General Security Concepts · SY0-701 · Task 1.2

Zero Trust control and data planes — SY0-701

Master Zero Trust control and data planes for CompTIA Security+ SY0-701: components, plane separation, and the PEP's dual-plane role.

WHAT IT IS

In a Zero Trust Architecture (ZTA), network communication flows are separated into two distinct planes. The control plane carries the coordination and decision traffic used by the ZTA's logical components to manage access. The data plane carries the actual application and service data between subjects and enterprise resources. (Source: NIST SP 800-207, Section 3.4)

Zero Trust itself is defined by NIST as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised." (NIST SP 800-207, via NIST Glossary)

Mental model

Think of a locked building. The control plane is the intercom-and-key-management system that decides who is permitted and programs the electronic locks. The data plane is the hallway where approved visitors actually walk. The two systems are intentionally separate: even if someone intercepts hallway traffic, they cannot reach the decision-making system, and vice versa.

NIST SP 800-207 defines three core logical components whose roles map directly onto this separation:

| Component | Abbreviation | Lives on | Role (per NIST SP 800-207) |
|---|---|---|---|
| Policy Engine | PE | Control plane | "Responsible for the ultimate decision to grant access to a resource for a given subject"; makes and logs the decision |
| Policy Administrator | PA | Control plane | Executes the PE's decision; configures the PEP to allow or shut down a session; communicates with the PEP via the control plane |
| Policy Enforcement Point | PEP | Both planes | "Responsible for enabling, monitoring, and eventually terminating connections"; must send and receive messages from both planes |

The PE and PA together form the Policy Decision Point (PDP). The PDP makes the ruling; the PEP enforces it.

When to use it

The exam question is almost always one of these: Which component makes the access decision? Which component executes it? Which plane carries ZTA coordination traffic versus user data?

| If the question asks about… | The answer involves… |
|---|---|
| Deciding whether to grant access | Policy Engine (PE) |
| Opening or closing a session pathway | Policy Administrator (PA) |
| Physically allowing or blocking a connection | Policy Enforcement Point (PEP) |
| How PE/PA/PEP coordinate with each other | Control plane |
| How a user's actual application data moves | Data plane |
| Which component touches both planes | PEP |

COMMON MISCONCEPTION

Candidates often assume the PEP belongs entirely on the data plane because it "enforces" access to resources. That is incorrect.

NIST SP 800-207 is explicit: "The PEPs must be able to send and receive messages from both the data and control planes." The PEP sits at the boundary. It receives its instructions through the control plane (from the PA), and it gatekeeps the data plane connection for the subject. Treating the PEP as purely a data-plane component misses its dual role and leads to wrong answers on component-placement questions.

A related trap: the PE makes the decision and the PA executes it. The two are distinct logical components, even though some implementations may combine them. Exam items may give a scenario and ask which component is responsible for "configuring the PEP" (PA) versus "running the trust algorithm" (PE).

How it shows up on the exam

The cognitive target for this concept is application — recognizing which ZTA component or which plane is involved in a described scenario. Candidates are often given a short scenario and must select the matching component or plane.

Signal phrases to watch for:

  • "grant, deny, or revoke access" → Policy Engine
  • "establish or shut down a communication path" → Policy Administrator
  • "enable, monitor, or terminate a connection" → Policy Enforcement Point
  • "coordination between ZTA components" → control plane
  • "application or service data traffic" → data plane
  • "logically separate" or "not directly accessible by enterprise assets" → the required separation of the two planes

A common misconception exam items exploit is that network location confers trust. NIST SP 800-207 states that zero trust "assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location." Exam items testing this may frame a scenario around a device on the corporate LAN and ask whether that alone is sufficient for access.
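The component split and plane separation described above can be made concrete in a small simulation. The following is an added example written for this page, not code from NIST SP 800-207 or from any vendor product: a Policy Engine that runs a per-request trust algorithm and logs each decision, a Policy Administrator that translates that decision into PEP configuration over a control-plane channel, and a Policy Enforcement Point that is the only component also carrying data-plane traffic. The entitlement table, the device-compliance flag and the subject and resource names are constructed inputs, and the request carries a network field only to show that the PE never consults it.

```python
"""Toy model of the NIST SP 800-207 component split (constructed example).

PE and PA speak only on the control plane; the PEP is configured over the
control plane and gatekeeps the data plane, so it is the one component that
touches both. Names and policy data below are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


class ControlPlane:
    """Coordination channel shared by PE, PA and PEP. Every message is logged
    so a reader can see exactly which components talk on this plane."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, str, tuple]] = []
        self._handlers: Dict[str, Callable[[tuple], None]] = {}

    def register(self, component: str, handler: Callable[[tuple], None]) -> None:
        self._handlers[component] = handler

    def send(self, sender: str, receiver: str, message: tuple) -> None:
        self.log.append((sender, receiver, message))
        self._handlers[receiver](message)


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    device_compliant: bool
    network: str  # "corporate-lan" or "internet"; present only to show the PE ignores it


class PolicyEngine:
    """Control plane. Runs the trust algorithm and logs every decision."""

    def __init__(self, entitlements: Dict[str, Set[str]]) -> None:
        self.entitlements = entitlements  # constructed subject -> allowed resources
        self.decision_log: List[Tuple[str, str, str]] = []

    def decide(self, req: AccessRequest) -> str:
        # Per-request, least privilege: identity entitlement AND device posture.
        # req.network is deliberately not an input: no implicit trust by location.
        entitled = req.resource in self.entitlements.get(req.subject, set())
        decision = "grant" if entitled and req.device_compliant else "deny"
        self.decision_log.append((req.subject, req.resource, decision))
        return decision


class PolicyAdministrator:
    """Control plane. Executes the PE's decision by configuring the PEP."""

    def __init__(self, pe: PolicyEngine, control: ControlPlane) -> None:
        self.pe = pe
        self.control = control

    def handle(self, req: AccessRequest) -> str:
        decision = self.pe.decide(req)
        action = "open_path" if decision == "grant" else "close_path"
        # The PA never carries application data; it only instructs the PEP.
        self.control.send("PA", "PEP", (action, req.subject, req.resource))
        return decision


class PolicyEnforcementPoint:
    """Both planes: configured via the control plane, gatekeeps the data plane."""

    def __init__(self, control: ControlPlane) -> None:
        self.open_paths: Set[Tuple[str, str]] = set()
        self.data_plane_log: List[Tuple[str, str, str, bool]] = []
        control.register("PEP", self.on_control_message)

    def on_control_message(self, message: tuple) -> None:
        # Control-plane side: enable or terminate the subject's session path.
        action, subject, resource = message
        if action == "open_path":
            self.open_paths.add((subject, resource))
        else:
            self.open_paths.discard((subject, resource))

    def forward(self, subject: str, resource: str, payload: str) -> bool:
        """Data-plane side: pass application traffic only over an open path."""
        allowed = (subject, resource) in self.open_paths
        self.data_plane_log.append((subject, resource, payload, allowed))
        return allowed


def build_zta(entitlements: Dict[str, Set[str]]):
    """Wire up one PDP (PE + PA) and one PEP around a shared control plane."""
    control = ControlPlane()
    pe = PolicyEngine(entitlements)
    pa = PolicyAdministrator(pe, control)
    pep = PolicyEnforcementPoint(control)
    return control, pe, pa, pep


if __name__ == "__main__":
    control, pe, pa, pep = build_zta({"alice": {"payroll-db"}})
    # A device on the corporate LAN gets nothing from its location alone.
    print(pa.handle(AccessRequest("bob", "payroll-db", True, "corporate-lan")))
    print(pa.handle(AccessRequest("alice", "payroll-db", True, "internet")))
    print(pep.forward("alice", "payroll-db", "GET /report"))
    print(control.log)
```

Running the module walks through the exam scenarios in order: an unentitled subject on the corporate LAN is denied even though it is "inside", an entitled subject on the internet is granted after the PA opens the path, and the control-plane log shows only PA-to-PEP configuration messages, never user data. Re-submitting a request with a non-compliant device makes the PA close the path, which is the "eventually terminating connections" part of the PEP's role.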

Related concepts

  • CIA Triad — the foundational confidentiality, integrity, and availability goals that Zero Trust architecture is designed to protect
  • Non-repudiation — the assurance property enforced when the PE logs every access decision
  • AAA Framework — authentication and authorization are the discrete per-request functions Zero Trust mandates before any session is established

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
