Zero Trust Resource Hub

The latest in guidance, architectures, and more from industry leaders.

With the help of cybersecurity organizations and experts, this online center showcases the most important, curated Zero Trust publications and resources in the industry.

Browse Resources

Neutral Solution Provider

A resource is classified as vendor neutral when it does not pertain to any particular vendor product or service.

Single Solution Provider

A resource is classified as vendor-specific when it refers or pertains specifically to one vendor's product or service.

Multiple Solution Provider

A resource is classified as multi-vendor or multi-provider when it is developed by multiple vendors and refers specifically to their products or services.


Note: A BrightTALK login/self-registration is required to view this document. In this webinar, Cloud Security Alliance’s John Yeoh highlights the evolution of Zero Trust, the goals of the ZTAC initiatives, and the components that make it the most trusted source on Zero Trust today.

View

Release date: 05/26/2022
Recordings
Neutral
Cloud Security Alliance

Software-Defined Perimeter (SDP) architecture has become important given the shift toward the cloud and the ever-heightened threat landscape. This specification from CSA’s SDP and Zero Trust Working Group covers the architectural components and basic security communications protocol for SDP. It updates SDP Specification v1.0, published in April 2014.

View

Release date: 05/10/2022
Architecture
Neutral
Cloud Security Alliance

The advent of Zero Trust should be regarded as an opportunity to better align IT with an organization’s business strategy. The whole purpose of modern networked computing is to facilitate collaboration, both with others that are part of the organization and, more importantly, with entities that are not part of the organization, whether on the intranet, via the Internet, or as part of an outsourced service. Implementing Zero Trust is not about buzzwords (especially when communicating to the C-level); it’s about organizational and cultural transformation.

View

Release date: 04/19/2022
Recordings
Neutral
Cloud Security Alliance

The Security Service Edge (SSE) is Gartner’s specification of policy decision and enforcement as components of the Secure Access Service Edge (SASE) framework. There are seven pitfalls to avoid on the enterprise digital transformation journey to SSE. Avoiding these missteps will allow IT leaders to select the right set of services, architecture, and functions to deliver on the SSE value proposition.

View

Release date: 03/08/2022
Books
Single
Zscaler

The Security Service Edge (SSE) promises consolidated, simplified, cloud-delivered security and connectivity. There are seven pitfalls to avoid on the enterprise digital transformation journey to SSE. Avoiding these missteps will allow IT leaders to select the right set of services, architecture, and functions to deliver on the SSE value proposition. This journey should be a path away from the “old ways of working,” such as anchoring to networks or allowing blanket access to services, which limit the ability to transform and meet the needs of the business.

View

Mobile devices are being used to access and modify sensitive data, requiring greater security on those devices. The 2021 “Executive Order on Improving the Nation’s Cybersecurity” requires agencies to explore advanced zero trust architectures, of which mobility is an integral part. The CISA document Applying Zero Trust Principles to Enterprise Mobility helps organizations mature their approaches to mobile security.

View

Release date: 03/01/2022
Guidance
Neutral
US DHS/CISA

The US President’s National Security Telecommunications Advisory Committee (NSTAC) report focuses on Zero Trust and Trusted Identity Management. Zero trust is a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted. It assumes that a compromise has already occurred or will occur, and therefore, a user should not be granted access to sensitive information by a single verification done at the enterprise perimeter. Instead, each user, device, application, and transaction must be continually verified. 

It is a key CSA ZT research source document.



View

Release date: 02/23/2022
Reports
Neutral
US DHS/CISA NSTAC

This is the keynote address from the founder of Zero Trust. It provides a good high-level overview of Zero Trust architecture principles, strategy, and a five-step implementation methodology.   

View

Release date: 02/16/2022
Recordings
Neutral
ON2IT

Zero Trust solutions are critical to meeting the mandates in President Biden’s Executive Order on Improving the Nation’s Cybersecurity. The implications of a diverse solutions landscape and challenges to deliver a Zero Trust Architecture (ZTA) are explored in this paper. 

View

Release date: 10/27/2021
Architecture
Neutral
CSA-DC Chapter

Directional executive order from the White House for improving the US cybersecurity posture. The press release for the EO can be found here.   

This document is being provided by Cloud Security Alliance. 

View

Zero Trust Security uniquely covers the breadth of enterprise security and IT architectures, providing substantive architectural guidance and technical analysis with the goal of accelerating your organization’s journey to Zero Trust.

View

Release date: 02/27/2021
Books
Neutral
Jason Garbis & Jerry Chapman

The US Department of Defense ZT Reference Architecture is a key CSA ZT source document that describes ZT standards and capabilities. ZT is a security strategy and framework that embeds security throughout the architecture to prevent unauthorized access. It provides zones for visibility and positions mechanisms throughout the architecture to secure, manage and monitor every device, user, application, and transaction. 

A foundational tenet of ZT is that no internal or external actor, system, network, or service is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in how we secure infrastructure, networks, and data.

View

Release date: 02/24/2021
Architecture
Neutral
US DoD CIO

NSA cybersecurity guidance explains the Zero Trust security model and its benefits, as well as challenges for implementation. It discusses the importance of building a detailed strategy, dedicating the necessary resources, maturing the implementation, and fully committing to the Zero Trust model to achieve the desired results. The following recommendations will assist cybersecurity leaders, enterprise network owners, and administrators who are considering embracing this modern cybersecurity model.

View

Release date: 02/01/2021
Guidance
Neutral
US National Security Agency

This report addresses the technical, social, policy, and regulatory issues associated with creating trust frameworks in a Zero Trust world. Industry and government are called to solve issues in ways that continue to protect the right to user privacy. 

View

Release date: 01/26/2021
Guidance
Neutral
CSA-DC Chapter

The US National Institute of Standards and Technology (NIST) Zero Trust Architecture (ZTA) document describes ZT for enterprise security architects. It is meant to aid understanding of ZTA and provide an enterprise implementation roadmap for zero trust security concepts. Cybersecurity managers and network administrators may also gain ZTA insight from it. It is not intended to be a single deployment plan for ZTA, as enterprises will have unique business use cases and data assets to safeguard. Starting with a solid understanding of the organization’s business and data will result in a strong approach to zero trust.

View

Release date: 08/10/2020
Architecture
Neutral
NIST

Zero Trust using Software-Defined Perimeter principles allows organizations to defend against new variations of old attack methods in perimeter-centric networking models. This paper will show how SDP can be used to implement ZTNs and why SDP is applied to network connectivity.

View

Release date: 05/27/2020
Guidance
Neutral
Cloud Security Alliance

The CSA Software Defined Perimeter (SDP) Architecture Guide is designed to leverage proven, standards-based components to stop network attacks against application infrastructure. The architecture guide will help increase awareness and adoption of SDP and ZT, improve understanding of how SDP can be used in different environments, and help enterprises successfully deploy SDP solutions and ZT architecture recommendations. 

View

Release date: 05/07/2019
Architecture
Neutral
English
Cloud Security Alliance

The US Department of Defense Acquisition University's Cybersecurity Channel includes recordings of the entire 4/4-5/23 DoD ZT Symposium that the DoD hosted virtually in collaboration with the CSA and MIT Lincoln Labs. John Kindervag's session is on Day 1 and CSA CTO and Industry Panel sessions are on Day 2.

View

Release date: 04/21/1900
Recordings
Neutral
DoD Defense Acquisition University (DAU)

This guidance is aimed at those implementing a zero trust architecture in an enterprise environment - this includes public and private sectors.

The principles within this guidance will help you design and review a zero trust architecture that meets your organization's individual requirements.

There are many vendors and open source offerings providing zero trust based services. These principles will help you select which combination of services can best support your journey to zero trust.

View

Release date: 04/21/1900
Architecture
Neutral
United Kingdom National Cybersecurity Center