Zero Trust Resource Hub

In most nations, the health of public services relies on secure and resilient Critical Infrastructure. We call these infrastructures "critical" because their destruction would have a drastic impact on the welfare of a nation. This publication promotes the implementation of Zero Trust principles for securing Critical Infrastructure. As an extensible and holistic enterprise security strategy, Zero Trust is the key for ensuring Critical Infrastructure protection. 

More specifically, this document delves into the nuanced application of Zero Trust for Operational Technology and Industrial Control Systems security strategies. First, it clarifies the foundational concepts of Zero Trust. Then, it provides a tailored roadmap for implementing these principles into Operational Technology and Industrial Control Systems settings. This roadmap employs a systematic five-step approach based on the NSTAC Report to the President on Zero Trust.

By leveraging this guidance, organizations will find a clear forward-looking path for continuous improvement of their security postures.

This joint guide will assist organizations in defining a baseline for event logging to mitigate malicious cyber threats. The increased prevalence of malicious actors employing living off the land (LOTL) techniques, such as living off the land binaries and fileless malware, highlights the importance of implementing and maintaining an effective event logging program.

 The authors encourage public and private sector senior information technology (IT) decision makers, operational technology (OT) operators, network administrators, network operators, and critical infrastructure organizations to review the best practices in the guide and implement recommended actions. These Zero Trust-aligned actions can help detect malicious activity, behavioral anomalies, and compromised networks, devices, or accounts.

For more information on LOTL techniques, see joint guidance Identifying and Mitigating Living Off the Land Techniques and CISA’s Secure by Design Alert Series. For more information and guidance on event logging and threat detection, see CISA’s Secure Cloud Business Applications (SCuBA) products, network traffic analysis tool Malcom, and Logging Made Easy.

US Executive Order (EO) 140281 requires federal agencies to implement zero trust. For the Department of Defense (DoD), zero trust requires designing a consolidated and more secure architecture without impeding operations or compromising security.  Zero trust supports the Federal Information Security Modernization Act of 2014 (FISMA), 2018 DoD Cyber Strategy, the 2019 DoD Digital Modernization Strategy, and the DoD Chief Information Officer’s (CIO) vision. The overlays are designed to accelerate implementation of zero trust within the department to better protect DOD networks.

The DoD Zero Trust Overlays are based on the DoD Zero Trust Reference Architecture and the DoD Zero Trust Capability Execution Roadmap. These documents describe the set of pillars, capabilities, enablers, and supporting activities and outcomes that underpin the Zero Trust Overlays.

Guidance from CISA, the FBI and partner organizations in Canada and New Zealand urges business owners of all sizes to move toward more robust security solutions—such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE)—that provide greater visibility of network activity. Additionally, this guidance helps organizations to better understand the vulnerabilities, threats, and practices associated with traditional remote access and VPN deployment, as well as the inherent business risk posed to an organization’s network by remote access misconfiguration. 

The US National Cyber Director provided this report to the President and Congress as required by law. This report assesses the cybersecurity posture of the United States, the effectiveness of national cyber policy and strategy and the status of the implementation of national cyber policy and strategy.

The report reveals significant strides in the Federal Government's cybersecurity efforts, particularly through implementing Zero Trust Architecture (ZTA) as required by 2021 Executive Order 14028 for Improving the Nation’s Cybersecurity.

This cybersecurity information sheet (CSI) provides recommendations for maturing data security and enforcing access to data at rest and in transit, ensuring that only those with authorization can access the data. It further discusses how these capabilities integrate into a comprehensive Zero Trust (ZT) framework. 

Recent events highlight that adversaries who are successful at gaining a foothold in information systems often readily gain unfettered access to all data in those systems. By applying the recommendations in the data pillar, including identifying risks to data, integrating granular data attributes into access control mechanisms, and monitoring data access and use, organizations will reduce the impact and consequences of breaches and identify suspect activity earlier in the cyber intrusion lifecycle.

Enterprise adoption of Zero Trust is broad and growing. How is a mature Zero Trust program achieved? The NSTAC Report to the President on Zero Trust and Trusted Identity Management outlines a five-step implementation process. 

This publication by the CSA Zero Trust Working Group provides guidance on iteratively executing the first step of the Zero Trust implementation process, “Defining the Protect Surface.” Defining the protect surface entails identifying, categorizing, and assessing an organization's data, applications, assets, and services (DAAS); business risk; and current security maturity. In this document, readers will find valuable guidance that starts their Zero Trust security journey on the right path.

The US NSA has published a Cybersecurity Information Sheet (CSI) that details curtailing adversarial lateral movement within an organization’s network to access sensitive data and critical systems. The CSI, entitled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar,” provides guidance on how to strengthen internal network control and contain network intrusions to a segmented portion of the network using Zero Trust principles.

The network and environment pillar–one of seven pillars that make up the Zero Trust framework–isolates critical resources from unauthorized access by defining network access, controlling network and data flows, segmenting applications and workloads, and using end-to-end encryption. The CSI outlines the key capabilities of the network and environment pillar, including data flow mapping, macro and micro segmentation, and software defined networking.

This joint NSA & CISA cybersecurity information sheet (CSI) makes recommendations for implementing Zero Trust (ZT) security principles in a cloud environment, which can differ from on-premises (on-prem) networks. While on-prem networks require specialized appliances to enable ZT, cloud technologies natively provide the necessary infrastructure and services for implementing these recommendations to varying degrees. This CSI focuses on best practices using features commonly available in cloud environments.

The US Department of Homeland Security (DHS) has been implementing zero trust mandates for years. DHS leadership established a Zero Trust Action Group, and later a Zero Trust Integrated Product Team, incorporating technical leadership from across the Department—and together, these teams have made impressive progress.

This strategy establishes a shared vision that better protects resources, stabilizes cybersecurity budgets, and accelerates mission outcomes—all at the same time. This strategy will also allow the Department to pursue a shared zero trust vision while addressing shared challenges, including resource scarcity, legacy technology, and a nascent shared services environment.

This joint guidance for network defenders focuses on how to mitigate gaps and to detect and hunt for LOTL activity. The information in this guide is derived from a previously published joint advisory; incident response engagements undertaken by several of the authoring agencies; red team assessments by several of the authoring agencies using LOTL for undetected, persistent access; and collaborative efforts with industry.

The authoring agencies have observed cyber threat actors, including the People’s Republic of China (PRC) and Russian Federation state-sponsored actors, leveraging LOTL techniques to compromise and maintain persistent access to critical infrastructure organizations. The authoring agencies are releasing this joint guide for network defenders (including threat hunters) as the malicious use of LOTL techniques is increasingly emerging in the broader cyber threat environment.

Cyber threat actors leveraging LOTL abuse native tools and processes on systems. They use LOTL in multiple IT environments, including on-premises, cloud, hybrid, Windows, Linux, and macOS environments. LOTL enables cyber threat actors to conduct their operations discreetly as they can camouflage activity with typical system and network behavior, potentially circumventing basic endpoint security capabilities. This is where a Zero Trust strategy can help.

The Zero Trust playbook series guides you with specific role-by-role actionable information for planning, executing, and operating Zero Trust from the boardroom to technical reality. It provides simple, clear, and actionable guidance that fully answers your questions on Zero Trust using current threats, real-world implementation experiences, and open global standards. This first book in the series helps you understand what Zero Trust is, why it’s important for you, and what success looks like.

The Zero Trust model is quickly rising as the favored strategy to protect important assets. CSA’s Virtual Zero Trust Summit delivers knowledge needed to understand the core concepts of Zero Trust. Featuring prominent industry leaders such as John Kindervag, the founder of Zero Trust philosophy, the Summit will provide critical insights, tools, and best practices to develop and implement a Zero Trust strategy. With Zero Trust established as the future of information security, taking a Zero Trust based approach will inevitably become a requirement for organizations and a required skill for professionals. View the summit recordings to expand your Zero Trust knowledge and gain the necessary skills you need to implement the robust security measures required.  Click the link to access the session recordings. 

Most security teams are moving toward the Zero Trust framework - widely accepted as the new standard in security – but it’s about more than just the right technology. Learn how to implement a comprehensive, ongoing approach to security in the e-book The Innovator’s Guide to Zero Trust Security.

This NSA cybersecurity information sheet (CSI) provides guidance to enable organizations to assess devices in their systems and be better poised to respond to risks to critical resources. The device pillar is a key component of the Zero Trust security framework. It ensures devices within or attempting to connect to resources in an environment are located, enumerated, authenticated, and assessed. The document provides recommendations for ensuring all devices meet an organization’s access criteria and security policies before they are authorized.  Recommendations to increase maturity levels of Zero Trust device pillar capabilities include device identification, inventory, and authentication, device authorization using real time inspection, and remote access protection.

Matching Google Cloud services with NIST 800-207

This guide is intended to provide readers with an understanding of the following: 

Implementing zero trust is not something that can be done overnight, in a silo, with a sole vendor, or by one team. A successful journey is driven by significant amounts of detailed planning, cross-business unit collaboration, organizational buy-in, and stakeholder support; all accompanied by the right selection of vendors and capabilities. The end state of this journey is a paradigm shift that will fundamentally alter current approaches to securing an enterprise, as achieving zero trust impacts every user, device, workload, data source, asset, and service within an organization.

This updated Snapshot document is intended to make public the direction and thinking about the path we are taking in the development of the Zero Trust Commandments Standard. This document is intended for executive leaders in business, security, and IT. The Commandments in this document originate from the principles contained in The Open Group White Paper: Zero Trust Core Principles. The Commandments are presented first together on a single page and then separately, each on its own page, with further detail.

Zero Trust is a major industry trend that is being adopted and promoted by security teams within many organizations around the globe, and for good reasons: it delivers improved security and can also reduce cost and improve business efficiency and agility. However, Zero Trust is also an industry buzzword that can be confusing and is often misunderstood by many, particularly non-technical and non-security people. Business leaders and non-security professionals are key stakeholders, budget holders, and gatekeepers in any enterprise’s journey to Zero Trust that can make the difference between successful and failed Zero Trust initiatives. This is because, fundamentally, adopting Zero Trust as an organizational strategy requires change, support, and investment of significant time, effort, and money across the enterprise. Therefore, security teams need to be able to communicate the value of Zero Trust to non-technical or non-security audiences, all the way up to the Board of Directors. We believe that the infosec industry has not sufficiently enabled security practitioners to clearly, succinctly, and directly communicate the business value that a Zero Trust strategy can bring. The goal of this CSA guidance is to fill that gap. 

Identity and the ability to consume attributes and Zero Trust (ZT) signals across pillars is a key principle of zero trust architecture. ZT aims to reduce the success of cyber-attacks and data breaches using risk-based access requirements, including phishing resistant MFA and robust, fine grained, least privilege authorization.

ZT implements controls closer to the asset being protected (the protect surface). From an IAM perspective this increases the richness of the risk-based access control decision and avoids granting access based on binary trust of a single parameter.

This document provides a clear understanding of what Zero Trust security is and the guiding principles that any organization can leverage when planning, implementing, and operating Zero Trust. These best practices remain consistent across all Zero Trust pillars, use cases, environments, and products. As expertise and industry knowledge mature, additional authoritative references such as guidance, policies, and legislation may be added.

The need for board members to understand cyber risks has never been greater. This guide helps directors determine the maturity and cyber readiness of an organization. It offers seven clear steps for overseeing cyber issues and explains how zero trust architectures provide excellent risk mitigation.

A series of six half-hour recorded panel presentations about identity as it relates to both Cloud and Zero Trust: Understanding Identity (2 parts), Identity Challenges, Extending Identity into the Cloud, Leveraging identity for Zero Trust, Future challenges and pitfalls with Identity. Hosted on YouTube.

The objective of this publication is to provide guidance for realizing an architecture that can enforce granular application-level policies while meeting the runtime requirements of ZTA for multi-cloud and hybrid environments.

NIST Special Publication 800-207 lays out a comprehensive set of zero trust principles and referenced zero trust architectures (ZTA) for turning ZT concepts into reality. A key paradigm shift in ZTAs is the change in focus from security controls based on segmentation and isolation using network parameters (e.g., Internet Protocol (IP) addresses, subnets, perimeter) to identities. From an application security point of view, this requires authentication and authorization policies based on application and service identities in addition to the underlying network parameters and user identities. 

Acuity's Danny Toler and Sara Mosley (both former federal cyber leaders  who actively contributed to the development of the Zero Trust Maturity Model) recently completed a report that highlights the recent changes to CISA's Zero Trust Maturity Model - now V2.0. The report provides concrete advice for cybersecurity staff who are charting the transition to a Zero Trust architecture.

This book by Jason Garbis provides clear guidance on how to successfully get started with a Zero Trust initiative.  Zero Trust is a security strategy, and by definition is broad in scope and impact. As such, it can be overwhelming for security practitioners and enterprises. This book helps readers communicate Zero Trust's value, identify and eliminate barriers to success, and determine appropriate on-ramps for initial Zero Trust projects.