CSA’s New Zero Trust Training and Why It's Needed
Blog Article Published: 10/10/2022
Zero Trust has possibly been the most mentioned concept in the cybersecurity arena over the last 12 months. For some, it is a revolutionary approach. For others, it is an evolution of a series of trends already ongoing for over a decade. Finally, there are people who consider it just a buzzword and new marketing stratagem to sell products.
Personally, I’m in the field of those who believe that it is a fantastic marketing locution that has the merit of summarizing under a coherent framework an evolutionary approach to cybersecurity. This approach aims to revisit the classical logic of security and push toward the idea of embedding security from the inside out.
In other terms: In my opinion, John Kindervag has the merit to bring under a coherent framework a few common sense approaches to modern cybersecurity (e.g., critical-assets-centric protection, least privilege, segregation of duties, context-based access policies, evidence-based trust, etc.) and give this framework a catchy name.
No matter which camp you are in, I think it is undeniable that there is a lot of confusion in the industry, and there are a lot of organizations that need support and guidance in their Zero Trust journey. Now, the choice of the word ‘journey’ is not casual, since Zero Trust is not a stand-alone project, but is a group expedition toward a moving target, with no final destination. The ultimate goal is a self-improving organization.
During this group journey, different skills and expertise are going to be required. The organization needs leaders to build a Zero Trust strategy, governance, and risk posture; data and assets owners to record and classify assets and define the right policies; infrastructure and network architects to define the IT and service structure; identity experts to design and improve IAM approaches; developers to build the right logic, orchestrations, and controls into the development pipelines, applications, and API; security experts to protect devices and built and automate controls; data analysts to make good use of the data/telemetry sources; etc.
In some cases, the necessary skills and expertise are already there; after all, we already see examples of cloud-native and Zero Trust-native companies. In other cases (possibly the majority), new knowledge would need to be acquired.
What CSA is Doing
CSA has made Zero Trust one of its strategic goals for the upcoming years and in March, we launched a flagship initiative called the Zero Trust Advancement Center (ZTAC). In this context, we are going to create an educational program that will include a comprehensive Zero Trust training curriculum and professional certificate. The training curriculum has the ambition to cover all the critical areas of the Zero Trust philosophy. It is structured in eight areas of knowledge:
- Zero Trust Strategy and Governance, Risk, and Compliance
- Zero Trust Architecture
- Zero Trust Planning and Implementation
- Visibility, Analytics, and Monitoring
- Data, Assets, Applications, and Services (DAAS)
- Device Security
- Applications and Workloads
In the upcoming weeks, we’ll start releasing the initial modules of our training. We’ll start with an Introduction to Zero Trust Architecture, followed by a series of three modules on Software-Defined Perimeter (SDP).
The fact that CSA has focused its initial effort on the networking component of Zero Trust doesn’t mean that we consider that a priority. We do recognize though, that ‘network’ seems to be the most mature area within the Zero Trust pillars and the one where the most literature and best practices have been created. Anecdotally, CSA initiated its Zero Trust research in 2013 with the SDP Working Group.
Expect additional modules on Zero Trust Planning and Implementation to be released at the beginning of 2023.
Trending This Week
#1 Cloud Network Virtualization Benefits of SDN over VLAN
#2 Simple but Effective Tactics to Protect Your Website Against DDoS Attacks in 2021
#3 Understanding the OWASP API Security Top 10
#4 How to Choose a Zero Trust Architecture: SDP or Reverse Proxy
#5 3 Big Amazon S3 Vulnerabilities You May be Missing
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.