Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog

Long Standing Foundations of Zero Trust

Home
Industry Insights
Long Standing Foundations of Zero Trust

Blog Article Published: 09/26/2023

Written by Alex Sharpe, Managing Director at Sharpe42.

Looking under the covers of Zero Trust, it quickly becomes apparent some long-time security principles are at work. These principles are applied differently than we historically did because of changes in the way we now work and live, combined with advances in technology and threats. When viewed as a tool, Zero Trust becomes a foundation for cybersecurity, for privacy, and to reduce the cost of compliance.

The most fundamental principle of Zero Trust is Identification and Authentication (IA). Major standards like NIST 800-63, 800-171, NIST 800-53, and ISO 27001, dedicate entire domains to this principle. Identities must be verified commensurate with the risk level of assets. It cannot be inferred or presumed like we did when a finite set of assets could be collected behind a strong physical perimeter of walls, fences, guards, guns, and sensors. A source of truth for identities is critical to achieving Zero Trust. Identities must be managed throughout the entity’s life-cycle. They must be reviewed regularly and as roles change. It is also good to review access with major technological changes like adoption of the Cloud or an organizational change like an acquisition.

The Concept of Least Privilege is defined by each standards body. While the words may be different, the spirit remains the same. NIST 800-171 AC.3.1.5 talks to the Concept of Least privilege as “…each entity is granted the minimum system authorizations and resources that the entity needs to perform its function.” By limiting access to what is required, both sites of the standard risk equation are improved - the likelihood of an incident is reduced while the impact of an incident is also reduced.

Concept of Least Functionality, also referred to as hardening, limits the use of only essential capabilities while prohibiting (or restricting) non-essential functions, ports, protocols, and/or services that are not integral to the operation. Basically, what is not required to operate is disabled or removed so it cannot be used against us. NIST 800-171 documents the Concept of Least Functionality in NIST 800-171, CM 3.4.6. Common examples include the Security Technical Implementation Guides (STIGS) produced by the US Defense Information Systems Agency (DISA) (aka, the DISA STIGS) and the Critical Security Controls produced by the Center for Internet Security (aka CIS Controls).

Separation of Duties refers to the principle that no user should be given enough privileges to misuse the system on their own. NIST 800-192 entitled Verification and Test Methods for Access Control Policies/Models is a good resource. Separation of Duties is also well understood across other disciplines. Despite its history, Separation of Duties is not widely appreciated as a tool for cybersecurity. It is widely implemented in finance and mandated for many financial institutions. The military makes extensive use of the concept to prevent unauthorized use of weapons including nuclear weapons.

Separation of Duties is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.

Separation of Roles. Is often conflated with Separation of Duties. The distinction is simple. Separation of Roles recognizes an individual may have different roles within an organization. For example, a highly privileged system administrator is also an employee. Treating each separately helps ensure compromising one does not compromise the other while also reducing confusion and mistakes. The details are sprinkled throughout different NIST control domains: Access Control (AC), Audit & Accountability (AU), Identification & Authentication (IA), Maintenance (MA), Risk Assessment (RA or RM), and the System & Communications Protection (SC).

In summary, the many foundations of Zero Trust are not new. They are long-standing security principles applied differently to align with the way we work and live today, accommodating new threats, and advances in technology. When viewed correctly, Zero Trust forms a foundation for security, privacy, and compliance instead of a series of one-off initiatives.


Develop and demonstrate an in-depth understanding of Zero Trust with CSA’s Certificate of Competence in Zero Trust (CCZT). Learn more here.

Identity and Access ManagementZero Trust

Share this content on your favorite social network today!

Future Cloud
Related Resources
Zero Trust Advancement Center
Tools and resources to guide your Zero Trust implementation.
Y2Q - The Quantum Countdown
The countdown to quantum destruction has begun, are you ready?
Global Security Database
Understand vulnerability discovery, reporting, tracking, and classification.
Latest from CSA
Virtual Cloud Trust Summit 2024
AT&T Cybersecurity in Seattle
This Year’s Zero Trust Opportunity for Security Professionals
Trending This Week
#1 CCSK vs CCSP: Unbiased Comparison
#2 Demystifying Secure Architecture: Review of Generative AI Based Products and Services
#3 Managing Cloud Misconfiguration Risks
#4 Five Approaches for Securing Identity in Cloud Infrastructure
#5 Clarifying 10 Cybersecurity Terms
Secure your cloud data with Zero Trust Training
Related Articles:
Automation is Key: DHS Report Unveils Lessons from the Microsoft Exchange Incident

Published: 05/02/2024

Defining Cloud Key Management: 7 Essential Terms

Published: 05/01/2024

The Future of Cloud Cybersecurity

Published: 04/29/2024

This Year’s Zero Trust Opportunity for Security Professionals

Published: 04/26/2024