Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
CSA Training
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
CSA Training
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
ChaptersEventsBlog
Get Free Early Access to TAISE Module 3! Sample the Certificate Experience Today!

Achieving Resilience Through Zero Trust

Published 08/29/2025

Home
Industry Insights
Achieving Resilience Through Zero Trust
Written by Alex Sharpe, Managing Director at Sharpe42.

“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” - Sun Tzu

“Resilience is the ability to remain viable amidst adversity." Historically, we believed as an industry we could prevent incidents by the deliberate implementation of defenses. The few that got through would easily be addressed by the technical staff or would be covered by insurance (risk transfer). We also believed technical defenses were sufficient. After all, it is the digital assets under attack.

That is no longer the case. Incidents happen too often. Incidents are too disruptive, taking businesses offline for days, weeks, or even months. The impact to the business is too great. Too much to be covered by insurance. The long tail can last years with resulting lawsuits and loss of digital trust lasting years.

The malicious actors understand that many years of implementing technical controls have made these technical controls our strongest defense, so they go around them by attacking the people, the process, and the organizational dimensions. Most agree attacks on the human dimension (social engineering) are key to north of 90% of incidents. Some believe the number is 98%.

What to do? The solution is simple, but it takes execution. Instead of just focusing on technical defenses we focus on the technology, the people, the process, and the organizational dimensions through the entire cyber lifecycle of protecting, detecting, and recovering. NIST decomposes this into the five phases (Identify, Protect, Detect, Respond, Recover) in the Cyber Security Framework (CSF). There is no material difference in principle.

This is graphically represented:

cyber lifecycle phases

Resilience builds upon this in crucial ways.

No longer treat the delivery of products and services as either on or off like we did with Disaster Recovery (DR) and Business Continuity (BC).

Rather we look for ways of remaining “viable amidst adversity.” The military refers to this as “mission assurance.” Instead of being on or off, alive or dead, we operate above Minimum Viable Service Levels (MVSL) until we can fully restore.

An easily understandable example is a municipal water supply taken offline by a cyber incident. The MVSL may be that emergency services (e.g., fire) and hospitals can go without municipal water for no more than two hours. No more than 10k people will be without municipal water for more than 24 hours. In resilience, we prioritize according to business need (or the mission) while also engaging alternative strategies to get us through.

Look for alternate strategies.

To remain viable, the main strategy must include alternative strategies. Note that the above example says “municipal water.” Fire trucks can be supported by tanker trucks full of water, hospitals can have stand-alone water supplies, and constituents can be supplied with bottled water and tanker trucks until municipal water is fully restored.

Use of the Business Impact Analysis (BIA) to increase alignment between the business strategy, the security architecture, and operations.

Resilience takes alignment and an understanding of dependencies. Let’s face it, nobody has unlimited resources and not all services are created equal. Knowing our priorities helps focus our attention and allocation resources.

Focus on external dependencies.

Our world is more interconnected than ever. We rely on Cloud Service Providers (CSP), Managed Service Providers (MSP), and Managed Security Service Providers (MSSP). Historically, our plans focused heavily on our internal systems, internal assets, and internal dependencies. To be successful now, we have no choice but to look at external dependencies. Think about what services you are not available to deliver to your customers if your CSP or SaaS provider experiences a significant outage. Verizon’s 2025 Data Breach Investigation Report (DBIR) shows 30% of incidents are the results of a third party. That is doubled from the previous year. Others like Security ScoreCard and Marsh believe the percentage is almost twice as much.

 

The role of Zero Trust

A quick review of the Zero Trust Guiding Principles shows an alignment between Zero Trust and resilience.

  • Begin with the End in Mind (Business / Mission Objectives)
  • Do Not Overcomplicate
  • Products are Not the Priority
  • Access is a Deliberate Act
  • Inside Out, not Outside In
  • Breaches Happen
  • Understand your Risk Appetite
  • Ensure the Tone from the Top
  • Instill a Zero Trust Culture
  • Start Small and Focus on Quick Wins
  • Continuously Monitor

Zero Trust’s foundational concepts of always verifying identity and access controls are essential to building resilience. Both Zero Trust and resilience employ techniques to reduce the blast radius, thereby reducing the impact and fostering faster recovery. Both employ techniques to continuously monitor. The key difference is resilience is a much broader business imperative. Everything you do for Zero Trust fosters resilience.

 

What’s Next

CSA formed a joint working group with the Financial Services Leadership Council and Zero Trust Task Force. We are on track to have a draft “Zero Trust Guidance for Building a Resilient Enterprise” out for review this fall. Additional contributors are always welcomed.

Enhancing cloud security strategyZero TrustIdentity and Access ManagementCloud Incident Response

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
The First AI Model Security Leaderboard
Register for the AI Agent Security Summit in San Francisco
Open Peer Review: Key Management in Cloud Services 2025
Unlock Cloud Security Insights

Unlock Cloud Security Insights

Choose the CSA newsletters that match your interests:

Subscribe to our newsletter for the latest expert trends and updates

Secure your cloud data with Zero Trust Training
Related Articles:
Identity Security: Cloud’s Weakest Link in 2025

Published: 09/19/2025

Why I'm Joining CSA

Published: 09/16/2025

The Third-Party Access Problem: The Elephant in the Room for Every CISO’s Identity Strategy

Published: 09/16/2025

Reflecting on the 2024 Microsoft Breach

Published: 09/15/2025