# Remote Access Operations (VPN/ZTNA/Bastions)

One-sentence definition: Secure, monitored access for users/admins from untrusted networks.

## Key Facts

- Enforce MFA and device posture; prefer app-level ZTNA over full-tunnel VPN.
- For admins: bastions with session recording and JIT access.
- Limit split tunneling; monitor for anomalies; rotate certs/keys.
- Document access approvals and periodic recertification.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Prefer ZTNA + bastions for reduced lateral movement.

**Mnemonic:** “**Least** access, **logged** access.”

## Mini Scenario

Q: Contractor needs DB support. How do you grant access?
A: ZTNA to bastion; JIT role; session recorded; auto-expire.

## Revision Checklist

- Two controls for users.
- Admin-specific control.
- Recertification need.

## Related

[[Secure Administration and Out-of-Band (OOB) Access]] · [[Zero Trust Network Access (ZTNA)]] · [[Privileged Access Management (PAM) and JIT JEA]] · [[Conditional Access Policies (Risk Device Location)]] · [[Domain 7 - Index]]