CompTIA DataX (CNX-001) — Question 37
A customer asks an MSP to propose a ZTA design for its globally distributed remote workforce. Given the following requirements:
- Authentication should be provided through the customer's SAML identity provider.
- Access should not be allowed from countries where the business does not operate.
- Secondary authentication should be added to the workflow to allow for passkeys.
- Changes to the user's device posture and hygiene should require reauthentication into the network.
- Access to the network should only be allowed to originate from corporate-owned devices.
Which of the following solutions should the MSP recommend to meet the requirements?
Answer options
- A. Enforce certificate-based authentication. Permit unauthenticated remote connectivity only from corporate IP addresses. Enable geofencing. Use cookie-based session tokens that do not expire for remembering user log-ins. Increase RADIUS server timeouts.
- B. Enforce posture assessment only during the initial network log-on. Implement RADIUS for SSO. Restrict access from all non-U.S. IP addresses. Configure a BYOD access policy. Disable auditing for remote access.
- C. Chain the existing identity provider to a new SAML. Require the use of time-based one-time passcode hardware tokens. Enable debug logging on the VPN clients by default. Disconnect users from the network only if their IP address changes.
- D. Configure geolocation settings to block certain IP addresses. Enforce MFA. Federate the solution via SSO. Enable continuous access policies on the WireGuard tunnel. Create a trusted endpoints policy.
Correct answer: D
Explanation
Option D is correct: it uses geolocation settings to restrict access from unauthorized locations, enforces MFA (which accommodates passkeys as the secondary factor), federates via SSO with the existing identity provider, and enables continuous access policies so that a change in device posture forces reauthentication; the trusted endpoints policy limits access to corporate-owned devices. Option A fails to address the need for secondary authentication and device posture changes. Option B does not provide adequate security measures for ongoing access and does not address the need for corporate device restrictions. Option C does not meet the specific access control needs outlined in the requirements.