NIST SP 800-207 defines Zero Trust as an architecture that assumes no implicit trust based on network location or asset ownership; every access request must be explicitly authenticated and authorized before it is granted. In practice, this means the system does not rely on a one-time perimeter check, but requires continuous verification of the user, device, and context for each request.
C. Trust but verify
Incorrect. "Trust but verify" starts from a position of trust and checks afterwards; Zero Trust starts from no trust at all and grants access only after verification, for every request.
D. Trust only executives
Incorrect. Zero Trust does not grant trust based on role or seniority; every user, device, and request is verified regardless of who is making it.