Five areas cover the full Domain 2 objective set.
1. Zero Trust Architecture & SASE
Zero Trust Core Principles
- Verify explicitly: authenticate and authorize every request using all available signals (identity, location, device health, requesting service or workload).
- Use least privilege: limit user access with just-in-time and just-enough-access (JIT/JEA) policies, so standing privilege is the exception.
- Assume breach: minimize blast radius, segment access, and verify end-to-end encryption so a single compromise cannot reach everything.
- Identity is the new perimeter: every access request is authenticated and authorized regardless of where on the network it originates.
- ZTNA: brokered, application-level access that replaces network-level VPN tunnels; users reach specific applications, never the network itself.
- Deperimeterization: dropping the assumption that anything inside the corporate network is trusted.
SASE Architecture
- SASE converges SD-WAN (networking) with CASB, SWG, ZTNA and FWaaS (security) into a single cloud-delivered service.
- SD-WAN: software-defined WAN, the networking component of a SASE architecture.
- SASE is about convergence: networking and security delivered together from one cloud-native platform rather than stacked appliances.
Study tip: SASE = SD-WAN + cloud-native security stack. The exam tests understanding that SASE is about convergence, not just a product name.
2. Cloud Security Architecture
Shared Responsibility & Cloud Tools
- Shared responsibility model: the provider secures the cloud itself (facilities, hardware, hypervisor), the customer secures what they put in it (data, identities, configuration). The split shifts with IaaS/PaaS/SaaS: the higher the abstraction, the more the provider covers.
- CASB: visibility and control over SaaS applications (shadow IT discovery, DLP, policy enforcement).
- CWPP: runtime protection for VMs, containers and serverless workloads.
- CSPM: detects misconfigurations and configuration drift (public S3 buckets, overly permissive IAM policies).
- CNAPP: CSPM + CWPP (plus CIEM and IaC scanning) converged into a single platform covering code to runtime. CASB is a SaaS-facing control that belongs to the SASE/SSE stack, not to CNAPP.
- Serverless security: per-function IAM roles, dependency scanning, and validation of event data, since the event payload is the function's attack surface.
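The CSPM bullet above is easier to picture as code. The following is an added example, not something from the original page or from any CSPM product: a minimal scanner that runs two of the classic checks (bucket open to everyone, admin wildcard in an IAM policy) over constructed policy documents. The policy names, ARNs and finding identifiers are all invented for the illustration.

```python
# Constructed sample policies, standing in for what a CSPM tool pulls from the
# cloud provider's API. Names and ARNs are made up for this example.
SAMPLE_POLICIES = {
    "bucket-policy:public-logs": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",                     # anyone, including anonymous
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::public-logs/*",
        }],
    },
    "iam-policy:ci-deployer": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "*",                        # every action ...
            "Resource": "*",                      # ... on every resource
        }],
    },
    "iam-policy:reader": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
        }],
    },
}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """'Principal': '*' and {'AWS': '*'} both grant to every identity."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def check_policy(name, policy):
    """Return [(finding_id, detail), ...] for one policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue                              # Deny statements never widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _principal_is_anyone(stmt.get("Principal")) and any(a.startswith("s3:") for a in actions):
            findings.append(("S3_PUBLIC_ACCESS", f"{name}: {actions} granted to everyone"))
        if "*" in actions and "*" in resources:
            findings.append(("IAM_ADMIN_WILDCARD", f"{name}: Action * on Resource * (full admin)"))
        elif any(a.endswith(":*") for a in actions):
            findings.append(("IAM_SERVICE_WILDCARD", f"{name}: service-wide wildcard in {actions}"))
    return findings


def scan(policies):
    """Run the checks over every policy; returns {policy_name: [finding_id, ...]}."""
    return {name: [fid for fid, _ in check_policy(name, doc)]
            for name, doc in policies.items()}


if __name__ == "__main__":
    for name, ids in scan(SAMPLE_POLICIES).items():
        print(f"{name}: {ids or 'clean'}")
```

Real CSPM tools add context a static check cannot (is the bucket behind a CloudFront distribution, is the wildcard role actually assumable), but the core is exactly this: normalise the policy document, then apply rules that flag statements widening access beyond intent.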
Study tip: Know the three acronyms: CASB (SaaS visibility), CWPP (workload runtime), CSPM (configuration drift). CNAPP merges CSPM and CWPP into one cloud-native platform; CASB sits on the SASE side.
3. Network Segmentation & Microsegmentation
- Traditional segmentation: VLANs, DMZs and firewalls controlling north-south (perimeter) traffic.
- Microsegmentation: software-defined, identity- or workload-aware controls on east-west traffic between workloads inside the same segment.
- East-west traffic: lateral, workload-to-workload; north-south traffic: in and out through the perimeter.
- Lateral movement prevention: microsegmentation limits how far an attacker who already has a foothold can move.
Study tip: Traditional segmentation handles north-south (perimeter). Microsegmentation handles east-west (lateral movement). Know which addresses which threat.
4. PKI & Enterprise Access Controls
Access Control Models
- MAC: labels and clearances assigned by central policy; users cannot change them. Used in classified environments. Most restrictive.
- DAC: the resource owner decides who gets access. Unix mode bits and Windows NTFS DACLs. Least restrictive.
- RBAC: permissions tied to roles, users assigned to roles. Scales for large organizations. Most common.
- ABAC: policy evaluates attributes of the subject, resource, action and environment (role + device health + time + location). Most granular.
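The difference between the models is clearest when the same request is decided two ways. This is an added example, not from the original page: a role-only RBAC check next to an ABAC policy engine whose rules combine role, device health, time, network and a MAC-style clearance-versus-classification comparison. Roles, permissions, subjects and request contexts are all constructed for the illustration.

```python
# Constructed sample data: two subjects, one labelled resource, two request contexts.
# All values are made up for this example.
ROLE_PERMISSIONS = {
    "finance-analyst": {"read:ledger"},
    "finance-admin": {"read:ledger", "approve:payment"},
}

ADMIN = {"role": "finance-admin", "clearance": 3}
ANALYST = {"role": "finance-analyst", "clearance": 1}
LEDGER = {"classification": 2}          # MAC-style label on the resource

OFFICE = {"device_compliant": True, "hour_utc": 14, "network": "corp"}
CAFE = {"device_compliant": False, "hour_utc": 23, "network": "public"}


def rbac_allows(subject, action):
    """RBAC: the decision is a function of the subject's role alone."""
    return action in ROLE_PERMISSIONS.get(subject["role"], set())


# ABAC rules: each is a predicate over (subject, resource, action, environment).
def _role_permits(s, r, a, e):
    return a in ROLE_PERMISSIONS.get(s["role"], set())      # role is just one attribute


def _device_compliant(s, r, a, e):
    return e["device_compliant"]                           # Zero Trust: device health is a signal


def _business_hours_corp_net(s, r, a, e):
    if a != "approve:payment":                             # only the sensitive action is gated
        return True
    return 9 <= e["hour_utc"] < 18 and e["network"] == "corp"


def _clearance_dominates(s, r, a, e):
    return s["clearance"] >= r["classification"]           # the MAC "no read up" rule as an attribute


ABAC_RULES = [
    ("role_permits", _role_permits),
    ("device_compliant", _device_compliant),
    ("business_hours_corp_net", _business_hours_corp_net),
    ("clearance_dominates", _clearance_dominates),
]


def abac_decision(subject, resource, action, env):
    """ABAC: every rule must pass. Returns (allowed, [names of rules that failed])."""
    failed = [name for name, rule in ABAC_RULES if not rule(subject, resource, action, env)]
    return (not failed, failed)


if __name__ == "__main__":
    for label, env in (("office", OFFICE), ("cafe", CAFE)):
        print(label, "RBAC:", rbac_allows(ADMIN, "approve:payment"),
              "ABAC:", abac_decision(ADMIN, LEDGER, "approve:payment", env))
```

The finance admin approving a payment from a compliant laptop on the corporate network at 14:00 UTC passes both checks. The same admin at 23:00 from an unmanaged device on public Wi-Fi still passes RBAC, because the role has not changed, but ABAC denies and names the two failed rules; that explicit reason is also what you want in the audit log.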
Study tip: MAC = policy/label (most restrictive), DAC = owner-driven (least restrictive), RBAC = role-driven (most common), ABAC = attribute-policy (most granular).
5. PAM & Identity Federation
Privileged Access Management
- PAM: controls, monitors and audits privileged access. Just-in-time (JIT) elevation instead of standing admin rights, just-enough-access (JEA) so the elevated scope is minimal, and recording of privileged sessions for review.
Federation Standards
- SAML 2.0: XML-based federated SSO. The IdP authenticates the user and sends a signed assertion to the SP (service provider), which trusts it instead of checking credentials itself.
- OAuth 2.0: authorization-delegation framework. A user grants a client scoped access to a resource on their behalf without handing over credentials. On its own it says nothing about who the user is.
- OIDC: a thin authentication layer on top of OAuth 2.0. It adds a signed ID token (a JWT) carrying identity claims (iss, sub, aud, exp, nonce) that the relying party validates before trusting the login.
Study tip: SAML = enterprise SSO (authentication). OAuth = authorization delegation. OIDC = authentication on top of OAuth.