0% found this document useful (0 votes)

18 views40 pages

Study Guide - Zero-Trust-Strategy

Uploaded by

mgarciatejada

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

18 views40 pages

Study Guide - Zero-Trust-Strategy

Uploaded by

mgarciatejada

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 40

The official location for SDP and Zero Trust Working Group is

https://cloudsecurityalliance.org/research/working-groups/zero-trust/

Disclaimer

Cloud Security Alliance designed and created this Zero Trust Training course study guide (the “Work”)
primarily as an educational resource for security and governance professionals. Cloud Security
Alliance makes no claim that use of any of the Work will assure a successful outcome. The Work
should not be considered inclusive of all proper information, procedures and tests or exclusive of
other information, procedures and tests that are reasonably directed to obtaining the same results.
In determining the propriety of any specific information, procedure or test, professionals should
apply their own professional judgment to the specific circumstances presented by the particular
systems or information technology environment.

Version Number: 20240314

© 2024 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational,
noncommercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.

© Copyright 2024, Cloud Security Alliance. All rights reserved. ii

About Cloud Security Alliance
The Cloud Security AllianceSM (CSA) (www.cloudsecurityalliance.org) is the world’s leading
organization dedicated to defining and raising awareness of best practices to help ensure a secure
cloud computing environment. Cloud Security Alliance harnesses the subject matter expertise of
industry practitioners, associations, governments, and its corporate and individual members to
offer cloud security-specific research, education, certification, events and products. Cloud Security
Alliance activities, knowledge and extensive network benefit the entire community impacted by
cloud—from providers and customers, to governments, entrepreneurs and the assurance industry—
and provide a forum through which diverse parties can work together to create and maintain a
trusted cloud ecosystem.

CSA Address

709 Dupont St.

Bellingham, WA 98225, USA
Phone: +1.360.746.2689
Fax: +1.206.832.3513

Contact us: [email protected]

Website: https://cloudsecurityalliance.org/
Zero Trust Training Page: https://knowledge.cloudsecurityalliance.org/page/zero-trust-training
Zero Trust Advancement Center: https://cloudsecurityalliance.org/zt/
Provide Feedback: [email protected]
CSA Circle Online Community: https://circle.cloudsecurityalliance.org/
Twitter: https://twitter.com/cloudsa
LinkedIn: www.linkedin.com/company/cloud/security/alliance
Facebook: www.facebook.com/csacloudfiles
CSA CloudBytes Channel: http://www.csacloudbytes.com/
CSA Research Channel: https://www.brighttalk.com/channel/16947/
CSA Youtube Channel: https://csaurl.org/youtube
CSA Blog: https://cloudsecurityalliance.org/blog/

© Copyright 2024, Cloud Security Alliance. All rights reserved. iii

Acknowledgments
Dedicated to Juanita Koilpillai, a pioneer in software-defined perimeters whose contributions to the
Zero Trust Architecture Training and CSA are immeasurable.

The Zero Trust Training was developed with the support of the Cloud Security Alliance Zero Trust
Training (ZTT) Expert Group, whose members include volunteers from a wide variety of industries
across the globe. Made up of subject matter experts with hands-on experience planning and
implementing ZTT, both as cloud service consumers and providers, the ZTT Expert Group includes
board members, the technical C-suite, as well as privacy, legal, internal audit, procurement, IT,
security and development teams. From cumulative stakeholder input, the ZTT Expert Group
established the value proposition, scope, learning objectives, and curriculum of the Zero Trust
Training.

To learn more about the Zero Trust Training and ways to get involved please visit: https://
cloudsecurityalliance.org/zt/

We would also like to thank our beta testers, who provided valuable feedback on the Zero Trust
Training.

© Copyright 2024, Cloud Security Alliance. All rights reserved. iv

Lead Developers:
Heinrich Smit, CISO & Risk Management, Semperis, USA
John Kindervag, Senior Vice President, Cybersecurity Strategy, ON2IT Cybersecurity
Michael Roza, Head of Risk, Audit, Control and Compliance
Paul Simmonds, Chief Executive Officer, Global Identity Foundation
Prasad T, Head - Information Security, Verse Innovation
Shruti Kulkarni, Cyber Security Architect & PhD Student, 6point6

Contributing Editors:
Jason Garbis, Founder and Principal, Numberline Security
Mark Schlicting, Information Security Architect, BPM
Richard Lee, Consultant/Principal, MITRE
Roland Kissoon, Senior Specialist - Cyber Security, Microsoft

Expert Reviewer:
Chase Cunningham, Speaker, Podcaster, Author, Dr. Zero Trust
Hannah Day, Principal Cloud Security Architect, Mayo Clinic
Jaye Tilson, Director of Strategy, Axis Security
Jonathan Flack, Principal Architect, Cloud & Security Architecture, Under contract to the Department
of the Air Force
Matt Lee, Senior Director of Security and Compliance Pax8
Dr. Matt Meersman, Principal CyberSecurity Engineer & PhD Student, MITRE
Dr. Ron Martin, Professor, Capitol Technology University

CSA Staff:
Adriano Sverko, Technical Writer, Cloud Security Alliance
Andy Ruth, Content Developer, Cloud Security Alliance
Anna Campbell Schorr, Training Program Manager, Cloud Security Alliance
Chandler Curran, Training Project Manager, Cloud Security Alliance
Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance
Erik Johnson, Senior Research Analyst, Cloud Security Alliance
Hannah Rock, Content Development Manager, Cloud Security Alliance
Judy Bagwell, Training Project Manager, Cloud Security Alliance
Stephen Smith, Senior Graphic Designer, Cloud Security Alliance

© Copyright 2024, Cloud Security Alliance. All rights reserved. v

Table of Contents
About Cloud Security Alliance�� iii
Acknowledgments�� iv
List of Figures�� viii
Course Intro�� 1
Course Structure�� 1
Course Learning Objectives�� 1
1 Levels of Strategy��2
1.1 Organizational Strategy - The Ultimate Goal��6
1.2 Cybersecurity Strategy - Zero Trust��6
1.2.1 Key Tenets of Zero Trust��6
1.2.2 Strategic Alignment & Operational Integration��7
1.3 IT Strategy & Technology��7
1.4 Tactics��8
1.5 Operations��9
2 Zero Trust Drivers & Buy-In�� 10
2.1 The Value of Zero Trust�� 10
2.2 Risk Management as a Driver�� 11
2.2.1 Board-Level Risk Management & Zero Trust Alignment�� 11
2.2.2 Evolving Threat & Risk Landscape�� 12
2.3 Create a Case for Zero Trust�� 12
2.4 Leadership Buy-In�� 12
3 Tactics for Zero Trust��14
3.1 Zero Trust Design Principles��14
3.1.1 Focus on Business Outcomes�� 15
3.1.2 Design from the Inside Out�� 15
3.1.3 Determine Who & What Needs Access�� 16
3.1.4 Inspect & Log Traffic�� 17
3.2 Zero Trust Maturity Model�� 18
3.2.1 Zero Trust Maturity Model in Practice�� 19
3.2.2 CISA-Based Maturity Model��20
3.3 The Five Steps for Zero Trust Implementation�� 21
3.3.1 Step 1: Define Your Protect Surface(s)�� 21
3.3.2 Step 2: Map & Prioritize the Transaction Flows�� 22

© Copyright 2024, Cloud Security Alliance. All rights reserved. vi

3.3.3 Step 3: Build a Zero Trust Architecture�� 23
3.3.4 Step 4: Create Zero Trust Policy��24
3.3.5 Step 5: Monitor & Maintain the Network��24
4 Zero Trust & Operations�� 25
4.1 Cultural & Organizational Shift��26
4.2 Training & Education��26
4.3 Regulatory & Compliance Shift��26
4.3.1 Regional Regulations�� 27
4.4 Legacy Systems & Infrastructure�� 27
4.5 Usability & Friction��28
4.5.1 User Experience��28
4.5.2 Site Reliability Engineering��28
4.5.2.1 Monitoring & Understanding System Compromises��28
4.5.2.2 Resource & Component Management��29
Conclusion��30
Glossary��30
Acronym List�� 31

© Copyright 2024, Cloud Security Alliance. All rights reserved. vii

List of Figures
Figure 1: Strategy Perspective of a Standard Org. Chart��2
Figure 2: Example of Roles and Responsibilities��3
Table 1: Org. Engagement Levels with Examples and ZT Considerations��5
Figure 3: Zero Trust Design Principles�� 15
Figure 4: Zero Trust From a People Perspective�� 16
Figure 5: CISA Zero Trust Maturity Model (ZTMM)�� 18
Figure 6: Zero Trust Maturity Journey�� 19
Figure 7: Zero Trust Maturity Model Worksheet��20
Figure 8: Zero Trust Learning Curve�� 22

© Copyright 2024, Cloud Security Alliance. All rights reserved. viii

Course Intro
This training assumes that learners are familiar with the introductory content of the Cloud Security
Alliance’s (CSA) Zero Trust Training: Introduction to Zero Trust Architecture. Additionally, we
recommend that students have at least a basic understanding of networks and network security.

This course presents an in-depth exploration of Zero Trust (ZT) from an organizational strategic
perspective; and it also delves into the foundational principles of ZT, its benefits, and the critical
factors driving organizational buy-in and strategic alignment.

This course comprises several units, each addressing a distinct, strategic ZT aspect:

• We focus on various levels of strategic engagement with ZT;

• We examine ZT’s value, drivers and business case;
• We move on to practical tactics for implementing ZT; and
• We cover the broad impact of a ZT strategy on operations, encompassing areas such as
cultural and organizational change, training and education, regulatory compliance, legacy
systems and infrastructure challenges, user experience, and adapting to the evolving threat
landscape.

Course Structure
• Unit 1: Levels of Strategy
• Unit 2: Zero Trust Drivers & Buy-In
• Unit 3: Tactics for Zero Trust
• Unit 4: Zero Trust & Operations

Course Learning Objectives

By the end of this course, you will be able to:

• Understand why ZT is a cybersecurity strategy;

• Understand the key principles and components of ZT strategy, and its relationship to the
organization;
• Identify how an organization’s business goals, and associated IT strategy can be supported with
ZT architecture;
• Understand the organization’s current state (Business and IT landscape, design architecture,
and more);
• Identify tactics and best practices for a ZT implementation; and
• Identify critical cultural, organizational and technical challenges for the implementation of a
ZT strategy.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 1

1 Levels of Strategy
Equipping cybersecurity experts with the skills and knowledge they need to successfully implement
Zero Trust (ZT) security solutions is a major goal of this course. To effectively implement a
ZT strategy, your approach must clearly support existing and new business goals, align with
organizational objectives, and secure executive sponsorship and resources. A strong understanding
of strategic concepts and an organization’s particular set of strategies is essential.

Figure 1: Strategy Perspective of a Standard Org. Chart

Though organizational structures vary widely, responsibilities for many roles are more constant, as
Figure 1: Strategy Perspective of a Standard Org. Chart, above, illustrates. Hence, since ZT is integral
to the cybersecurity footprint, and has a primary focus on technology, it must involve both the IT
director and the Chief Information Officer (CIO).

And that’s not all. A ZT strategy impacts how product teams develop, deliver and utilize IT products
in their line of business (LOB). Collaboration with LOBs is important: If you can foster clarity where
there is confusion, especially in the early planning phases, you can effectively convert concepts to
intent, and intent to action and results.

Configuration state is important for site reliability, and monitoring for breaches or attacks. Though
LOBs must focus on their own strategies and approaches to adding value, their cyber activity must
be operated and monitored. In the event of breach, tools and business data must be returned to a
known state, and preferably to the expected known state.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 2

Figure 2: Example of Roles and Responsibilities
Regardless of the actual terms used in your organization for each engagement level, if you can clarify
how each level influences and informs the others, you are a more effective ZT planner, architect
and implementer. We hope that structuring this course around engagement levels helps you better
organize and control your ZT-related projects.

One of the main goals in discussing strategic terms is to assist you in thinking and communicating
clearly and with authority. Clear, concise communication may drive projects to their milestones and
ultimate completion. The table below defines organizing engagement levels used in this course
(depending on your organization, actual levels may vary), as follows:

• Organization strategy (this encompasses the business goals and objectives);

• Cybersecurity strategy (usually a part of IT security strategy);
• Technology and IT strategy;
• Tactics; and
• Operations.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 3

Engagement
Short Definition Examples in Practice ZT Considerations1
Level

Organization A high-level plan Corporation: Seamless • Familiarize yourself with

Strategy that outlines an integration of the the organization’s common
organization’s organization’s third parties, metrics, such as revenue,
goals and enabling seamless and net income, margins, cost-
objectives. secure collaboration for related figures & cash flow.
outsourcers and joint • Gain insight from non-
venture partners. financial measurements,
such as regulatory
Departments: Gain support compliance, audit results
from decision-makers and more.
across departments. • Embed ZT principles into
the organization’s mission
statement and core values.
• Proactively identify and
mitigate security risks at the
organizational level.
• Establish a ZT culture that
prioritizes security and
privacy.

Cybersecurity How an Zero Trust: a security • Conduct regular ZT

Strategy organization framework that assumes security assessments and
protects its that no user or device penetration tests to identify
information can be trusted by default. and remediate security
and systems, It implements security vulnerabilities.
and responds controls to verify users
when there are and devices before they
cyberattacks. are granted access to
resources.

ZT strategy can help

organizations protect
themselves from
cyberattacks, even if
the attacker has already
gained access to your
environment.

1
Note: This is not an exhaustive list of ZT considerations, instead it is meant to serve as an example
to get students to begin thinking about the different strategic levels and how they relate to ZT.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 4

Technology & How an Assets: Take inventory, • Invest in new data centers
IT Strategy organization classify and categorize and cloud computing
uses technology all assets (e.g., identities, technologies.
and IT to achieve apps, networks, etc.). • Develop a scalable and
its business reliable cloud computing
objectives. Risk assessment: Conduct platform.
a thorough risk assessment • Use automation and
to help prioritize ZT efforts. DevOps to improve
efficiency and agility.
Compliance and
governance: Align with
existing compliance
requirements for
regulatory adherence
and to strengthen the
organization’s security
posture.

Tactics The things you Put ZT frameworks • Simplify user access and
use. These are into action: ZT Design assign clear management
the specific tools, principles, five steps for ZT responsibilities.
methods or implementation, Zero Trust • Deploy a micro-
actions employed Maturity Model (ZTMM). segmentation solution to
to execute isolate applications and data
strategy. Integrate with standard from each other.
business practices: Lean
manufacturing practices,
JIT inventory management,
continuous improvement
initiatives.

Operations The way you use Integrate user experience • Monitor the organization’s
them. Details of (UX) and site reliability network and systems for
how these tools engineering (SRE) in ZT suspicious activity.
and actions are adoption, focusing on • Respond to ZT security
successfully code-driven automation incidents in a timely and
employed in for enhanced operational effective manner.
practice to efficacy. • Provide ZT security
work towards awareness training to
the strategic employees.
objectives.

Table 1: Org. Engagement Levels with Examples and ZT Considerations

© Copyright 2024, Cloud Security Alliance. All rights reserved. 5

1.1 Organizational Strategy - The Ultimate Goal
Organizational strategy is the overarching, ultimate goal that guides an organization’s actions and
decisions. It represents the highest-level objective that an entity aims to achieve. We assume that
one of the key approaches that the board of directors and executive team have chosen to improve
their cybersecurity strategy is to leverage the principles of ZT.

1.2 Cybersecurity Strategy - Zero Trust

“Zero Trust2 is a cybersecurity strategy premised on the idea that no entity or asset is implicitly
trusted. It assumes that a breach has already occurred or will occur. Therefore, a user should not
be granted access to sensitive information by a single verification done at the enterprise perimeter.
Instead, each entity (user, device, application, etc.), and transaction must be continually verified.”3 At
the strategy level, ZT differs from traditional cybersecurity strategies by not assuming nor providing
any implicit or inherited trust in anything.

ZT can impact every person and process inside an organization, as well as the entire technology
stack. It should be treated as a holistic cybersecurity strategy that covers all enterprise technology
domains. This includes cloud and multi-cloud environments, internal and external endpoints. The
strategy also includes organizational and bring your own device (BYOD) scenarios, on-premises and
hybrid systems, as well as operational technology (OT) and internet of things (IoT).4

1.2.1 Key Tenets of Zero Trust

ZT is a set of principles and practices designed to reduce cyber risk in today’s dynamic IT
environments. As a cybersecurity strategy, ZT requires strict authentication and verification for
all entities (e.g., each person, device or service) trying to access an IT resource. It doesn’t matter
whether the access is inside or outside the physical network perimeter. ZT emphasizes the
protection of individual assets (systems and data) rather than network segments.

Guiding ZT principles, significance and value vary for each organization, depending on factors such
as location, industry and individual traits. The following is a list of some of the tenets that have been
discussed5:

2
As many organizations familiarize themselves with Zero Trust, they frequently discover a large
amount of misinformation that makes navigating difficult. Cloud Security Alliance’s Zero Trust
Advancement Center (ZTAC) cuts through the noise, focusing on solutions, not vendors, and
delivering trusted guidance that helps raise ZT strategy to the next level.
3
NSTAC. (2022). Report to the President on Zero Trust and Trusted Identity Management. Pg.1
4
Cloud Security Alliance (N.A) Zero Trust Implementation Primer - The Five Step Process (Draft). Pg. 6.
5
See Cloud Security Alliance course Introduction to Zero Trust Architecture for an in-depth review of
ZT tenets.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 6

• Never trust, always verify: trust no one, either inside or outside the network perimeter
(assuming you have one).
• Assume a hostile environment: Malicious actors reside both inside and outside of any
environment you manage.
• Presume breach: Operate with the assumption that an adversary already has a presence in
your environment. For example, by limiting the blast radius to contain the impact of a breach
to a smaller number of impacted devices and services.

1.2.2 Strategic Alignment & Operational Integration

ZT is a holistic endeavor and not just a tactical change. As such, it represents a strategic realignment
of the entire security posture. This realignment starts at the highest engagement with the
organizational strategic objective6. For some organizations, this may be synonymous with preventing
any breach. For others, it may not be a breach that is most important, but the resiliency in place to
limit the impact of it.

Furthermore, as the table that defines the different types of organizing levels mentioned (Table 1:
Engagement Levels with Examples and ZT Considerations), Zero Trust Architecture (ZTA) is not just
a technical recommendation, but also a cultural shift. The shift demands that security aligns closely
with business functions, acknowledging that different departments may have varied security needs.
There may be other organizational objectives. Regardless of the specific organizational strategic
objective, ZT should be seen as the guiding principle or the big idea at the strategy level. ZT should
be seen as directly contributing to the organizational strategy.

1.3 IT Strategy & Technology

In the context of ZTA, significant adjustments extend beyond technology and IT strategy. The
adjustments encompass a fundamental shift in mindset and organizational culture, embracing the
“never trust, always verify” principles. Adopting a never trust, always verify approach means that
access is continuously validated through rigorous security checks and authentication measures.
A necessary transformation in adopting ZT is proliferating and enhancing network segmentation.
Segmentation is the sub-dividing of the network environment into smaller, distinct segments to limit
access and contain breaches.

At the tactical level, implementing ZT involves specific actions. For example, strict access control on
a need-to-know basis and secure access to resources regardless of their location. These topics are
discussed in more detail in the tactics and operations sections. Such alignment ensures that security
enables business operations, rather than hindering them. It requires an architecture that allows
for flexibility, catering to different service level agreements (SLAs), administrative controls, audit
requirements, regulations and certifications.

IT strategy also encompasses user and entity behavior analytics (UEBA). Additionally, technology
strategy must integrate closely with governance, while rigorously controlling and monitoring access
to reduce risk. Cybersecurity goals, including ZT, should align with the organization’s overall strategy
and board-level roadmap, guiding various projects and technology strategies for the upcoming years.

6
In some organizations, this is also referred to as the “grand strategic objective.”

© Copyright 2024, Cloud Security Alliance. All rights reserved. 7

The operationalization of ZT is where ZT concepts become tangibly interwoven with the day-to-day
activities of the organization. This ensures that every aspect of the network is designed from the
inside out with a default perspective of verifying everything and trusting nothing. To make such a
perspective functional and practical requires consolidating technologies. IT also requires enhancing
security measures for critical assets, and applying specialized controls for legacy and critical
infrastructure systems.

ZT and technology strategies are closely connected to governance, risk management, and
every aspect of security, but it is important to clarify the role of each framework. Governance,
focusing on establishing and maintaining policies, standards and guidelines, plays a crucial role
in ZT implementations. The governance ensures that ZT practices not only adhere to regulatory
requirements but also align with the organization’s overall objectives. This relationship positions ZT
as a strategic element within the governance landscape. This lesson does not cover risk management
or compliance strategies because they are covered in other lessons.

1.4 Tactics
Tactics, within the context of a ZT strategy, are crucial for effectively addressing specific risks
and aligning security measures with organizational objectives. These tactics involve prioritizing
business goals, adopting an “inside out” security approach, and implementing the principle of least
privilege to control resource access. Metrics and reporting improvements are vital for assessing
ZT effectiveness. Monitoring and logging network traffic and identifying and protecting critical
data, applications, assets and services (DAAS) also plays a pivotal role in these tactics. Additionally,
transitioning to ZT requires a phased, risk-based approach that impacts tactics, such as precise policy
creation, prioritization, and iterative implementation.

Tactics are fundamental in ensuring a smooth transition to a ZTA and are focused on protecting
assets and resources efficiently. ZT policies, detailed access controls, monitoring network traffic, and
setting progress metrics contribute to the successful implementation of ZT principles. Organizations
can bolster their cybersecurity posture by adopting these tactics and gradually progress along a Zero
Trust Maturity Model (ZTMM)7, ultimately achieving improved security outcomes. Tactics and the
maturity model are covered in the tactics units.

NIST Zero Trust Architecture (SP 800-207)8 defines the tenets that are fundamental to a ZT
environment. As such, the tenets need to be considered before deploying policy enforcement points
(PEPs) and policy decision points (PDPs). To meet these foundational tenets, a dynamic policy must
drive the shift away from network access. The policies must motivate organizations to implement
measures that reduce the attack surface prone to lateral attacks, such as macro and micro-
segmentation.

Because all communications must be secured, regardless of location, a tactical assessment

is needed. Assessments can ensure adequate encryption has been used for each application,
regardless of destination; and access to resources is on a per-session basis.

7
CISA. (2023). Zero Trust Maturity Model (Version 2.0).
8
NIST. (2020). Zero Trust Architecture (SP 800-207).

© Copyright 2024, Cloud Security Alliance. All rights reserved. 8

The migration to a ZTA might take from a few months to several years, depending on the maturity
level of the organization (See Section Zero Trust Maturity Model) – the path differs for each
organization. As noted above, tactical plans are needed for the platform, the tools, the monitoring
and detail metrics must each be assessed for the journey.

1.5 Operations
Operations refers to the activities, processes and procedures involved in managing and maintaining
organizational infrastructure and IT infrastructure. This includes a range of tasks, aimed at ensuring
the effective and efficient functioning of all IT resources, such as hardware, software, networks and
data storage systems.

Embarking on a ZT journey involves cultural and organizational shifts, emphasizing a ZT culture

over technology, and securing leadership support for continuous risk management. Training and
education geared toward understanding the ZT paradigm is commonly necessary. This includes a
strategic appreciation of ZT that targets management, and several other initiatives that emphasize
transforming business processes and roles. Regulatory landscapes are also adapting to require
robust cybersecurity practices that align with ZT principles.

Achieving ZT success involves several important considerations in managing and executing day-to-
day operations. When a ZT strategy is implemented, the identity management process should be
automated, as should monitoring and detection. Day-to-day tasks people in the roles listed above
perform include:

• Organizing log data so that input logs from different sources can be looked at and analyzed
using the same tools and interfaces.
• Adjusting controls and fine tuning the automation regularly to make sure it checks the right
parameters according to policy rules.
• Monitoring to ensure that the automatic checks of logs catch any activities that don’t follow
the policy rule.

Ensuring cybersecurity solutions enhance rather than add friction to a user’s productivity and
overall experience is an important organizational goal that operational leaders must focus on and
defend. Operational processes, such as site reliability engineering (SRE), and a focus on automation
and scalable systems, can improve operational efficiency and promote a positive user experience.
Furthermore, operational procedures may need updates to align them with a new ZT framework,
ensuring that response strategies and daily activities align with ZT principles.

Challenges include integrating ZT with legacy systems, where a tailored approach is necessary.
Maintaining vigilance in monitoring the evolving threat landscape ensures ZT remains agile and
responsive. These concepts are expanded upon in a unit dedicated to ZT operations.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 9

2 Zero Trust Drivers & Buy-In
For an effective Zero Trust (ZT) implementation strategy, you must align the strategy with
organizational values and drivers. The central objective of this approach is to secure buy-in from
key stakeholders within the organization. The buy-in ensures that the ZT strategy is not only well-
conceived but also well-received and integrated within the organization.

Remember, ZT is a context and risk-based approach: access is granted according to specific

situations or conditions. Due to these characteristics, ideas that help deliver and implement ZT are
usually clearer and gain wider acceptance if you prepare use-case scenarios and provide contextual
applications to support them.

To get started in defining the desired state, you may wish to ask the following questions:

• Identifying Catalysts and Business Drivers:

• What are the primary catalysts driving the adoption of ZT in our organization?
• What are the key business drivers aligning with ZT implementation?
• Evaluating Security Posture and Data Access:
• How does our current security posture align with common attack vectors, especially in
the context of our ZT pillars?
• Is access to confidential and regulated data restricted to registered applications?
• Enhancing Security and Privacy Strategies:
• How can we develop a more efficient and effective security strategy under ZT principles?
• What role does privacy play in our overall security and risk management, and how can
we define our privacy objectives?
• Access Control and Authentication:
• Are all privileged accounts secured with FIDO2 or equivalent multi-factor authentication
(MFA), or are privileged access workstations (PAWs) necessary?
• Is MFA mandatory for all (people) identities in our environment?
• Device and Data Access Management:
• To what extent are personal (non-organization managed) devices allowed access to
organizational data?
• Competitive Advantage through Security:
• Can we gain a market advantage over competitors through a superior security and
privacy strategy?
• Compliance with ZT in Development:
• Are our development teams aligning software testing with ZT standards?

2.1 The Value of Zero Trust

ZT offers numerous potential benefits, including streamlined security and IT infrastructure
management, enhanced data protection, regulatory compliance, reduced compliance-related efforts,
increased organizational agility, stakeholder confidence, and lower IT and operational costs9. In other
words, the benefits go beyond the security domain. For these reasons, if positioned correctly, ZT has
the potential to be a business enabler rather than a hindrance to the organization or its managers. ZT
transforms IT and security, aligns business and security goals, and reduces siloed activities.
9
Cloud Security Alliance. (2023). Communicating the Business Value of Zero Trust.
© Copyright 2024, Cloud Security Alliance. All rights reserved. 10
Having established the benefits of ZT as a business enabler, the next step involves a tailored
approach. The tailored approach aims to integrate ZT into the organization’s unique culture, and
business and cybersecurity practices. Before embarking on your ZT journey, clearly define your
organization’s goals and challenges, gather relevant information, and align your strategy with
business needs. An organization must clearly define its strategy and governance, focusing on what
is relevant, what standard (if any) it commits aligning with, who is affected, when and where each
applies, and how it’s implemented. Be sure to also capture why a particular strategy or governance
policy is important. This exercise ensures that you can explain a new architecture, implement
according to related policies, and articulate how your effort seamlessly aligns with the organization’s
business model and rules.

ZT principles make it easier for IT teams and network infrastructure teams to enforce policies
consistently and accurately, enabling a more friction-free work environment. This is because
implementation of a Zero Trust Architecture (ZTA) requires moving the access enforcement points
closer to the protected asset.

2.2 Risk Management as a Driver

In a traditional legacy organization, the risk calculation is predominantly based on a binary trust. If
the entity is inside my network environment (or area of control) it is afforded a level of trust. If it’s not
on my network or in my area of control then it’s untrusted, and thus there is a need to provide extra
security measures, for example a virtual private network (VPN).

In the realm of ZT, the foundational principle is never trust, always verify. An organization shifts its
capabilities, such that it can continually assess and contextualize the risk or risks involved in granting
an entity access to an asset.

Remember, this assessment that leads to a decision is not just about having a static defense
mechanism in place. It is about creating a proactive, dynamic control plane that evolves with the
changing risk landscape. In a ZT environment, access is not only based on contextual factors, it is
also temporal. The access needs to adapt to new emerging threats, requiring a continuous review
of existing controls and emerging threats. The continuous review must ensure the organization can
function without friction from security controls while retaining sufficient protection. The emphasis
here is on maintaining consistent, measurable effectiveness.

2.2.1 Board-Level Risk Management & Zero Trust Alignment

Aligning a ZTA with an organization’s risk appetite is a strategic process, aiming to deliver security
solutions that support the board’s strategic vision.

The board plays a crucial role in organizational alignment, as they are responsible for setting and
defining the risk appetite, setting budgets and determining the appropriate risk oversight structure.
Strategic alignment and budget influences technology and control selection, resource allocation, and
policy-making, ensuring a viable cybersecurity strategy.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 11

2.2.2 Evolving Threat & Risk Landscape

Monitoring the evolving threat and risk landscape is part of risk management. Cyber threats evolve
continuously, and implementing continuous monitoring involves regularly assessing and updating
an organization’s understanding of potential threats and vulnerabilities. This process includes
analyzing cyberattack trends, identifying new methods employed by attackers, and understanding
the implications of technological advancements on security. Organizations need to address these
challenges to secure their systems. ZT offers a framework that facilitates a shift in mindset that
promotes securing and protecting what is important for the organization.

2.3 Create a Case for Zero Trust

Organizations measure their health and progress using key financial metrics like revenue, net
income, margins, costs, and cash flow. Organizations also consider non-financial indicators such
as stock performance, compliance, audit outcomes, reputation, and employee productivity for
a comprehensive view. Different stakeholders prioritize various metrics. Understanding these
measures is vital for asking more effective questions, understanding drivers, and constructing a
meaningful case for adopting ZT.

The primary goal of the business case, which is defined further during Cloud Security Alliance’s
Zero Trust Planning training, illustrates how an initiative delivers organizational value and return on
investment (ROI). The business case also requires alignment with organizational strategy.

Consider these organizational elements during the buy-in phase to lay a solid foundation for a
successful and strategic implementation of ZT:

• Alignment with, and assistance in, delivering key business goals and objectives.
• The value to the business in implementing a ZTA, both tangible and intangible.
• Key stakeholder buy-in: ZT is everyone’s responsibility, not just the purview of IT or the
Chief Information Security Officer (CISO). Gaining support from the key stakeholders across
departments is essential.
• Assets inventory, classification, and categorization of business critical assets or asset
classes. These must also be defined in terms of risk to the business.
• Compliance and governance: Confirm that any changes made by implementing ZT align with
existing compliance requirements. This ensures regulatory adherence and strengthens the
organization’s security posture.
• Strengths, weaknesses, opportunities, and threats (SWOT) analysis or cost/benefit
analysis (CBA): Perform a SWOT analysis to help identify internal strengths, weaknesses,
opportunities and threats. CBAs are also helpful. These help guide IT professionals in the
initial stages of a ZT implementation.

2.4 Leadership Buy-In

You should look to map the ZT journey so that leadership, especially non-technical leadership roles,
can appreciate how it may affect their area of responsibility. The following examples illustrate how

© Copyright 2024, Cloud Security Alliance. All rights reserved. 12

ZT may serve as a foundation for areas such as privacy, security, compliance, third-party risk man-
agement (TPRM), and simplicity and efficiency at your organization10. These need translating into
examples of ZT success using current business problems that your business leaders recognise are
improved by ZT.

Privacy

• Data Minimization and Access Control: By adhering to the principle of “never trust, always
verify,” ZT ensures that access to sensitive data is tightly controlled and monitored, reducing
the risk of unauthorized data exposure.
• Enhanced User Privacy: ZTAs can protect user privacy by limiting access to personal data
and ensuring that only necessary data is processed and stored.

Security

• Reduced Attack Surface: ZT requires strict access controls without implicit trust and micro-
segmentation. The two limit the pathways an attacker can use to move laterally across a
network.
• Real-time Monitoring and Response: Continuous monitoring is a key tenet of ZT, allowing for
real-time detection and response to threats, thereby enhancing security postures.

Compliance

• Regulatory Alignment: Many regulatory frameworks require strict access controls and data
protection measures, which are core components of a ZT model.
• Audit and Reporting: ZT architectures make it easier to log access and changes, thus
supporting compliance reporting and auditing requirements.

Third-Party Risk Management (TPRM)

• Vendor Access Limitations: ZT principles can be applied to third-party vendors to ensure

they have only the access and visibility that is necessary to perform their functions.
• Continuous Verification of Third-Party Credentials: Regular re-verification of credentials and
access rights helps to manage and mitigate the risks associated with third-party partners.

Simplicity and Efficiency

• Often the implementation of ZT-based access simplifies the traditional access mechanism
for the user, enhancing productivity. ZTA helps with quick and seamless access to the assets
irrespective of location and network boundaries.
• It is essential to designate a person or a limited number of people with the accountability
and authority to manage a particular area. A clear owner ensures issues are identified and
highlighted at the appropriate level.

10
Cloud Security Alliance. (2023). Zero Trust Guiding Principles.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 13

3 Tactics for Zero Trust
In this unit, we delve into the tactical aspects of implementing Zero Trust (ZT). We discuss nine
crucial sub-sections contributing to building a resilient architecture. Alongside these, we’ll also
introduce CISA’s Zero Trust Maturity Model (ZTMM), which, while not a part of the nine steps, is
important in understanding the overall progression in ZT implementation. The initial four subsections
outline the foundational principles of ZT design, while the subsequent five subsections detail the
step-by-step process for ZT implementation.

• ZT Design Principles
• Focus on Business Outcomes: Understanding how ZT aligns with and supports the
organization’s primary business goals.
• Design from the Inside Out: Developing a security strategy that starts within the
organization before extending outwards.
• Determine Who/What Needs Access: Identifying which users and devices require
access to specific resources.
• Inspect and Log Key Traffic: Aim to monitor and record critical activity for potential
threats as a targeted approach.
• Foundational Principles of ZT Design
• Step 1: Define Your Protect Surface(s): Identify and secure critical data and resources
within the network (environment).
• Step 2: Map the Transaction Flows: Understand the movement of data within and
outside the organization and the potential classification of each transaction type.
• Step 3: Build a Zero Trust Architecture (ZTA): Develop the infrastructure and capabilities
necessary for ZT.
• Step 4: Create ZT Policy: Establishing guidelines and rules for network, system and
data access and security.
• Step 5: Monitor and Maintain the Network (Environment): Continuously oversee the ZT
environment to ensure ongoing security and adapt to new threats.

These elements are vital in shaping and executing an effective security approach aligning with an
organization’s objectives.

3.1 Zero Trust Design Principles11

This section explores the foundational design principles that shape an effective ZT security strategy.
These principles guide organizations in transitioning from traditional security models to a more
robust approach suited for today’s dynamic digital landscape. The focus is on setting goals like
designing security from the inside out, accurately determining access requirements, and aiming
for thorough inspection and logging of network traffic. It is important to note, however, that the
realization of these goals may differ based on an organization’s specific capabilities and resources.

11
(2023) Zero Trust Explained by John Kindervag

© Copyright 2024, Cloud Security Alliance. All rights reserved. 14

Figure 3: Zero Trust Design Principles12

3.1.1 Focus on Business Outcomes

Shaping a ZT strategy begins with a clear understanding of the organization’s strategic direction and
its IT needs. This understanding should incorporate the organization’s specific business threats and
the broader spectrum of risks posed by factors like organized crime and nation-state actors. The
priority is to safeguard business-critical assets—considered the crown jewels—within a ZT framework.

If ZT is the chosen strategy, it’s crucial to prioritize business objectives tailored to your organization’s
specific goals and requirements. From the outset, ZT demands a clear vision, whether it’s to manage
risks within acceptable limits, reduce compliance costs, or minimize the impact of security incidents.
An effective ZT strategy balances security with the cost and value of security and available-
resource use to deliver on security initiatives versus other business initiatives like product or feature
development, while avoiding excessive measures that could hinder competitiveness.

3.1.2 Design from the Inside Out

ZT marks a shift from traditional perimeter-centric security models, which operate on the obsolete
premise that everything inside a network is safe, while external entities pose threats. ZT flips this
notion, recognizing that threats can originate from anywhere—both inside and outside the network.
This paradigm shift dictates a security architecture designed from the inside out. The design begins
with the organization’s most critical assets and data at its core and securing access from inside the
network, and then extending protection outward. This strategy reorients IT policies to move from a
stance of broad threat defense to a focused asset protection approach. The reorientation ensures
that the most vital resources are safeguarded at their heart to mitigate the risk of unauthorized
access and data breaches.

To connect the design shift to operational strategy, it’s important to consider the constraints of
limited resources, which all organizations face. This constraint necessitates effective prioritization
based on asset value. Conducting a business impact assessment (BIA) or an asset inventory
categorized by value helps in identifying critical resources. By ranking assets according to their
criticality or value, organizations can efficiently allocate their resources, aligning their security efforts
with ZT principles and securing both protect and attack surfaces more effectively.
12
Figure adapted from: (2023) Zero Trust Explained by John Kindervag.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 15

3.1.3 Determine Who & What Needs Access

Today, organizations operate on a global scale, leveraging remote work, joint ventures, outsourced
services, and cloud technology. In a ZT security approach, the principle of least privilege (attribute
of never trust, always verify) necessitates a precise determination of who or what needs access to
certain resources, along with the duration and associated risks of such access. This principle ensures
that each entity – be it a user or a system – has access strictly as per their need, thus narrowing the
attack surface and enhancing security. An asset’s visibility should strictly conform to the need-to-
know basis, remaining invisible to those without a legitimate requirement for access.

Figure 4: Zero Trust From a People Perspective13

The concept derived from the Identity Security Alliance, as depicted in Figure 4 Zero Trust From
a People Perspective, encompasses seven elements: users, applications, infrastructure, identity,
device/workload, access, and transaction. Training individuals outside of security roles, like network
teams and developers, to identify and manage trust relationships across these elements is a key
challenge. Critical tasks include mapping out where trust is established. Examples include between
users and identities or infrastructure and identities, and adopting secure practices like proper firewall
configurations and secure coding. A thorough understanding of these trust points allows for the
effective identification and mitigation of vulnerabilities that cybercriminals target. Benefit is derived
from the insights gained through extensive penetration testing experience.

13
Cloud Secuirty Alliance. (2023) The Most Important Part of Zero Trust: People by George Finney

© Copyright 2024, Cloud Security Alliance. All rights reserved. 16

3.1.4 Inspect & Log Traffic
Two key principles of ZT, as outlined in NIST Zero Trust Architecture (SP 800-207)14, are:
Continuously monitoring and assessing the security and integrity of all assets and resources.
Gathering extensive information on the current state of assets, network infrastructure, and
communications to enhance security measures.

In the journey towards ZT adoption, organizations require some sort of logging and monitoring
capabilities. The level of sophistication will vary greatly, depending on the level of organizational
maturity, and the resources available.

This process typically begins with the establishment of foundational log management practices.
This means starting with the basic yet important step of implementing systems to gather user and
entity activity logs, particularly focusing on privileged credentials, coupled with routine manual
analysis. This initial phase should cover all essential ZT pillars, laying the groundwork for more
advanced security measures.

As the organization’s maturity in the ZT framework advances, supplemented by adequate resources

and expertise, it can evolve these practices into more sophisticated systems. A key development
in this evolution is the integration of a security information and event management (SIEM) system.
SIEM serves as a pivotal tool for automated log aggregation and analysis, setting the stage for the
adoption of security, orchestration, automation, and response (SOAR) capabilities.

In scenarios where the organization has control over network-level infrastructure or can log traffic at
the access gateway, it’s strategically important to incorporate relevant and contextual ZT logs into a
SIEM system or log management tool. This integration not only enhances the organization’s security
posture but also aligns with the fundamental principles of ZT. The integration ensures continuous
monitoring and adaptation to the ever-evolving security landscape. The ability to assess and log
relevant and contextual traffic from both internal and external sources can significantly enhance
operational intelligence.

Additionally, at high levels of maturity, the carefully selected log data from various layers or
applications can be unified into a common data structure. Data captured includes device, time,
user, and the resource or asset access (e.g., server, service, application, etc.) requested. By coupling
monitoring and logging, engineers can continuously improve security by rapidly countering any
suspicious activity. Continuously scrutinizing traffic patterns in such a manner is a powerful, strategic
asset.

Capturing data and monitoring it in real time requires the development of reactive controls, including
system and organization controls (SOC) assessments, analysis, response staff and automation
in the response pipeline. Logging is only any good if you do something with it, but for the many
organizations without a SOC in place, there is no reason for a major consolidated log database. It is
acceptable for the ZTA configuration to simply monitor and log:

• At the policy decision points (PDPs);

• All admin operations; and
• All user access event logs.

14
NIST. (2020). Zero Trust Architecture (SP 800-207)

© Copyright 2024, Cloud Security Alliance. All rights reserved. 17

3.2 Zero Trust Maturity Model

Figure 5: CISA Zero Trust Maturity Model (ZTMM)15

This section covers the CISA Zero Trust Maturity Model (ZTMM)16, which helps organizations enhance
their ZT strategies. The CISA ZTMM outlines maturity stages – Traditional, Initial, Advanced, Optimal
– across ZT pillars (Identity, Devices, Networks, Applications and Workloads, and Data) and capabil-
ities (visibility, automation, governance). These maturity stages help organizations assess, plan and
implement the necessary measures to progress toward a more secure ZTA. The CISA ZTMM journey,
depicted in the accompanying figure, represents a path towards achieving optimal ZT maturity. This
journey, a practical visual representation, shows how companies advance through ZT’s various matu-
rity levels.

15
Figure adapted from: CISA. (2023). Zero Trust Maturity Model (Version 2.0).
16
CISA. (2023). Zero Trust Maturity Model (Version 2.0).

© Copyright 2024, Cloud Security Alliance. All rights reserved. 18

Figure 6: Zero Trust Maturity Journey17

To utilize the CISA ZTMM effectively, grasp the framework, refine your functions and assess your
current ZT maturity. Finally, plan steps for maturity advancement and align them with organizational
projects and priorities, using a prioritization model to guide you.

3.2.1 Zero Trust Maturity Model in Practice

Tailoring the CISA ZTMM to fit your needs may seem overwhelming. It is not advisable to strive to
achieve optimal maturity across all pillars simultaneously. Nor is it advisable to focus on a single pillar
and expect to perfect it across the entire organization. Attempting to perfect one pillar (like identity)
across all systems before moving to the next is not only impractical but can lead to stagnation in
overall security posture improvement. It is important, instead, to evaluate each protect surface, using
worksheets such as the one illustrated below, which is based on the NSTAC report. Each worksheet
identifies the protect surface and critical data, assets, application, and services (DAAS) element
being evaluated, with 5 (optimized) representing the best possible score for each attribute. The total
perfect score on a worksheet would be 25. This is a rare occurrence. Such worksheets help teams
prioritize projects, based on safeguarding business-critical assets. This targeted approach allows for
a more accurate assessment of maturity gaps and enables the development of specific projects to
enhance the security and maturity of each protect surface. Furthermore, by evaluating each protect
surface individually, organizations can create a more nuanced and actionable cybersecurity roadmap.
Finally, all the protect surfaces can aggregate to define an overall score for the organization as well as
an average score per protect surface.

17
Figure adapted from: (2023) Zero Trust Explained by John Kindervag.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 19

Figure 7: Zero Trust Maturity Model Worksheet18

This methodology simplifies the complexity inherent in managing multiple and discrete identity
solutions across an organization. For example, if an organization focuses on improving the security
maturity of its directory services (as a protect surface), it can methodically elevate the maturity level
in this specific area, thereby making tangible progress and ensuring continuous improvement in cy-
bersecurity defense. Finally, it helps you monitor progress across various ZT projects to stay aligned
with your organization’s IT strategy and cybersecurity strategy.

3.2.2 CISA-Based Maturity Model

You may also wish to explore this interactive CISA ZTMM Spreadsheet model19, a comprehensive
tool with status bars for monitoring progress. After a ZT assessment, approach the journey system-
atically, with the same considerations that we suggested if you choose to use the National Security
Telecommunications Advisory Committee (NSTAC) based assessment model:

• Analyze all functions, adjusting the depth as needed;

• Avoid tackling all functions simultaneously so as to not be overwhelmed;
• Focus on enhancing specific areas within individual projects, addressing a single protect
surface at a time; and
• Ensure projects align with business drivers and deliver tangible business value, not just
security benefits.

You are encouraged to tailor the ZTMM approach to your organization’s needs. This pragmatic ap-
proach ensures that the journey towards a mature ZT environment is both achievable and manage-
18
Figure adapted from: NSTAC. (2022). NSTAC Report to the President on Zero Trust and Trusted
Identity Management. Pg. A-1
19
Jason Garbis and Numberline Security have created The Zero Trust Maturity Model Resource Center
and associated worksheets (GCP Sheets and Excel), aligned with the CISA ZTMM. Learn more about
these tools here.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 20

able, because it keeps you flexible. Remember that the goal is delivering tangible value to your busi-
ness, with ZT maturity serving as a measure of progress and a guide for prioritizing enhancements in
your implementation.

3.3 The Five Steps for Zero Trust Implementation

In the journey towards an ideal ZT architecture, there are five essential steps to follow to operational-
ize each protect surface project. These steps provide a structured approach to enhance cybersecurity
and ensure a successful transition to a ZT paradigm. Organizations can gain a deeper understanding
of their data interactions by:

• Beginning with the definition of protect surface(s) and a risk-based strategy in Step 1;
• Mapping transaction flows in Step 2;
• Building and implementing protect surface projects (tailoring the ZTA), that emphasize
flexibility and customization to work alongside existing network environments in Step 3;
• Focusing on creating precise ZT policies, addressing the who, what, where, when, why, how,
and for how long of access controls in Step 4; and
• Continuous monitoring and maintaining the network (environment) as it enters production
(fundamental to the sustained success of a ZTA) in Step 5.

These five steps collectively form the foundation for implementing a comprehensive ZT strategy.

3.3.1 Step 1: Define Your Protect Surface(s)

As you embark on your ZT journey, shift your perspective to focus on what you’re protecting rather
than what you’re defending against. Visualize your end goal and prioritize safeguarding critical and
vulnerable components within your protect surface, known as DAAS. Organizations should prioritize
identifying protect surfaces, and then document attack surfaces to complement them, steering clear
of a traditional, attack-surface-centric approach. Examples include:

• Data: Sensitive information. Examples include:

• Payment card industry (PCI);
• Protected health information (PHI);
• Personally identifiable information (PII); and
• Intellectual property (IP) that can cause significant harm if compromised.
• Applications: Software interacting with sensitive data or controlling essential assets and
processes related to the business.
• Assets: IT, OT, or IoT devices such as point-of-sale (PoS) terminals, supervisory control and
data acquisition (SCADA) controls, and networked medical devices.
• Services: Examples include:
• Domain Name System (DNS);
• Dynamic Host Configuration Protocol (DHCP);
• Active Directory; and
• Network Time Protocol (NTP).

© Copyright 2024, Cloud Security Alliance. All rights reserved. 21

To deploy ZT environments, organizations should focus on two factors: the criticality of the protect
surface and the duration of the ZT journey, ideally ongoing. Data classification – as identified above
(data sensitivity) – is a critical starting point. Start with low-sensitivity learning protect surfaces, like
lab environments or non-critical web pages, allowing for safe experimentation and failure. Progress
to practice protect surfaces, which are more sensitive but not the organization’s most critical assets.
This step-by-step approach builds confidence in ZT principles before moving to the most sensitive
areas. After securing high-value assets, the focus shifts to less critical protect surfaces, gradually
covering all significant areas in the ZT environment.

Figure 8: Zero Trust Learning Curve20

3.3.2 Step 2: Map & Prioritize the Transaction Flows

The fundamental objective of this step is to prove to your audience that you have an understanding
of how the whole cybersecurity system works. Mapping transaction flows for each protect surface
is critical for understanding how DAAS components interact (how the system works). The mapping
is also critical for determining the optimal placement of controls for data protection. These network
traffic patterns, specifically tailored to the protect surface data, are essential for shaping the overall
design.

Once the transaction flows have been mapped, the next task involves prioritizing, which may also
be shaped by the reality of the readily available resources. This process involves determining how
resources, such as personnel, time and budget, should be allocated to these prioritized flows to im-
plement the ZTA efficiently.

From a strategic viewpoint, defining protect surfaces and prioritizing transaction flows are neces-
sary inputs to request and allocate necessary resources (e.g., budget and personnel). For example,
20
Figure adapted from: (2023) Zero Trust Explained by John Kindervag.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 22

business processes involving sensitive data should be prioritized, as these processes are crucial for
establishing access rights and conditions within the ZTA21. To ensure a smooth transition to ZTA,
starting with a low-risk business process is advisable, minimizing disruption and gaining valuable
experience before moving on to more critical processes.

3.3.3 Step 3: Build a Zero Trust Architecture

Implementing a ZTA through protect surface projects is a journey that modifies the existing infra-
structure and processes rather than replaces what has already been implemented. Designing protect
surface projects involves mapping transaction flows, identifying controls and secondary protect
surfaces, and ultimately designing a system or solution. Even in a completely new environment,
transitioning to ZTA within a single technology refresh cycle is improbable. Adapting existing work-
flows to ZTA likely necessitates, at the very least, a partial overhaul. How an enterprise migrates to a
strategy depends on its current cybersecurity posture and operations. Migrating to ZTA requires an
organization to have detailed knowledge of its assets (physical and virtual), subjects (including user
privileges), and business processes.

Let us put these principles into plain and practical language. The protect surface with the most
sensitive assets is in most need of ZT. Temptation: address this surface first. However, the services,
assets or business data contained therein might need approvals from more than one department. As
we mentioned earlier, as a strategic thinker, you may benefit from delivering a faster or easier win. To
establish confidence and trust within the organization, you can opt to improve a protect surface that
needs less approvals and less time to complete – the low-hanging fruit.

Another strategy might be to look at protect surfaces where you can build some shared services, or
consolidate some technologies. Your benefit here is in showing value and then repeating what you
have done on other protect surfaces. With each consecutive instance producing better results in less
time. Something complex, such as centralization of Identity Providers (IdP centralization), may be
challenging in situations where you are implementing a centralized IdP in a large or complex organi-
zation, running legacy systems and diverse application environments. Visible benefits may include
simplified management, a better user experience or improved compliance with regulatory require-
ments22.

ZT frameworks are not tied to any specific technology, allowing organizations to fully customize their
security measures based on their unique protection needs. This flexibility allows for a security ap-
proach that is focused on critical protect surfaces within the organization. Dividing the network into
smaller, distinct segments to limit access and contain potential breaches, ensuring that even if one
segment is compromised, others remain secure heightens security and control over data flow within
the organization. Enterprises can adopt various approaches to implement ZTA, emphasizing differ-
ent components and policy rules. These approaches, namely governance-driven enhanced identity,
logical micro-segmentation, network-based segmentation, cloud usage and outsourcing, and even
removal of the corporate network altogether, all can adhere to ZT principles.

NIST. (2020). Zero Trust Architecture (SP 800-207)

See NSTAC. (2022). NSTAC Report to the President on Zero Trust and Trusted Identity Management.
22

Appendix A and B for more ideas.

© Copyright 2024, Cloud Security Alliance. All rights reserved. 23

Typically, a complete ZT solution incorporates many different elements. The suitability of each
approach varies, depending on the strategic business direction and risk defined by the board, and
should flow down into the architectural solution chosen. While one approach may align seamlessly
with a chosen use case and policies, it doesn’t imply that other approaches wouldn’t work. Indeed, al-
ternative approaches, while more challenging to implement, may provide better long term alignment
with the overall strategic business direction.

Depending on the enterprise, multiple ZTA deployment models may be employed within a particular
organization for various business processes.23

3.3.4 Step 4: Create Zero Trust Policy

ZT policies form the cornerstone of a secure ZTA. While these policies are initially static, they should
be designed to evolve dynamically in tandem with the organization’s progression in implementing
and maturing its ZTA.

To effectively implement ZT, organizations should use the 5 W’s plus How for policy creation. This
method helps the effort focus on defining granular access controls and considerations for resource
access. It also helps you to write specific policy statements and procedures, tailored to the protect
surface access perspective. The list below outlines the key aspects that should be factored into any
risk evaluation when creating ZT policies:

• Who: Determine which entities (people, devices, organizations, code, agents, etc.) should
be allowed to access a particular resource.
• What: Understand the context in which the entity tries to access systems and/or data
• When: Define the time frames or conditions under which the entity may access the
resource.
• Where: Identify the location, network, or geo-fence that allows the entity access.
• Why: Establish why the entity (the “Who”) needs access to the resource, emphasizing the
justification.
• How: Define the technological controls necessary to deliver appropriate risk-based controls
to satisfy the 5 W’s.

3.3.5 Step 5: Monitor & Maintain the Network

In the CISA ZTMM, visibility and analytics provide the insights that improve ZT operations. Knowing
the current and dynamic state of each protect surface’s security posture within the network (environ-
ment) is critical to any potential response. This involves a focus on logging, monitoring and prompt
alerting. These components enable continuous improvement and an effective incident response
framework. Regular feedback loops, efficient incident detection, a robust response plan, and the
ongoing monitoring of activities are key to maintaining and updating policy rules.

It’s also important to regularly review and modify the protect surface and automated policies, which
can be achieved through quarterly reviews of ZT identity, devices, access, policies, and protect sur-
faces.
To learn more about model variations, review these Cloud Security Alliance courses: Introduction to
23

Software-Defined Perimeter and Architectures and Components of Software-Defined Perimeter.

By continually monitoring and updating each subsequent protect surface, organizations can progres-
sively strengthen their security posture. Such continuous oversight not only enhances security but
also improves operational efficiency, speed of access, and flexibility, contributing to overall produc-
tivity. Communicating these returns on investment to leadership is essential to acknowledge the
long-term benefits of the ZT strategy.

4 Zero Trust & Operations

When organizations conduct a detailed technology landscape assessment, they should identify spe-
cific areas where Zero Trust (ZT) principles can and should be applied to optimize or extend existing
controls. These enhancements encompass a range of security technologies, including continuous
authentication and authorization, user and entity behavior analytics (UEBA), and dynamic policy
enforcement points (PEPs). Automation and orchestration, based on the designed Zero Trust Archi-
tecture (ZTA), are ZT enablement items.

Here is a list of common operational areas impacted by ZT strategy:

• System administration;
• Network management;
• Data management;
• Performance monitoring;
• Helpdesk and support; and
• DevOps and engineering (access workflow).

This section delves into the multifaceted approach necessary to effectively adopt and integrate ZTA.
It also emphasizes the need for a shift in corporate culture, tailored to each organization’s unique
business type and directorial objectives. Education initiatives are vital for both staff and senior man-
agement to understand and communicate the business value of ZT. This educational aspect is pivotal
for gaining board buy-in and aligning ZT with the organization’s strategic goals.

In response to the evolving cybersecurity regulatory landscape and the inadequacy of traditional
security models, ZT offers a proactive and comprehensive framework to protect sensitive data and
infrastructure. Organizations need to be aware of regulatory requirements in different regions and
adapt their ZT strategy accordingly, especially those with legacy systems. The organization may
need to adopt a vendor-based readymade solution to construct the automated workflow to integrate
multiple ZTA elements. More orchestration at each step, such as during access and monitoring, can
make the operation easier and more adoptable.

Finally, the integration of user experience (UX) and site reliability engineering (SRE) plays a critical
role in the successful adoption of ZT. By focusing on UX and automated, code-driven solutions,
organizations can foster greater team support, reduce human error, and ensure that security mea-
sures are both effective and user-friendly, ultimately enhancing their security posture and operational
efficiency.

4.1 Cultural & Organizational Shift
The following list highlights areas for corporate culture shifts, tailored to each organization’s specific
business type and directorial objectives.

• Cultivate a ZT culture:
• Emphasize people, processes and organizational aspects over technology acquisition.
• Implement continuous monitoring, logging and responsive actions.
• Change the tone from the top:
• Secure executive endorsement and support for ZT initiatives, ensuring leadership
commitment.
• Develop a communications plan for consistent stakeholder alignment and guidance on
the ZT journey.
• Instill a culture of continuous risk management:
• Continuously assess and measure risk to guide access decisions and align with risk
appetite.

4.2 Training & Education

Educational initiatives help ensure IT staff, senior management and line-of-business (LOB) managers
understand the new ZT paradigm. ZT-informed executives are key to communicating ZT’s business
value, especially in getting board buy-in. This involves demonstrating how ZT aligns with the organi-
zation’s strategic objectives. In parallel, it is important to educate the broader workforce. This edu-
cation should focus on differentiating ZT principles from mere technology tools, helping employees
understand the fundamental concepts of ZT. Training reaching the broader workforce should also
provide an understanding of revised roles within the ZT framework.

Where applicable, the organization’s audit functions (both internal and external) need to participate in
the educational process. Auditors need to be informed about how ZT architecture enhances organi-
zational security and resilience.

Lastly, ZT training should be integrated into the existing training program for all staff. This integration
ensures that future updates, scheduling and necessary refreshes are consistently applied and not
overlooked by the organization’s training and education functions.

4.3 Regulatory & Compliance Shift

The cybersecurity regulatory landscape is undergoing a dynamic transformation, spurred by the
escalating complexity and frequency of cyber threats. Traditional security models are increasingly in-
adequate in this environment, prompting governments and industry regulators to endorse proactive
and comprehensive frameworks like ZT for safeguarding sensitive data and critical infrastructure.

In this evolving scenario, specific regulations and compliance standards, such as General Data

Protection Regulation (GDPR)24 and Health Insurance Portability and Accountability Act (HIPAA)25,
are being updated to necessitate the adoption of ZT-aligned security controls. This trend is especial-
ly pronounced in the finance, healthcare and government sectors, where the sensitivity of stored
personal data heightens the urgency. While not all regulations mandate ZT principles yet, the shift is
undeniable in these highly regulated industries, where compliance is not just a legal formality but a
critical defense against modern cyber threat.

4.3.1 Regional Regulations

Organizations must stay informed about the regulatory requirements in the countries and regions
where they store data and operate. The advent of new regulations often brings the need for specific
assessments or attestations, particularly during transitions to ZTAs.

In the United States, for instance, compliance with the Federal Information Security Management
Act (FISMA) becomes crucial for US federal government entities, and their suppliers and service
providers. This often necessitates optimization and automation of compliance tasks. The reasoning
behind this is linked to the requirements of FISMA, which mandates that agencies undergo a rigorous
cycle of assessment and reauthorization of systems, especially when making significant changes like
adopting ZT. The challenge lies in legacy environments, where agencies frequently find it difficult to
keep pace with these demanding tasks, resulting in potential delays or constraints in fully transition-
ing to a ZT framework.

4.4 Legacy Systems & Infrastructure

Specialized technologies – sometimes legacy-based – such as OT, IoT or industrial control systems
(ICS) devices, are often deployed within critical infrastructure services and often have significant
technical constraints in key areas, such as patching and access control. This and similar technologies
may require implementing specialized micro-perimeter access control technologies and strategies to
achieve ZT objectives for such infrastructure.

Organizations with legacy systems and traditional trust models often encounter challenges in
adopting ZT, particularly due to limited network and asset visibility. As we have mentioned in other
sections, the transition to ZT varies with each organization’s unique attributes, including its maturity
level, mission and specific challenges. Not all legacy systems require immediate ZT upgrades, but
any updates should be strategically planned to address emerging threats and system modernization.

Legacy infrastructure influences the adoption of ZT models. For example, the Information Security
Continuous Monitoring (ISCM) model requires adaptable systems for its data movement workflows.
Legacy systems’ rigidity can hinder the implementation of such models. Additionally, an organiza-
tion’s experience with measurement programs affects its ability to adopt ZT, with more mature orga-
nizations adapting more easily than those with less developed measurement capabilities.
24
General Data Protection Regulation is designed to protect data and privacy of European Union
citizens.
25
Health Insurance Portability and Accountability Act is United States legislation designed to, in part,
protect a patient’s health information.

4.5 Usability & Friction
This section explores the integral role of user experience (UX) and SRE26 in promoting the adoption of
ZT architecture in organizations. The focus is on refining UX to boost the acceptance of ZT principles
while shifting towards a more automated, code-driven approach. This shift not only enhances team
support but also minimizes human error, thus strengthening SRE practices. The synergy between UX
and SRE ensures that security measures are not only effective but also user-friendly, enhancing the
organization’s security posture and ensuring smooth operational processes. The key to fostering ZT
acceptance among employees is to prioritize UX and implement solutions through code and automa-
tion, leading to greater team buy-in and improved SRE outcomes.

4.5.1 User Experience

Incorporating UX helps encourage ZT acceptance and adoption within an organization. A key aspect
of this is transitioning from manual processes to code-based automation. By leveraging automation
and code, team acceptance is increased, and the likelihood of human error is significantly reduced.
This shift improves SRE practices. A well-designed UX ensures that security measures are robust and
user-friendly, fostering a more secure and efficient work environment.

4.5.2 Site Reliability Engineering

SRE combines software engineering and IT operations to build scalable and reliable systems. Focused
on proactive management through continuous monitoring, automation, orchestration and scalability,
SRE planning is a key part of ZT security, helping to maintain system integrity and resilience, includ-
ing early vulnerability detection and efficient resource management.

Applicable to both cloud-based and on-premises environments, SRE’s principles, such as automation,
performance monitoring and incident management, universally enhance system reliability, regardless
of the hosting setup.

Automation and orchestration (AO) are usually coupled terms, enabling ZT improvement in two
important ways. First, AO provide automated feedback that improves access controls, policies, and
enforcement, based on feedback loops.

Second, with infrastructure as code (IaC) and automated compliance checks, automated scripts and
tools can continuously check compliance with ZT policies, ensuring that any deviations are quickly
detected and rectified. AO also enables rapid response to detected threats by automatically adjust-
ing access controls and network configurations in real-time. IaC helps prevent infrastructure drift
– the phenomenon where the live state of the network diverges from the state defined in code. This
alignment is vital for maintaining the integrity of ZT policies.

4.5.2.1 Monitoring & Understanding System Compromises

In ZT security, monitoring the technology stack is crucial for vulnerability detection, with SRE en-
hancing this through continuous system monitoring and logging. This approach enables quick iden-
26
Google. (2016) Site Reliability Engineering.

tification of potential breaches and supports proactive security measures. Additionally, SRE aids in
understanding system compromises through postmortem analysis and learning from failures, which
is essential for secure recovery and resilience enhancement. Practices like thorough incident doc-
umentation and blameless postmortems help teams understand root causes and reinforce system
defenses.

4.5.2.2 Resource & Component Management

In the context of ZT security, deploying immutable resources may play a crucial role, and this is
where SRE becomes significant. Immutable resources refer to infrastructure components that, once
deployed, are not modified. Instead, if changes are needed, new instances of the resources are de-
ployed. SRE facilitates this by automating the deployment process, ensuring that new instances are
consistent, reliable, and verifiable. This approach reduces the risk of configuration drift and unautho-
rized changes, aligning well with the ZT principle of “never trust, always verify.” SRE’s focus on auto-
mation and reliability ensures that deploying immutable resources is efficient and secure.

A decisive and swift response may be necessary when a system component is compromised. This
approach is akin to rapidly decommissioning and replacing – effectively and quickly removing and
substituting the compromised component with a new, secure instance. SRE supports this rapid
response strategy with practices like infrastructure as code and automated deployment pipelines.
These practices allow for the quick rollout of new, unaffected instances, minimizing downtime and
exposure to threats. By automating the replacement process, SRE ensures that the response to secu-
rity incidents is fast and reliable.

Conclusion
In Zero Trust (ZT), the levels of strategic engagement include several components. At the top is the
organization’s strategy, guiding overall actions and decisions. Below this, at the strategy level, ZT
redefines traditional trust concepts in computing, emphasizing continuous verification due to the
inevitability of breaches.

Aligning ZT with organizational values involves understanding its adoption drivers, like compliance
and security enhancement, and how it offers competitive advantages such as streamlined security
and cost reduction. Risk management is key, focusing on protecting digital assets and requiring clear
ownership for risk handling.

Building a business case for ZT involves assessing financial and performance impacts, gaining
cross-departmental stakeholder buy-in, and aligning it with organizational strategy. Tactics for
ZT implementation include focusing on specific business outcomes, internal security design, and
managing access permissions.

Successful ZT adoption necessitates a cultural shift, integrating continuous risk management,

executive support, and comprehensive education across all organizational levels. It also involves
adapting to regulatory changes. Overall, ZT is a cybersecurity approach that requires strategic
alignment, planning, and execution for full effectiveness.

Glossary
For additional terms, please refer to our Cloud Security Glossary, a comprehensive glossary that
combines all the glossaries created by CSA Working Groups and research contributors into one place.

Acronym List
Acronym Term
AD Active Directory

AO Automation and Orchestration

BYOD Bring Your Own Device

C-Suite Chief-Suite

CBA Cost/Benefit Analysis

CFO Chief Financial Officer

CIO Chief Information Officer

CISO Chief Information Security Officer

COO Chief Operating Officer

DAAS Data, Applications, Assets and Services

DHCP Dynamic Host Configuration Protocol

DNS Domain Name System

FISMA Federal Information Security Management Act

HR Human Resources

IaC Infrastructure as Code

ICS Industrial Control Systems

IdP Identity Providers

IoT Internet of Things

IP Intellectual property

ISCM Information Security Continuous Monitoring

IT Ops Information Technology Operations

LOB Line of Business

MFA Multi-Factor Authentication

NSTAC National Security Telecommunications Advisory Committee

NTP Network Time Protocol

OT Operational Technology

PAW Privileged Access Workstations

PCI Payment card industry

PDPs Policy Decision Points

PEPs Policy Enforcement Points

PHI Protected health information

PII Personally identifiable information

PoS Point-of-Sale

ROI Return on Investment

SCADA Supervisory Control and Data Acquisition

SIEM Security Information and Event Management

SLA Service Level Agreement

SOAR Security, Orchestration, Automation, and Response

SOC Security Operation Center

SRE Site Reliability Engineering

SWOT Strengths, Weaknesses, Opportunities, and Threats

TPRM Third-Party Risk Management

UEBA User and Entity Behavior Analytics

UX User Experience

VPN Virtual Private Network

ZT Zero Trust

ZTA Zero Trust Architecture

ZTMM Zero Trust Maturity Model

Illumio White Paper How To Build A Micro Segmentation Strategy
No ratings yet
Illumio White Paper How To Build A Micro Segmentation Strategy
14 pages
DG Fortisiem Reference Architecture
No ratings yet
DG Fortisiem Reference Architecture
26 pages
Cnssi 4009
No ratings yet
Cnssi 4009
252 pages
Module I: Program Orientation: Answer Key
0% (1)
Module I: Program Orientation: Answer Key
3 pages
RFP - RFP - 1809 - Construction of 250 Villas in Al Samha (Musanada's E-Procurement Portal)
No ratings yet
RFP - RFP - 1809 - Construction of 250 Villas in Al Samha (Musanada's E-Procurement Portal)
215 pages
SDP
No ratings yet
SDP
57 pages
Zero Trust Principles and Guidance For IAM 071223
No ratings yet
Zero Trust Principles and Guidance For IAM 071223
20 pages
SANS - How - To - Use Zero - Trust - To - Secure - Workloads - in The - Public - Cloud
No ratings yet
SANS - How - To - Use Zero - Trust - To - Secure - Workloads - in The - Public - Cloud
14 pages
Zta Nist SP 1800 35c Preliminary Draft 2
No ratings yet
Zta Nist SP 1800 35c Preliminary Draft 2
90 pages
Speaker0 Session9570 1
No ratings yet
Speaker0 Session9570 1
34 pages
An Overview of Zero Trust - Study Guide
No ratings yet
An Overview of Zero Trust - Study Guide
1 page
Next Gen Ztna Benefits
No ratings yet
Next Gen Ztna Benefits
2 pages
Kuppingercole Ztna Analyst Report
No ratings yet
Kuppingercole Ztna Analyst Report
90 pages
Zero Trust PDF
No ratings yet
Zero Trust PDF
19 pages
Forrester Wave Zero Trust Edge Solutions
No ratings yet
Forrester Wave Zero Trust Edge Solutions
14 pages
Zero Trust Network Access Evolution
No ratings yet
Zero Trust Network Access Evolution
29 pages
Ultimate Test Drive Next Gen Firewall Presentation
No ratings yet
Ultimate Test Drive Next Gen Firewall Presentation
33 pages
Microsegmentation 2
No ratings yet
Microsegmentation 2
11 pages
LR 57 A Comprehensive Framework For Migrating To Zero Trust Architecture
No ratings yet
LR 57 A Comprehensive Framework For Migrating To Zero Trust Architecture
25 pages
Zscaler Zero Trust Cloud Security Virtual Internship: BY P V Lakshmi 22KD5A0416
No ratings yet
Zscaler Zero Trust Cloud Security Virtual Internship: BY P V Lakshmi 22KD5A0416
14 pages
Q3 2024 Forrester Wave Attack Surface MGT
No ratings yet
Q3 2024 Forrester Wave Attack Surface MGT
25 pages
Zero Trust Access For Dummies, Fortinet Special Edition Lawrence Miller PDF Available
100% (1)
Zero Trust Access For Dummies, Fortinet Special Edition Lawrence Miller PDF Available
111 pages
Zscalar 4H8
No ratings yet
Zscalar 4H8
9 pages
Zero Trust for Identity Architects
No ratings yet
Zero Trust for Identity Architects
26 pages
Zero Trust Data Security Guide
No ratings yet
Zero Trust Data Security Guide
42 pages
How To Architect Zero Trust Security With Vmware Workspace One
No ratings yet
How To Architect Zero Trust Security With Vmware Workspace One
26 pages
66e1ac9e8623931856991c5e - CISO's Guide To Cloud Security
No ratings yet
66e1ac9e8623931856991c5e - CISO's Guide To Cloud Security
14 pages
Creating and Maintaining SOC MSP1 Whitepaper
No ratings yet
Creating and Maintaining SOC MSP1 Whitepaper
11 pages
Report Security Architect and Cybersecurity
No ratings yet
Report Security Architect and Cybersecurity
16 pages
Cloud Security & Deployment Models
No ratings yet
Cloud Security & Deployment Models
12 pages
SASE Adoption Guide (Netskope)
No ratings yet
SASE Adoption Guide (Netskope)
13 pages
Guideline+on+Effectively+Managing+Security+Service+in+the+Cloud+10 2 18
No ratings yet
Guideline+on+Effectively+Managing+Security+Service+in+the+Cloud+10 2 18
53 pages
SB Securing Ot Networks With Microsegmentation
No ratings yet
SB Securing Ot Networks With Microsegmentation
5 pages
SY0-071-Module 3 Powerpoint Slides
No ratings yet
SY0-071-Module 3 Powerpoint Slides
232 pages
Ciso Workshop 3 Identity and Zero Trust User Access PDF
No ratings yet
Ciso Workshop 3 Identity and Zero Trust User Access PDF
26 pages
Evolution Firewall - 1
100% (1)
Evolution Firewall - 1
31 pages
Secure by Design
100% (1)
Secure by Design
36 pages
SDP101 Overview Presentation W Talktrack 022421-210316-174943
No ratings yet
SDP101 Overview Presentation W Talktrack 022421-210316-174943
24 pages
Training - Azure Administrator Associate Certified
No ratings yet
Training - Azure Administrator Associate Certified
2 pages
Hype Cycle For Security Operations 2021
No ratings yet
Hype Cycle For Security Operations 2021
77 pages
Zero Trust Deployment Plan 1672220669
No ratings yet
Zero Trust Deployment Plan 1672220669
1 page
Application Layer: Introduction To Networks v5.1
No ratings yet
Application Layer: Introduction To Networks v5.1
36 pages
ZT Concept Content - Dennis
No ratings yet
ZT Concept Content - Dennis
43 pages
Comprehensive Guide To Cloud Security
No ratings yet
Comprehensive Guide To Cloud Security
15 pages
Security Operations Center: By: Mohamad Mahmoud
No ratings yet
Security Operations Center: By: Mohamad Mahmoud
6 pages
NIST SP 800-82r
No ratings yet
NIST SP 800-82r
316 pages
CARTA
No ratings yet
CARTA
16 pages
Cybersecurity Framework 021214 Final
No ratings yet
Cybersecurity Framework 021214 Final
41 pages
Understanding CASB - Cloud Access Security Broker
No ratings yet
Understanding CASB - Cloud Access Security Broker
2 pages
ZCTA Zscaler-PrimaryFunctionalities StudentGuide May17-V1.0
No ratings yet
ZCTA Zscaler-PrimaryFunctionalities StudentGuide May17-V1.0
80 pages
Enterprise Governance
No ratings yet
Enterprise Governance
33 pages
Computer Report
No ratings yet
Computer Report
4 pages
Zscaler Q3-23 Corporate Presentation
No ratings yet
Zscaler Q3-23 Corporate Presentation
40 pages
Cloud Security Posture Management Buyers Guide
No ratings yet
Cloud Security Posture Management Buyers Guide
14 pages
Acalvio Deception Cyberdefense Manual
No ratings yet
Acalvio Deception Cyberdefense Manual
68 pages
SY0-071-Module 4 Powerpoint Slides
No ratings yet
SY0-071-Module 4 Powerpoint Slides
358 pages
SOC Interview
No ratings yet
SOC Interview
5 pages
Security Operations Center A Framework For Automat
No ratings yet
Security Operations Center A Framework For Automat
16 pages
Cloud Controls Matrix Template (December 2024)
No ratings yet
Cloud Controls Matrix Template (December 2024)
36 pages
Communicating The Business Value of Zero Trust (Good)
No ratings yet
Communicating The Business Value of Zero Trust (Good)
33 pages
Zero Trust Guiding Principles 072123
No ratings yet
Zero Trust Guiding Principles 072123
20 pages
CCZT Knowledge Guide
No ratings yet
CCZT Knowledge Guide
10 pages
Assignment 2
No ratings yet
Assignment 2
6 pages
PM - Unit 3
No ratings yet
PM - Unit 3
5 pages
Time Table MBA IV Sem 2023-25
No ratings yet
Time Table MBA IV Sem 2023-25
1 page
VEDIOCON
No ratings yet
VEDIOCON
29 pages
Mid-1 Answer - BUS 685
No ratings yet
Mid-1 Answer - BUS 685
4 pages
Il&Fs Crisis: Failure of Corporate Governance
No ratings yet
Il&Fs Crisis: Failure of Corporate Governance
9 pages
BSNL Broadband Error Codes Guide
No ratings yet
BSNL Broadband Error Codes Guide
4 pages
Auditing Theory Test Bank
No ratings yet
Auditing Theory Test Bank
26 pages
Mukta Drinking Water
No ratings yet
Mukta Drinking Water
13 pages
Bank Statement Oct 2021-Mar 2022
No ratings yet
Bank Statement Oct 2021-Mar 2022
7 pages
Chap 13 (Target Costing)
No ratings yet
Chap 13 (Target Costing)
7 pages
Corporate Governance and Accountability - (Corporate Governance and Accountability)
No ratings yet
Corporate Governance and Accountability - (Corporate Governance and Accountability)
1 page
Research Paper
No ratings yet
Research Paper
42 pages
Melissa Corkhill: Risk & Compliance Expert
No ratings yet
Melissa Corkhill: Risk & Compliance Expert
8 pages
Midterm IB
No ratings yet
Midterm IB
36 pages
Labour Economics (Lesson 1-14)
No ratings yet
Labour Economics (Lesson 1-14)
159 pages
Saran Project 1
No ratings yet
Saran Project 1
34 pages
Sports Industry in India
No ratings yet
Sports Industry in India
13 pages
ACCOMMODATION PURCHASE With
No ratings yet
ACCOMMODATION PURCHASE With
6 pages
Marketing Report: L’Oréal Paris
No ratings yet
Marketing Report: L’Oréal Paris
21 pages
Law Students' Case Digest Submissions
No ratings yet
Law Students' Case Digest Submissions
87 pages
In-App Configuration For SAP S4HANA Cloud Scope Item J58 (6PR) - How To Guide
No ratings yet
In-App Configuration For SAP S4HANA Cloud Scope Item J58 (6PR) - How To Guide
7 pages
SLIIT Academy Registration Guide
No ratings yet
SLIIT Academy Registration Guide
3 pages
Stock Listings by Sector and Exchange
No ratings yet
Stock Listings by Sector and Exchange
138 pages
Exhibit A-Coating of Line Pipe
No ratings yet
Exhibit A-Coating of Line Pipe
12 pages
Sbi Yono FINAL PROJECT
No ratings yet
Sbi Yono FINAL PROJECT
46 pages
Organizing Technical Activities
No ratings yet
Organizing Technical Activities
16 pages