nerdexam
CompTIA

CNX-001 · Question #18

A customer asks a MSP to propose a ZTA design for its globally distributed remote workforce. Given the following requirements: - Authentication should be provided through the customer's SAML identity

The correct answer is D. - Configure geolocation settings to block certain IP addresses.. Among the listed requirements, the one that maps directly to a specific technical control is: 'Access should not be allowed from countries where the business does not operate.' This is enforced by configuring geolocation-based IP blocking on the access proxy or firewall, which is

Cloud Network Design

Question

A customer asks a MSP to propose a ZTA design for its globally distributed remote workforce. Given the following requirements:

  • Authentication should be provided through the customer's SAML

identity provider.

  • Access should not be allowed from countries where the business does

not operate.

  • Secondary authentication should be added to the workflow to allow for

passkeys.

  • Changes to the user's device posture and hygiene should require

reauthentication into the network.

  • Access to the network should only be allowed to originate from

corporate-owned devices. Which of the following solutions should the MSP recommend to meet the requirements?

Options

  • A
    • Enforce certificate-based authentication.
  • B
    • Enforce posture assessment only during the initial network log-on.
  • C
    • Chain the existing identity provider to a new SAML.
  • D
    • Configure geolocation settings to block certain IP addresses.

How the community answered

(54 responses)
  • A
    2% (1)
  • B
    4% (2)
  • C
    11% (6)
  • D
    83% (45)

Explanation

Among the listed requirements, the one that maps directly to a specific technical control is: 'Access should not be allowed from countries where the business does not operate.' This is enforced by configuring geolocation-based IP blocking on the access proxy or firewall, which is choice D. The other choices are wrong for these reasons: A (certificate-based auth) addresses device identity but not the geographic restriction. B is explicitly wrong because the requirement states device posture changes must trigger reauthentication - not just at initial logon. C (chaining to a new SAML) is unnecessary because the existing SAML IdP should already support passkeys and MFA chaining. D is the control that directly addresses the geographic access restriction requirement.

Topics

#Zero Trust Architecture#Access Control#Geolocation Blocking#Identity and Access Management

Community Discussion

No community discussion yet for this question.

Full CNX-001 Practice