
CSA ZTAC: Addressing the Challenges of Implementing Zero Trust

Published 02/16/2023

Written by Illena Armstrong, President, CSA.


Catching up with industry friends and other professional contacts about the developments of our Zero Trust Advancement Center (ZTAC) and the various activities underpinning it during industry events has proven pretty enlightening. The establishment, or even implementation, of zero trust (ZT) strategies is all over the place, with some organizations well on their way and others only just beginning the necessary research. A voiced commonality among them all is a state of confusion:

  • Confusion about the appropriate pillars that ground zero trust strategies and technological deployments in their businesses;
  • Confusion about the applicable extent of a zero trust implementation and how partners play roles;
  • Confusion about what technologies and services soundly fit into their tech stack, especially when considering the legion of marketers touting their products’ and services’ zero trust applications; and
  • Frustration about all this confusion and how it impacts educating the rest of their C-suite and executive boards whose support is necessary for the successful execution, evolution, and maintenance of a zero trust plan.

A major challenge is just how complex implementation of a zero trust strategy can be in an already well-established cybersecurity infrastructure for both on-premises and cloud-based systems. As one of our CxO Trust Advisory Council members recently shared with me, “ZT integration of technologies is non-trivial. The consumer or end-user will face ‘experience’ impacts if there is slowness in performance (due to various technologies supporting the protection layer). In addition, there is potential operational debt if we pile up more tech without day-two maintenance in mind.”

From his perspective, when it comes to enabling corporation-wide adoption of zero trust, agreeing on a common platform and leveraging the use of cloud-native security controls are just some of the key enablers. Then there’s ensuring that whatever plan or approach is decided on takes into account on-premises services and applications.

“These are areas that may not have the full suite of ZT coverage due to legacy apps/services or application infrastructure that is designed to be highly secured (air-gapping and more),” he said. Helpful to addressing these challenges would be a “general architect’s view on a ZT model” that could support driving a discussion on use cases that would enable a more phased and methodical implementation of zero trust, he explained further.

These and other areas of need associated with zero trust strategy development and implementation across an entire organization's IT ecosystem are exactly where CSA’s ZTAC initiative comes into play. For example, as part of our organization of the workstreams that compose our ZTAC research working group efforts, we note that the scope of the resulting guidance and other documentation will include cloud and on-premises environments, along with mobile endpoints, IoT (Internet of Things) technologies, and more. Our nine different ZTAC working group pillars see workstream groups covering Data, Applications & Workloads, and much more to ensure that we are thoroughly addressing the specific requirements of a ZT implementation and its associated architecture. And hundreds of subject-matter experts from the wider industry are participating in and helping to drive the many frameworks, guidance, and other useful outputs that these nine working groups covering the critical areas of zero trust are creating and releasing.

Additionally, a strategic group of experts from enterprises, government entities like CISA, and service providers is participating in our ZTAC Steering Committee to help us ensure that all of the offerings – from events, workshops, research, and frameworks to zero trust training curriculum and our Certificate of Zero Trust Knowledge – that we have already released or will be sharing soon are meeting the challenges CxOs are facing. They also are working with us to engage with current or new partners as needed to align with existing global standards and frameworks.

ZTAC is a great and needed work in progress led by CSA and a wider coalition of industry volunteers and experts. Through this initiative we’re looking to ensure that we help arm today’s CxOs with the tools and knowledge they need to successfully implement a zero trust strategy and infrastructure that is technology-neutral and is bolstered by best practices relevant to those technologies that have yet to be invented. It’s a necessary vendor-neutral initiative with a mighty long view that also takes into account the immediate needs we all face today. We’re excited about the knowledge base and educational offerings that we’ve made available so far and are greatly looking forward to our continued work with all of you to keep that flow of essential information, intelligence, guidance, training, and so much more progressing.
