CCZT: A Major Milestone on the Zero Trust Journey

My personal history in cybersecurity began in the very early days of the commercialization of the nascent Internet. I started out as a firewall guy in 1992, primarily because my customers relied on firewalls to protect their network perimeters. Firewall implementation was underpinned by a simple principle: trust the internal network and distrust the external. The default template for firewall policies was “Everything is denied except that which is explicitly allowed.” However, this binary trust model had limitations. As an explosion in the usage of the World Wide Web paralleled rapid expansion of an organization’s private network, network architectures became much more complicated. Early firewalls experienced “policy entropy” as administrators struggled to keep up with policy changes and were forced to poke so many holes in the firewall that it began to resemble Swiss cheese.

The continued growth in the Internet caused the limitations of traditional perimeter-based security to become increasingly evident. An organization that caught my eye while working for the Information Systems Security Association was the Jericho Forum, launched in 2004. They proposed the concept of de-perimeterisation (spelled in UK English in a nod to where a majority of the founders came from), a model where security is not defined by the location (inside or outside the perimeter), but by where the data resides, how it's accessed, and by whom. The other related development I observed around this time was the emergence of web application firewalls, which showed that networks were an insufficient construct for a security policy.

The term "Zero Trust" was coined by John Kindervag in 2010 while he was a principal analyst at Forrester Research. Kindervag's work provided a new framework for cybersecurity, pivoting away from traditional, perimeter-based models. Zero Trust is based on the principle of never trust, always verify, meaning that no entity, inside or outside the network, is trusted by default. Access to resources is granted based on strict verification and least-privilege access. It was a great articulation of the principles, but did not catch on immediately.

At the Cloud Security Alliance, volunteer experts experienced with DoD Orange Book security started a working group around the concept of a Software-Defined Perimeter (SDP) in 2014. While there were many volunteers involved, Junaid Islam and Bob Flores were the original instigators. SDP is a security framework that restricts network access to an organization's resources, creating a virtual boundary around them. The impetus was to “cloudify” the traditional hardware perimeters specified in Orange Book security. In recent years, the late Juanita Koilpillai was one of our most active leaders of SDP.

The RSA Conference in February of 2020 was held under the shadow of a mysterious new virus. It would prove to be one of the world’s last major conferences before large gatherings were shut down due to COVID-19. In my observation, the pandemic caused tremendous interest in Zero Trust. As businesses sent workers home with no notice, they found out that tremendous amounts of their security strategies were based upon trust in entities that no longer existed, such as controlled physical access to computer systems. Since that time, there has been an aggressive, whole-of-industry effort to adopt Zero Trust as a strategy to build security that is resilient and flexible by rooting out areas of implicit trust. The US Federal Government has notably taken the lead, starting with the executive order in 2021.

Today the Cloud Security Alliance launched our Certificate of Competence in Zero Trust (CCZT). This is an online examination supported by training and self-study options. I am very proud of the work our team has done and the support we have received from numerous volunteers around the world. I think you will find that CCZT is very well aligned with the US Federal Government, carefully referencing works from NIST, DoD, and CISA.

If you go back to the beginning of my story with early Internet firewalls, you might ask why Zero Trust will succeed. My belief is that adoption is succeeding because of timing. Today we have a multitude of automation and orchestration technologies, primarily due to the cloud revolution. We always had good intentions, but having frameworks like DevOps and tools to deploy infrastructure and policy as code are enabling Zero Trust at scale. As the Cloud Security Alliance begins its journey in securing Generative AI, I think we will find that Zero Trust is an excellent framework for protecting the massive data protection challenge that Large Language Models (LLMs) present.

Thank you to everyone who has been a part of this major milestone in Zero Trust. I have no doubt that we have a lot of work in front of us, but I am hopeful that many of you look into the Certificate of Competence in Zero Trust (CCZT) as part of your personal cybersecurity journey and as a linchpin of your organization’s Zero Trust strategy.