Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA's free and virtual Global AI Symposium, October 22-24, for cutting-edge insights on AI and cloud security. 

Modern Terms and Concepts for a Zero Trust Mindset

Home
Industry Insights
Modern Terms and Concepts for a Zero Trust Mindset

Blog Article Published: 07/26/2024

Written by John Yeoh, Global Vice President of Research, CSA.


When Zero Trust was first coined by John Kindervag in 2009, it challenged the “trust but verify” approach of traditional security models. At the time, Zero Trust required us to challenge the assumption that trust is implicit. Especially with the complex networks, systems, and services that we see in today’s vast digital supply chain, trust cannot be not assumed at any level. As digital and operational infrastructure has evolved, so have the concepts to implementing Zero Trust. The phrase Zero Trust characterizes that trust does not exist at all and, as Jeffrey Ritter would later point out, trust is a human emotion, while “digital trust” should be a rules-based decision.

As we continue to evolve the Zero Trust approach, let’s outline core concepts that help set up a modern Zero Trust mindset.


Protect Surface

Applying a Zero Trust strategy involves building a high level of confidence toward a valued asset. Traditionally, we use the terms “attack surface,” “critical assets,” and “crown jewels.” For Zero Trust, the term “protect surface” isn’t necessarily new but is used because it better represents the specific attack surface that applies to critical assets. The protect surface puts the focus more on the asset instead of an attacker that comes in many forms. This mentality allows us to minimize damage and limit the blast radius of attacks and penetrations. This is especially important in the cases of Shadow IT, Shadow Access, and zero day vulnerabilities.


Trust Boundaries

Trust boundaries are areas where traditional trust towards the protect surface is identified, whether implicit or explicit. In these areas, boundaries can be established and measured to be validated via least privilege, continuous verification, automation, and other core Zero Trust principles. The OSI model layers and current Zero Trust pillars support these trust boundaries. Trust boundaries shift the focus from implicit trust to continuous verification, ensuring that every boundary is authenticated, authorized, and protected.


Confidence With Validation

A modern Zero Trust approach eliminates the term “trust” altogether. In order to remove trust as a human emotion, trust should be a rule-based decision. Confidence is a term that can be validated or measured. Within “trust boundaries” or surrounding a “protect surface”, we want to find a means to measure the level of confidence protecting that asset or accessing that asset. In simple terms, low confidence is denied while high confidence is allowed.


In Conclusion

The Zero Trust approach is an ongoing journey that evolves with the threat landscape and technology advancements. The concepts of the “protect surface”, “trust boundaries”, and “confidence with validation” allow us to apply Zero Trust principles appropriately. By adopting these principles, organizations can build more resilient systems that evolve with technology.

To stay abreast of the latest terminology and engage in discussions with the top experts in the field, visit the Zero Trust Advancement Center and join CSA working groups and events. Involvement in these programs will provide further insights, provide practical knowledge, and keep you up to date with modern terms and concepts as you implement and refine your Zero Trust approach.

Together, we can work towards building a modern and resilient security framework that adapts to new challenges and protects our most critical assets.

Data SecurityRisk ManagementZero Trust

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Zero Trust Guiding Principles v1.1
Register for CSA's Global AI Symposium
CCZT: Now with Zero Trust Strategy
Trending This Week
#1 AI Deepfake Security Concerns
#2 AWS S3 Bucket Security: The Top CSPM Practices
#3 QR Codes, Audio Notes, and Voicemail - Clever Tricks Up a Phisher’s Sleeve
#4 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
#5 Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability
Secure your cloud data with Zero Trust Training
Related Articles:
An IT Veteran’s Guiding Principles for Successfully Implementing Zero Trust

Published: 09/09/2024

Responding to Cyberattacks—Creating a Successful Contingency Plan

Published: 09/09/2024

7 Most Commonly Asked PCI Compliance Questions

Published: 09/09/2024

Pioneering Transparency: Oklahoma’s Proposed Artificial Intelligence Bill of Rights

Published: 09/06/2024