Download Publication

Who it's for:
- Zero Trust implementation teams
- Security managers, architects, and analysts
- Business system owners
- CISOs
- Compliance officers
Map the Transaction Flows for Zero Trust
Release Date: 11/18/2024
The NSTAC Report to the President on Zero Trust defines five steps to implementing a Zero Trust security strategy. This publication provides guidance on executing the second step: mapping transaction flows for the protect surface. CSA is developing separate research documents to elaborate detailed guidance for each of the five steps. Explore Step 1, defining the protect surface, in our first publication.
The Zero Trust protect surface consists of Devices, Assets, Applications, and Services (DAAS). Mapping the transaction flows establishes granular visibility into communication between these elements, with other protect surfaces, and with users and external services. This helps you understand how the business system works before defining security policies in subsequent steps.
The mapping methods explored in this document include comprehensive system analysis and leveraging scanning tools. The document also delves into how these methods can help refine protect surfaces and design Zero Trust architectures. Additionally, it outlines the benefits of mapping transaction flows and provides a maturity model for evaluating the effectiveness of transaction flow mapping practices.
Navigate the complex task of understanding system architecture, transaction flows, and security maturity within the Zero Trust security model. Enhance your cybersecurity resilience and establish a foundation for enforcing an adaptive and robust security posture in your organization.
Key Takeaways:
- A review of Zero Trust strategy and the five-step Zero Trust implementation process
- How to validate the protect surface’s DAAS elements and refine their metadata
- How to identify and document users of the protect surface and the types of endpoint devices they use
- How to identify dependencies and transactions among DAAS elements, users, other business systems, and external services
- How to map data flows
- How to validate and refine the understanding of the relative sensitivity and security maturity of the system
- Specific considerations for cloud, OT, and IoT devices
- Challenges of mapping transaction flows
- Benefits of mapping transaction flows
Download this Resource
Related Resources
Acknowledgements

Michael Roza
Risk, Audit, Control and Compliance Professional at EVC
Michael Roza
Risk, Audit, Control and Compliance Professional at EVC
Since 2012, Michael Roza has been a pivotal member of the Cloud Security Alliance (CSA) family. He has contributed to over 125 projects, as a Lead Author or Author/Contributor and many more as a Reviewer/Editor.
Michael's extensive contributions encompass critical areas including Artificial Intelligence, Zero Trust/Software Defined Perimeter, Internet of Things, Top Threats, Cloud Control Matrix, DevSecOps, and Key Management. H...

Vinotth Ramalingam
Cybersecurity Product Leader at Dell Technologies
Vinotth Ramalingam
Cybersecurity Product Leader at Dell Technologies

Erik Johnson
Cloud Security Specialist & Senior Research Analyst, CSA
Erik Johnson
Cloud Security Specialist & Senior Research Analyst, CSA
Worked for the Federal Reserve for many years and volunteered with the CSA with a focus on CCM/CAIQ V4, specifically the STA domain, and developing a comprehensive framework and guidance for defining and managing the cloud shared security responsibility model (SSRM).
I recently retired from the Federal Reserve and am now consulting with the CSA as a Senior Research Analyst with a focus on Zero Trust and Financial Services.
Linke...
Are you a research volunteer? Request to have your profile displayed on the website here.
Interested in helping develop research with CSA?
Related Certificates & Training

For those who want to learn from the industry's first benchmark for measuring Zero Trust skill sets, the CCZT includes foundational Zero Trust components released by CISA and NIST, innovative work in the Software-Defined Perimeter by CSA Research, and guidance from renowned Zero Trust experts such as John Kindervag, Founder of the Zero Trust philosophy.
Learn more
Learn more