CNX-001 · Question #18
A customer asks a MSP to propose a ZTA design for its globally distributed remote workforce. Given the following requirements: - Authentication should be provided through the customer's SAML identity
The correct answer is D. - Configure geolocation settings to block certain IP addresses.. Among the listed requirements, the one that maps directly to a specific technical control is: 'Access should not be allowed from countries where the business does not operate.' This is enforced by configuring geolocation-based IP blocking on the access proxy or firewall, which is
Question
A customer asks a MSP to propose a ZTA design for its globally distributed remote workforce. Given the following requirements:
- Authentication should be provided through the customer's SAML
identity provider.
- Access should not be allowed from countries where the business does
not operate.
- Secondary authentication should be added to the workflow to allow for
passkeys.
- Changes to the user's device posture and hygiene should require
reauthentication into the network.
- Access to the network should only be allowed to originate from
corporate-owned devices. Which of the following solutions should the MSP recommend to meet the requirements?
Options
- A
- Enforce certificate-based authentication.
- B
- Enforce posture assessment only during the initial network log-on.
- C
- Chain the existing identity provider to a new SAML.
- D
- Configure geolocation settings to block certain IP addresses.
How the community answered
(54 responses)- A2% (1)
- B4% (2)
- C11% (6)
- D83% (45)
Explanation
Among the listed requirements, the one that maps directly to a specific technical control is: 'Access should not be allowed from countries where the business does not operate.' This is enforced by configuring geolocation-based IP blocking on the access proxy or firewall, which is choice D. The other choices are wrong for these reasons: A (certificate-based auth) addresses device identity but not the geographic restriction. B is explicitly wrong because the requirement states device posture changes must trigger reauthentication - not just at initial logon. C (chaining to a new SAML) is unnecessary because the existing SAML IdP should already support passkeys and MFA chaining. D is the control that directly addresses the geographic access restriction requirement.
Topics
Community Discussion
No community discussion yet for this question.