Zero Trust Resource Hub

The Zero Trust model is quickly rising as the favored strategy to protect important assets. CSA’s Virtual Zero Trust Summit delivers knowledge needed to understand the core concepts of Zero Trust. Featuring prominent industry leaders such as John Kindervag, the founder of Zero Trust philosophy, the Summit will provide critical insights, tools, and best practices to develop and implement a Zero Trust strategy. With Zero Trust established as the future of information security, taking a Zero Trust based approach will inevitably become a requirement for organizations and a required skill for professionals. View the summit recordings to expand your Zero Trust knowledge and gain the necessary skills you need to implement the robust security measures required.  Click the link to access the session recordings. 

Most security teams are moving toward the Zero Trust framework - widely accepted as the new standard in security – but it’s about more than just the right technology. Learn how to implement a comprehensive, ongoing approach to security in the e-book The Innovator’s Guide to Zero Trust Security.

This NSA cybersecurity information sheet (CSI) provides guidance to enable organizations to assess devices in their systems and be better poised to respond to risks to critical resources. The device pillar is a key component of the Zero Trust security framework. It ensures devices within or attempting to connect to resources in an environment are located, enumerated, authenticated, and assessed. The document provides recommendations for ensuring all devices meet an organization’s access criteria and security policies before they are authorized.  Recommendations to increase maturity levels of Zero Trust device pillar capabilities include device identification, inventory, and authentication, device authorization using real time inspection, and remote access protection.

Matching Google Cloud services with NIST 800-207

This guide is intended to provide readers with an understanding of the following: 

Implementing zero trust is not something that can be done overnight, in a silo, with a sole vendor, or by one team. A successful journey is driven by significant amounts of detailed planning, cross-business unit collaboration, organizational buy-in, and stakeholder support; all accompanied by the right selection of vendors and capabilities. The end state of this journey is a paradigm shift that will fundamentally alter current approaches to securing an enterprise, as achieving zero trust impacts every user, device, workload, data source, asset, and service within an organization.

This updated Snapshot document is intended to make public the direction and thinking about the path we are taking in the development of the Zero Trust Commandments Standard. This document is intended for executive leaders in business, security, and IT. The Commandments in this document originate from the principles contained in The Open Group White Paper: Zero Trust Core Principles. The Commandments are presented first together on a single page and then separately, each on its own page, with further detail.

Zero Trust is a major industry trend that is being adopted and promoted by security teams within many organizations around the globe, and for good reasons: it delivers improved security and can also reduce cost and improve business efficiency and agility. However, Zero Trust is also an industry buzzword that can be confusing and is often misunderstood by many, particularly non-technical and non-security people. Business leaders and non-security professionals are key stakeholders, budget holders, and gatekeepers in any enterprise’s journey to Zero Trust that can make the difference between successful and failed Zero Trust initiatives. This is because, fundamentally, adopting Zero Trust as an organizational strategy requires change, support, and investment of significant time, effort, and money across the enterprise. Therefore, security teams need to be able to communicate the value of Zero Trust to non-technical or non-security audiences, all the way up to the Board of Directors. We believe that the infosec industry has not sufficiently enabled security practitioners to clearly, succinctly, and directly communicate the business value that a Zero Trust strategy can bring. The goal of this CSA guidance is to fill that gap. 

Identity and the ability to consume attributes and Zero Trust (ZT) signals across pillars is a key principle of zero trust architecture. ZT aims to reduce the success of cyber-attacks and data breaches using risk-based access requirements, including phishing resistant MFA and robust, fine grained, least privilege authorization.

ZT implements controls closer to the asset being protected (the protect surface). From an IAM perspective this increases the richness of the risk-based access control decision and avoids granting access based on binary trust of a single parameter.

This document provides a clear understanding of what Zero Trust security is and the guiding principles that any organization can leverage when planning, implementing, and operating Zero Trust. These best practices remain consistent across all Zero Trust pillars, use cases, environments, and products. As expertise and industry knowledge mature, additional authoritative references such as guidance, policies, and legislation may be added.

The need for board members to understand cyber risks has never been greater. This guide helps directors determine the maturity and cyber readiness of an organization. It offers seven clear steps for overseeing cyber issues and explains how zero trust architectures provide excellent risk mitigation.

A series of six half-hour recorded panel presentations about identity as it relates to both Cloud and Zero Trust: Understanding Identity (2 parts), Identity Challenges, Extending Identity into the Cloud, Leveraging identity for Zero Trust, Future challenges and pitfalls with Identity. Hosted on YouTube.

This document provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements. OT encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. The document provides an overview of OT and typical system topologies, identifies common threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

The objective of this publication is to provide guidance for realizing an architecture that can enforce granular application-level policies while meeting the runtime requirements of ZTA for multi-cloud and hybrid environments.

NIST Special Publication 800-207 lays out a comprehensive set of zero trust principles and referenced zero trust architectures (ZTA) for turning ZT concepts into reality. A key paradigm shift in ZTAs is the change in focus from security controls based on segmentation and isolation using network parameters (e.g., Internet Protocol (IP) addresses, subnets, perimeter) to identities. From an application security point of view, this requires authentication and authorization policies based on application and service identities in addition to the underlying network parameters and user identities. 

Acuity's Danny Toler and Sara Mosley (both former federal cyber leaders  who actively contributed to the development of the Zero Trust Maturity Model) recently completed a report that highlights the recent changes to CISA's Zero Trust Maturity Model - now V2.0. The report provides concrete advice for cybersecurity staff who are charting the transition to a Zero Trust architecture.

This book by Jason Garbis provides clear guidance on how to successfully get started with a Zero Trust initiative.  Zero Trust is a security strategy, and by definition is broad in scope and impact. As such, it can be overwhelming for security practitioners and enterprises. This book helps readers communicate Zero Trust's value, identify and eliminate barriers to success, and determine appropriate on-ramps for initial Zero Trust projects. 

This document introduces Zero Trust to Business, Security, and IT leaders. It described the drivers for Zero Trust, their implications, and the role of Zero Trust. In the Digital Age, the necessary seamless flow of data across myriad networks, applications, storages, and other resources introduces the dilemma that it is no longer feasible, or even possible, to consider all elements of the service topology as “trusted”. 

In 2005 the Jericho Forum and the OpenGroup did some foundational work for Zero Trust on the failure of the perimeter security model and the need for de-perimeterization, which is the inspiration for the Open Group's Zero Trust Commandments.

Recorded presentation communicating the business value of Zero Trust to the CSA ZT workgroup by Yves Le Gelard, former EVP, Chief Digital Officer and Group CIO at ENGIE SA, a 70B revenue global energy company. Yves led the transformation journey at scale for network, security and cloud applications to reduce risk and improve quality of user experience. Yves speaks to many executives on how to get buy-in for zero trust, lessons learned from the journey and his experience on M&A as it relates to cyber risk.

Prior to his role at ENGIE, Yves served as Senior Vice President, Services EMEA at SAP and as Executive Vice President at Fujitsu America Inc. He is also a board member of Cigref which gathers the Group CIOs of the largest French companies.  Arranged by Zscaler. 

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an updated Zero Trust Maturity Model (ZTMM) to help organizations assess and improve their Zero Trust security posture. Zero Trust is built off the assumption that all users, devices, and network traffic are potentially malicious and requires continuous verification and authentication. CISA’s ZTMM provides an approach to achieve continued modernization efforts related to zero trust within a rapidly evolving environment and technology landscape. This blog post summarizes key maturity model concepts.

CISA recently released version 2 of their Zero Trust Maturity Model. There is a lot of interest across the public and private sectors to understand the differences and motivations behind V2.

CSA Zero Trust and Industry Insights Blog Post by John Kindervag that compares and contrasts the new version of the CISA Zero Trust Maturity Model and the 2017 Forrester Maturity model that he developed in 2016 while working for Forrester. 

CISA’s ZTMM is a roadmap that organizations can reference as they implement a zero trust architecture. It aims to assist organizations in the development of ZT strategies and implementation plans. It includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the maturity model provides specific examples of traditional, initial, advanced, and optimal zero trust architectures. It is a foundational CSA ZT research source document.

Greg Simpson is the former CTO of Synchrony Financial and the former CTO of GE. At both companies, Greg oversaw his team going through a security transformation and infrastructure modernization. Greg will join us to discuss his experience going through a digital transformation with zero trust and what lessons learned he has from the journey. Greg will also discuss what tactics you can leverage throughout your zero trust journey to get buy-in and support, building a digital company, and how you influence internally to sell the value of Zero Trust.

NSA is providing recommendations for Maturing Identity, Credential, and Access Management in Zero Trust to help system operators’ mature identity, credential, and access management (ICAM) capabilities to better mitigate cyber threats.

Cybersecurity incidents are on the rise due to immature ICAM capabilities of many mission critical systems. Adoption of a Zero Trust cybersecurity framework is part of the US National Cybersecurity Strategy and is directed by presidential Executive Orders. The Zero Trust model limits access to only what is needed and assumes that a breach is inevitable or has already occurred. 

John Kindervag, Senior Vice President, Cybersecurity Strategy

ON2IT Group Fellow and Founder of Zero Trust

provides an informational session for the ZT WG on the On2IT managed service Zero Trust implementation methodology. 

Seven Questions Every CXO Must Ask About Zero Trust is a practical leadership guide for driving secure digital transformation. It helps executives identify Zero Trust use cases, deploy secure architecture, and learn to overcome organizational resistance to change. Insights by experts, for experts.