In zero trust architecture, which component defines policy and makes access decisions?

Prepare for the Information Security Principles and Frameworks Test. Enhance your understanding with detailed questions, hints, and explanations. Ace your exam with confidence!

Multiple Choice

In zero trust architecture, which component defines policy and makes access decisions?

Explanation:
Policy-based access decisions are central to zero trust. The component that defines the rules and evaluates requests against those rules is the policy engine, often acting as the Policy Decision Point. It uses attributes like who is requesting, where they’re coming from, the device posture, and current context to determine whether to permit or deny access. The data plane simply carries the approved traffic; it doesn’t define policy or make decisions. The identity store provides identities and attributes for policy evaluation but does not itself set policies or decide access. The control plane handles management and signaling for network devices, not the policy evaluation logic. So, the policy engine is the component that defines policy and makes access decisions.
