The correct answer is B. In Zero Trust architecture, the “who” is broader than just the username or authenticated person. It also includes the device context associated with that request. This is important because Zero Trust does not make access decisions based only on user identity. It also considers whether the device is trusted, managed, compliant, encrypted, protected by endpoint security, or otherwise suitable for the requested level of access.
That means the “who” can be understood as the user together with the device being used, since both contribute to the trust decision. A user on a managed endpoint with proper posture may receive a different access outcome from the same user on an unmanaged or risky device. This is a core Zero Trust principle because it prevents identity-only decisions from becoming overly permissive.
The other options do not best match this concept. The destination is part of access context, but it is not the added meaning of “who” in this question. Bare-metal server type and IaaS destination are unrelated to verifying the requesting identity. Therefore, the correct answer is the device, and understanding what levels of access that device has.