ZPA Access Policy rules use identity, user/group, device posture, and contextual signals to decide private-application access. Valid criteria are enforcement attributes that ZPA can evaluate, such as group membership, risk score, domain-joined state, and certificate trust. Option B (Yes. Controls for segmentation and conditional access are part of the Access Control Services) is correct because all listed criteria are legitimate policy inputs for ZPA access decisions.
Why the other options are incorrect:
A. No. Access Control Services will only control access to the Internet and cloud applications: Access Control Services are not limited to internet and cloud-app access. They also include segmentation and conditional access patterns that reduce lateral movement.
C. Yes. The Cloud Firewall will detect network segments and provide conditional access: Zscaler Cloud Firewall enforces network-service and application rules for non-web and firewall-controlled traffic.
D. No. The endpoint firewall will detect network segments and steer access: Endpoint firewalls can filter traffic locally on a device. The Zscaler Access Control suite prevents lateral movement through segmentation and conditional access, not by relying on each endpoint firewall.