The correct answer is B . In Zero Trust architecture, application connectivity is not treated as identical across all destinations . Each application must be evaluated according to its business purpose, sensitivity, exposure, trust level, data handled, user population, and enterprise risk tolerance . This is a core departure from legacy network-centric design, where many applications were reached through the same broad network access model once a user was connected.
Zero Trust instead applies application-specific and context-aware access control . An internal private application, a sanctioned Software as a Service (SaaS) platform, an unmanaged external website, and a high-risk destination should not all receive the same access treatment. Some may require direct allow, some may require isolation, some may require additional inspection, and some may need to be blocked entirely.
This is why Zero Trust policy is granular rather than uniform. The architecture assumes that connectivity decisions must reflect risk . Application location alone does not determine trust, and neither does function alone. The enterprise must decide how each destination is handled based on its overall risk profile and policy requirements. Therefore, the statement is false.
