In a corporate network following Zero Trust best practices, a security team notices unusual activity from a previously authenticated and authorized device. What should the team do next?
A. Increase the device's access privileges to monitor more closely.
B. Ignore the activity since the device was already authenticated.
C. Reduce the device's privileges or quarantine it for further investigation.
Zero Trust operates on the principle of continuous risk assessment: initial authentication is not a permanent pass. If a device's behaviour changes after it has been admitted (for example, an anomaly reported by a traffic monitor or firewall), ClearPass must be able to revoke or reduce that device's access without waiting for it to re-authenticate. The correct answer is C: move the device to a quarantine VLAN or apply a restrictive ACL by sending a RADIUS Change of Authorization (CoA) to the switch or controller that holds the session. Option A widens the blast radius of a possibly compromised device, and option B discards the very signal Zero Trust relies on. This closed-loop enforcement limits lateral movement while the security team investigates the anomaly.
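The CoA step in the explanation above, as an added example that is not code from this page, from ClearPass or from any vendor: a Python script that builds the RFC 5176 CoA-Request a policy server would send to the NAS to move a session onto a quarantine VLAN (Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID) and optionally attach a Filter-Id ACL, computes the Request Authenticator the RFC mandates, and verifies the CoA-ACK or CoA-NAK the NAS returns. The shared secret, username, MAC address, VLAN 999 and ACL name are constructed values for illustration.

```python
"""RADIUS CoA-Request (RFC 5176) that moves an authenticated session onto a quarantine VLAN.

Added example; not code from the page, ClearPass or any NAS vendor. All identifiers,
the shared secret and the VLAN/ACL values below are constructed for illustration.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # RFC 5176 packet codes

# Standard attribute types used below (RFC 2865 and RFC 2868)
USER_NAME, FILTER_ID, CALLING_STATION_ID = 1, 11, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def attr(atype: int, value: bytes, tag: Optional[int] = None) -> bytes:
    """Encode one RADIUS AVP as type, length, value; RFC 2868 tag byte is optional."""
    if tag is not None:
        value = bytes([tag]) + value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tunnel_int(atype: int, n: int, tag: int = 1) -> bytes:
    """Tagged integer attribute: one tag byte followed by the low 3 bytes of the value."""
    return attr(atype, struct.pack("!I", n)[1:], tag=tag)


def build_coa_request(identifier: int, secret: bytes, attributes: bytes) -> bytes:
    """Request Authenticator per RFC 5176 section 3:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def quarantine_request(identifier: int, secret: bytes, username: str, mac: str,
                       vlan_id: int, acl_name: Optional[str] = None) -> bytes:
    """Session-identifying attributes plus the new authorization (VLAN and optional ACL)."""
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(CALLING_STATION_ID, mac.encode())
    attrs += tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
    attrs += tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
    attrs += attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode(), tag=1)
    if acl_name:
        attrs += attr(FILTER_ID, acl_name.encode())   # NAS-local ACL name
    return build_coa_request(identifier, secret, attrs)


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the 20-byte header; reject malformed lengths."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_response(response: bytes, request: bytes, secret: bytes) -> Optional[int]:
    """Validate a CoA-ACK/NAK: identifier must match the request and the Response
    Authenticator must equal MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    Returns the packet code on success, None on any mismatch."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def coa_ack(request: bytes, secret: bytes) -> bytes:
    """What a NAS sends back on success; included so verify_response can be exercised offline."""
    header = struct.pack("!BBH", COA_ACK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"                     # constructed, not a real secret
    req = quarantine_request(7, secret, "host/lab-pc-07", "00-11-22-33-44-55", 999, "QUARANTINE-ACL")
    print("CoA-Request:", req.hex())
    print("NAS reply code:", verify_response(coa_ack(req, secret), req, secret))
```

The packet would normally be sent over UDP to port 3799 on the NAS; which attributes a given switch or controller accepts in a CoA (VLAN change, Filter-Id, or a vendor-specific role attribute) is platform dependent, so check the NAS documentation before relying on a particular combination. MD5 is what the protocol mandates, so the shared secret is the only thing protecting CoA from spoofing: keep the CoA path on a management network or inside RadSec (RADIUS over TLS).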