Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog

What is Zero Trust Security?

Home
Industry Insights
What is Zero Trust Security?

Blog Article Published: 09/29/2023

Written by the CSA Zero Trust Working Group.

Zero Trust, as defined by NIST, is a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Here are 11 guiding principles to follow as you journey into the realm of Zero Trust security.


1. Begin with the End in Mind

Zero Trust is a modern approach that breaks away from the old model of assuming good actors are inside and bad actors are outside. Today, organizations live in an ecosystem that is distributed and, quite often, global. Zero Trust is designed to align the security architecture with the organization’s distributed workforce and technology model that does not have an inside and an outside. Beginning with the end in mind means having a clear vision of your desired direction and destination, allowing you to realize faster results while avoiding burnout.


2. Do Not Overcomplicate

The Zero Trust model aligns with modern lifestyles and isn't overly complex. Security controls that are preventative, detective, and corrective (or reactive) form the basis of Zero Trust principles. These controls include:

  • Least-privilege access (preventative)
  • Separation of duties (preventative)
  • Segmentation (preventative)
  • Logging and monitoring (detective)
  • Configuration drift remediation (corrective/reactive)


3. Products Are Not the Priority

Zero Trust security focuses on people, processes, and organization rather than tech. Prioritize these aspects for a stronger long-term strategy.


4. Access is a Deliberate Act

The Zero Trust model ditches physical perimeters, adapting to a global, remote, and tech-driven landscape. It relies on precise user identification, making identity verification essential before access authorization. Access decisions now involve business owners, with IT as custodians.


5. Inside Out, Not Outside In

With Zero Trust, instead of asking “What are we trying to defend against?”, you need to ask “What are we trying to protect?” Legacy security models rely on a strong outer perimeter. These models presume anyone on the inside is good and anyone on the outside is bad. With de-perimeterization progressing over the last several years, more people and assets are outside than inside.


6. Breaches Happen

Presuming 100% protection against data breaches is unrealistic. Zero Trust security verifies identities before granting access to assets, focusing on resilience, not just security. Segmentation and micro-segmentation help with reducing incident impact by restricting lateral movement.


7. Understand Your Risk Appetite

Risk appetite sets an organization's risk threshold. The CIA Triad is a fundamental InfoSec model that assesses potential harm to assets:

  • Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
  • Integrity: The property that data has not been altered or destroyed in an unauthorized manner.
  • Availability: The property of being accessible and usable upon demand by an authorized entity.


8. Ensure the Tone from the Top

The Zero Trust model requires organization-wide collaboration. An executive sponsor, ideally from the Board of Directors or senior leadership, is essential.


9. Instill a Zero Trust Culture

Zero Trust security is a shared responsibility, extending beyond IT and the CISO. Embed Zero Trust principles in training to empower all employees for enhanced cyber resilience.


10. Start Small and Focus on Quick Wins

Getting leadership support is easier when you start with a small, low-cost pilot project. This helps showcase the shift in security and its value. Taking on too much and aiming for a bigger win that takes longer can mire a project and correlate an organization’s Zero Trust efforts with failure rather than success.


11. Continuously Monitoring

Knowing that bad actors often compromise the accounts of valid users, and malevolent insiders often attempt to exceed privileges to suit their needs, it’s important to monitor and log events. Monitoring and maintaining a Zero Trust infrastructure involves regular auditing of access privileges, continuous monitoring of network behavior, maintaining up-to-date security patches, conducting risk assessments, and reinforcing user security awareness.

For more details about these 11 principles and how to get started on your Zero Trust journey, check out CSA's Zero Trust Guiding Principles publication.

To develop and demonstrate an in-depth understanding of Zero Trust, consider earning CSA’s Certificate of Competence in Zero Trust (CCZT).

Zero TrustTransitioning to the cloud

Share this content on your favorite social network today!

Future Cloud
Related Resources
Zero Trust Advancement Center
Tools and resources to guide your Zero Trust implementation.
Y2Q - The Quantum Countdown
The countdown to quantum destruction has begun, are you ready?
Global Security Database
Understand vulnerability discovery, reporting, tracking, and classification.
Latest from CSA
Virtual Cloud Trust Summit 2024
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Secure your cloud data with Zero Trust Training
Related Articles:
This Year’s Zero Trust Opportunity for Security Professionals

Published: 04/26/2024

How to Prepare Your Workforce to Secure Your Cloud Infrastructure with Zero Trust

Published: 04/24/2024

What’s in a Name? Defining Zero Trust for Leaders

Published: 04/22/2024

Do You Know These 7 Terms About Cyber Threats and Vulnerabilities?

Published: 04/19/2024