What does deception as a conditional block policy allow an enterprise to do?
Options:
A. Engage in double-extortion negotiations.
B. Conditionally decide which access request is sent to a decoy service, not the real destination workload, thus allowing security teams insight into questionable activity.
C. Create various policy tiers, including several quarantine VLANs.
D. Rethink its security posture, leveraging local breakouts from branch sites so that user traffic is filtered through a secure web gateway.
The correct answer is B. In Zero Trust architecture, deception as a conditional block policy means suspicious or malicious activity is not sent to the real destination. Instead, the request is redirected to a decoy or controlled service, allowing defenders to observe and understand the behavior without exposing the actual workload. This provides both protection and intelligence. It blocks harmful access while generating insight into attacker methods, compromised accounts, or risky automation.
This aligns with the Zero Trust idea that policy outcomes can be more sophisticated than simple allow or deny. A conditional block with deception is especially valuable when an enterprise wants to stop the request but also gain visibility into why the request is suspicious and how the initiator behaves when interacting with what it believes is the real target.
The other options do not match the concept. Extortion negotiations are unrelated, quarantine VLANs are a legacy network-centric control, and branch local breakout is a traffic-forwarding design choice. Therefore, deception allows the enterprise to selectively redirect questionable access attempts to a decoy service and gather useful security insight while keeping the real destination protected.
Question # 25
Verification of user and device identity is to be enabled for:
Options:
A. Any person who wants to connect to an enterprise-controlled application, including employees, third parties, and partners.
B. Remote employees only.
C. Untrusted third parties only.
D. Employees connecting from unmanaged endpoint devices only.
The correct answer is A. In Zero Trust architecture, verification of both user identity and device context should be applied to any person requesting access to an enterprise-controlled application. That includes employees, contractors, partners, and other third parties. Zscaler’s Universal ZTNA guidance states that Zero Trust gives users access to applications based on granular, context-based policies and that the user can be anywhere while the application can be hosted anywhere. This model is not restricted only to remote employees or only to outside parties.
The central principle is that no category of user receives automatic trust simply because of employment status, device ownership, or location. Instead, every access request must be evaluated using current identity and contextual information. That is why Zero Trust architectures verify not just the individual but also conditions such as device posture, location, group, and other policy-relevant attributes. Restricting this verification only to remote staff, unmanaged devices, or external users would recreate the implicit-trust problem that Zero Trust is meant to eliminate. Therefore, the correct architectural answer is that verification should apply to any person connecting to an enterprise-controlled application.