CSA’s New Zero Trust Training and Why It's Needed
Published 10/10/2022
Zero Trust has possibly been the most mentioned concept in the cybersecurity arena over the last 12 months. For some, it is a revolutionary approach. For others, it is an evolution of a series of trends already ongoing for over a decade. Finally, there are people who consider it just a buzzword and new marketing stratagem to sell products.
Personally, I’m in the field of those who believe that it is a fantastic marketing locution that has the merit of summarizing under a coherent framework an evolutionary approach to cybersecurity. This approach aims to revisit the classical logic of security and push toward the idea of embedding security from the inside out.
In other terms: In my opinion, John Kindervag has the merit to bring under a coherent framework a few common sense approaches to modern cybersecurity (e.g., critical-assets-centric protection, least privilege, segregation of duties, context-based access policies, evidence-based trust, etc.) and give this framework a catchy name.
Industry Need
No matter which camp you are in, I think it is undeniable that there is a lot of confusion in the industry, and there are a lot of organizations that need support and guidance in their Zero Trust journey. Now, the choice of the word ‘journey’ is not casual, since Zero Trust is not a stand-alone project, but is a group expedition toward a moving target, with no final destination. The ultimate goal is a self-improving organization.
During this group journey, different skills and expertise are going to be required. The organization needs leaders to build a Zero Trust strategy, governance, and risk posture; data and assets owners to record and classify assets and define the right policies; infrastructure and network architects to define the IT and service structure; identity experts to design and improve IAM approaches; developers to build the right logic, orchestrations, and controls into the development pipelines, applications, and API; security experts to protect devices and built and automate controls; data analysts to make good use of the data/telemetry sources; etc.
In some cases, the necessary skills and expertise are already there; after all, we already see examples of cloud-native and Zero Trust-native companies. In other cases (possibly the majority), new knowledge would need to be acquired.
What CSA is Doing
CSA has made Zero Trust one of its strategic goals for the upcoming years and in March, we launched a flagship initiative called the Zero Trust Advancement Center (ZTAC). In this context, we are going to create an educational program that will include a comprehensive Zero Trust training curriculum and professional certificate. The training curriculum has the ambition to cover all the critical areas of the Zero Trust philosophy. It is structured in eight areas of knowledge:
- Zero Trust Strategy and Governance, Risk, and Compliance
- Zero Trust Architecture
- Zero Trust Planning and Implementation
- Visibility, Analytics, and Monitoring
- Identity
- Data, Assets, Applications, and Services (DAAS)
- Device Security
- Applications and Workloads
We are now unveiling the Zero Trust Training Curriculum and its high-level learning objectives. You can download the curriculum overview here.
In the upcoming weeks, we’ll start releasing the initial modules of our training. We’ll start with an Introduction to Zero Trust Architecture, followed by a series of three modules on Software-Defined Perimeter (SDP).
The fact that CSA has focused its initial effort on the networking component of Zero Trust doesn’t mean that we consider that a priority. We do recognize though, that ‘network’ seems to be the most mature area within the Zero Trust pillars and the one where the most literature and best practices have been created. Anecdotally, CSA initiated its Zero Trust research in 2013 with the SDP Working Group.
Expect additional modules on Zero Trust Planning and Implementation to be released at the beginning of 2023.
You can now develop and demonstrate an in-depth understanding of Zero Trust with CSA’s Certificate of Competence in Zero Trust (CCZT). Learn more here.
Related Articles:
Zero Standing Privileges (ZSP): Vendor Myths vs. Reality
Published: 11/15/2024
Modernization Strategies for Identity and Access Management
Published: 11/04/2024
Dispelling the ‘Straight Line’ Myth of Zero Trust Transformation
Published: 11/04/2024