Zscaler ZTCA Exam - Topic 4 Question 3 Discussion

The correct answer is A. Over any network with per-access control. In Zero Trust architecture, access is provided to the specific application, not to the underlying network. This is a foundational design principle in Zscaler's Universal Zero Trust Network Access (ZTNA) guidance. Users can connect from any location and over any network, while policy is enforced per user, per device, per application, and per session. This differs from legacy approaches that first place the user onto the network and then rely on network segmentation or firewall rules to limit access.

Option B is incorrect because establishing a full network-layer connection is characteristic of legacy VPN-based access, which extends network trust and increases lateral movement risk. Option C is also incorrect because Zero Trust is not defined by building a virtual appliance stack in front of applications. Option D includes TLS, which is used in Zscaler architectures, but the key Zero Trust concept being tested is not merely encrypted transport; it is brokered, granular, per-access connectivity without exposing the application to broad network reachability. Therefore, the most accurate answer is A.