
Zero Trust Resource Hub

The latest in guidance, architectures, and more from industry leaders.

With the help of cybersecurity organizations and experts, this online center showcases the most important, curated Zero Trust publications and resources in the industry.

Browse Resources

Neutral Solution Provider

A resource is classified as vendor neutral when it does not pertain to any particular vendor product or service.

Single Solution Provider

A resource is classified as vendor-specific when it refers or pertains specifically to a single vendor's product or service.

Multiple Solution Provider

A resource is classified as multi-vendor or multi-provider when it is developed by multiple vendors and refers specifically to their products or services.

Add Zero Trust content to the Resource Hub
Submit here

Recording of the customer Zero Trust Implementation Journey Presentation by Pam Kubiatowski to the CSA ZT workgroup about her global network transformation journey to advance the security posture of a multi-national organization. With more than 25 years of experience in the technology and healthcare industries, Pam specializes in networking, IT strategy, and business process improvement. 

Pam works for Zscaler but this is a vendor-neutral presentation.

View

Release date: 12/08/2022
Recordings
Neutral
Zscaler

Featuring a world-class program of speakers and panelists, CSA's Virtual Zero Trust Summit delivered critical insights into a variety of Zero Trust-focused topics on everything from improving corporate governance and compliance to the importance of demystifying Zero Trust for the C-suite. Click the link to access the session recordings. 

View

Release date: 11/18/2022
Recordings
Neutral
Cloud Security Alliance

Access to multiple cloud services, the geographic spread of enterprise Information Technology (IT) resources (including multiple data centers), and the emergence of microservices-based applications (as opposed to monolithic ones) have significantly altered the enterprise network landscape. This document is meant to provide guidance to this new enterprise network landscape from a secure operations perspective. Hence, it starts by examining the security limitations of current network access solutions to the enterprise network.

View

Zscaler Zero Trust Certified Architect (ZTCA), the industry’s first comprehensive zero trust certification, helps network and security professionals attest their expertise in establishing a holistic, layered security approach based on zero trust principles.

The ZTCA certification course offers practical guidance on how to deliver effective control and visibility across zero trust initiatives, as well as contrasting zero trust approaches with legacy architectures. Finally, it explores architectural constructs for real-world implementation, including the Zscaler Zero Trust Exchange™.


View

Release date: 11/14/2022
Architecture
Single
Zscaler

When implemented correctly, a Zero Trust architecture/strategy/approach to Information Technology, and the architecture that supports it, has the potential to provide a simpler, more secure, and more flexible environment for your organization to do business.

This paper takes both a vendor-neutral and technology-solution-neutral look at what Zero Trust means for your organization and provides recommendations to develop a strategy and the supporting architecture that supports the organization and its workflows; aligning IT to business goals and outcomes.



View

Release date: 11/14/2022
Reports
Neutral
Cloud Security Alliance

A list of vendor submissions organized according to Zero Trust categories outlined by type: Platforms, Networks, Users, Devices, Data, Workloads, Automation & Orchestration, Visibility & Analytics, MSSPs

Associated paper: The Forrester Zero Trust Extended (ZTX) Ecosystem (by Chase Cunningham) 

View

Release date: 11/01/2022
Websites
Multiple
The Demo Forum

The US DoD’s Zero Trust Strategy and Roadmap is intended to guide the DoD's incremental implementation of Zero Trust. Initial Target Level capabilities will establish a required minimum set of ZT capability outcomes and activities necessary to secure and protect DoD data, applications, assets, and services (DAAS) and manage risks from currently known threats. 

View

Release date: 10/21/2022
Guidance
Neutral
US DoD CIO

What does implementing Zero Trust mean for CISOs or other leadership roles in the enterprise? When approached with a Zero Trust project idea, what must leaders consider? What are the budgeting considerations involved in Zero Trust? What key features should you concern yourself with, and how does this fit into the overall scope to protect your business? How do you merge into Zero Trust with competing priorities? What are the risks from a leadership perspective when moving into a Zero Trust world? This presentation by Jim Reavis and John Kindervag will discuss and evaluate executive considerations for Zero Trust.

View

Release date: 10/12/2022
Recordings
Neutral
Cloud Security Alliance

This book delivers an insightful and practical discussion of Zero Trust implementation. Presented in the form of a fictional narrative involving a breach at a company, the book tracks the actions of the company's new IT Security Director.

It covers John Kindervag's 5-Step methodology for implementing Zero Trust, the four Zero Trust design principles, and how to limit the impact of a breach.

View

While the security framework has steadily gained traction over the past several years, Zero Trust adoption rates passed a critical threshold in 2022. More than half of the organizations surveyed (55%) have a Zero Trust initiative in place, and the vast majority (97%) plan to have one in the coming 12 to 18 months. 

In the report, discover:

  • Top Zero Trust insights for 2022
  • Factors driving today’s accelerated Zero Trust adoption
  • How Zero Trust adoption differs across industries and regions
  • Why identity is central to a Zero Trust security strategy
  • How security leaders advance their Zero Trust initiatives

View

Release date: 09/01/2022
Reports
Single
Okta

This book will help you and your organization have a better understanding of what Zero Trust really is, recognize its history, and gain prescriptive knowledge that will help you and your enterprise finally begin beating the adversaries in the chess match that is cyber security strategy. 

View

Release date: 08/31/2022
Books
Multiple
Taylor & Francis Group

This NSTAC report focuses on the convergence of IT/OT for government departments, agencies, and industrial or critical infrastructures. It aims to identify opportunities for the US government to aid in a secure convergence of OT cybersecurity in relevant stakeholder communities, including Zero Trust. 

The goal for this report is to provide strategic and actionable recommendations that the government should implement to further reduce risk and secure the nation's critical infrastructure. NSTAC also recognizes that the government alone cannot uniquely resolve all the challenges surrounding OT cybersecurity, and readers from all stakeholder groups will benefit from the additional findings, best practices, and general guidance contained in the appendices.

View

Release date: 08/23/2022
Reports
Neutral
CISA/National Security Telecommunications Advisory Committee (NSTAC)

Enterprise security leaders understand that building a Zero Trust Architecture is a necessary strategy, but ask: “How do I start this journey?” This paper recommends the NIST Zero Trust framework, outlines its key principles, and explains how CrowdStrike can get organizations started on a frictionless Zero Trust maturity journey.

View

Release date: 07/26/2022
Guidance
Single
CrowdStrike

Zero Trust is a powerful concept, but all the hype around it has led to numerous interpretations. Agreeing to a term set that defines the concept will greatly improve the ease with which we can then implement the Zero Trust strategy. Hence ON2IT has developed a Zero Trust dictionary as an authoritative lexicon with definitions and terminology defined by John Kindervag, the Creator of Zero Trust. 

View

Release date: 07/07/2022
Guidance
Neutral
ON2IT

Definitive U.S. General Services Administration guidance for federal government purchasing of Zero Trust solutions. 
This document is being provided by Cloud Security Alliance. 

View

Release date: 07/01/2022
Guidance
Neutral
US GSA

NIST National Cybersecurity Center of Excellence (NCCoE) ZT Implementation guidance addresses implementation challenges through industry and IT community collaboration. Guidance focuses on approach and architecture, with implementation guidance and demonstrations from technology vendors. 

The Zero Trust Fact Sheet provides an overview of the ZT Architecture (ZTA) implementation project. The SP 1800-35 volumes offer vendor solutions as examples of how to implement ZT, so they are not entirely vendor-neutral.

  1. Executive Summary
  2. Approach, Architecture, and Security Characteristics
  3. How-To Guides
  4. Functional Demonstrations

Volumes C & D are open for public comment until 9/9/22.

View

Release date: 07/01/2022
Guidance
Multiple
NIST NCCoE

Learn how Microsoft is implementing a Zero Trust security model to ensure a healthy and protected environment with the internet as the default network with strong identity, device health enforcement, and least privilege access. 

View

Release date: 06/10/2022
Guidance
Single
Microsoft

Report on the results of a CSA CISO survey. Areas covered include where Zero Trust falls as a priority in the organization, the percentage of those who have completed related implementations, top business challenges, and top technical challenges.  

View

Release date: 06/03/2022
Reports
Neutral
Cloud Security Alliance

Note: A BrightTALK login/self-registration is required to view this document. In this webinar, Cloud Security Alliance’s John Yeoh highlights the evolution of Zero Trust, the goals of the ZTAC initiatives, and the components that make it the most trusted source on Zero Trust today.

View

Release date: 05/26/2022
Recordings
Neutral
Cloud Security Alliance

Software-Defined Perimeter (SDP) architecture has become important given the shift toward the cloud and the ever-heightened threat landscape. This specification from CSA’s SDP and Zero Trust Working Group covers the architectural components and basic security communications protocol for SDP, updated from SDP Specification v1.0, published in April 2014.

View

Release date: 05/10/2022
Architecture
Neutral
Cloud Security Alliance

The advent of Zero Trust should be regarded as an opportunity to better align IT with an organization’s business strategy. The whole purpose of modern networked computing is to facilitate collaboration, both with others that are part of the organization and, more importantly, with entities that are not part of the organization, whether on the Intranet, via the Internet or as part of an outsourced service. Implementing Zero Trust is not about buzzwords (especially when communicating to the C-Level); it’s about organizational and cultural transformation.

View

Release date: 04/19/2022
Recordings
Neutral
Cloud Security Alliance

The Security Service Edge (SSE) is Gartner’s specification of policy decision and enforcement as components of the Secure Access Service Edge (SASE) framework. There are seven pitfalls to avoid on the enterprise digital transformation journey to SSE. Avoiding these missteps will allow IT leaders to select the right set of services, architecture, and functions to deliver on the SSE value proposition.

View

Release date: 03/08/2022
Books
Single
Zscaler

The Security Service Edge (SSE) promises consolidated, simplified, cloud-delivered security and connectivity. There are seven pitfalls to avoid on the enterprise digital transformation journey to SSE. Avoiding these missteps will allow IT leaders to select the right set of services, architecture, and functions to deliver on the SSE value proposition. This journey should be a path away from the “old ways of working,” such as anchoring to networks or allowing blanket access to services, which limit the ability to transform and meet the needs of business.

View

Mobile devices are being used to access and modify sensitive data, requiring greater security on those devices. The 2021 “Executive Order on Improving the Nation’s Cybersecurity” requires agencies to explore advanced zero trust architectures of which mobility is an integral part. The CISA document Applying Zero Trust Principles to Enterprise Mobility helps organizations mature their approaches to mobile security. 

View

Release date: 03/01/2022
Guidance
Neutral
US DHS/CISA

The US President’s National Security Telecommunications Advisory Committee (NSTAC) report focuses on Zero Trust and Trusted Identity Management. Zero trust is a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted. It assumes that a compromise has already occurred or will occur, and therefore, a user should not be granted access to sensitive information by a single verification done at the enterprise perimeter. Instead, each user, device, application, and transaction must be continually verified. 

It is a key CSA ZT research source document.



View

Release date: 02/23/2022
Reports
Neutral
US DHS/CISA NSTAC