What is Zero Trust, and how does it differ from perimeter-based security? [Intermediate]
Answer
Zero Trust assumes no network location is automatically trusted. Every request should be authenticated, authorized, encrypted, and continuously evaluated based on identity, device/workload posture, context, and least privilege. This differs from perimeter security, which trusts traffic once it is inside the network.
Technical explanation
Perimeter models fail when attackers compromise internal credentials, VPNs, or workloads and then use the lateral movement paths that an implicitly trusted internal network offers.
Zero Trust emphasizes identity-aware access, mTLS, strong authorization, segmentation, continuous monitoring, and explicit policy.
It is a security architecture direction, not a single product.
Hands-on example
For services, enable mTLS through a service mesh, authorize service-to-service calls with identities, restrict Kubernetes NetworkPolicies, use short-lived workload credentials, and log every privileged action for audit and anomaly detection.
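An added example (not from the original page) showing three of the controls in this list as cluster configuration: enforced mTLS, authorization by workload identity, and network segmentation. It assumes an Istio-style mesh and an illustrative namespace `shop` in which only the `frontend` workload may call `payments`; the namespace, labels and service-account names are placeholders.

```yaml
# 1. Require mTLS for every workload in the (assumed) namespace "shop":
#    plaintext is rejected, so every caller presents a mesh-issued, short-lived certificate.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# 2. Authorize service-to-service calls by the caller's workload identity (its
#    service-account SPIFFE ID), not by source IP; once an ALLOW policy selects
#    the workload, anything not listed is denied. Illustrative names throughout.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/shop/sa/frontend"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/charge"]
---
# 3. Segment at the network layer as well, so a compromised pod elsewhere in the
#    namespace cannot even open a connection to payments: ingress only from frontend.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: payments
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
```

The remaining items in the list, credential lifetime and privileged-action logging, come from the mesh's certificate rotation settings and the cluster's audit and access-log configuration rather than from these three resources.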