Cloud Security Alliance CCZT - Certificate of Competence in Zero Trust (CCZT)

In Zero Trust Architecture, collecting logs from various sources is vital for supporting security investigations, creating comprehensive dashboards, and making informed policy adjustments. By maintaining integrity-protected logs of all security-related events and proofs, organizations can analyze patterns, detect anomalies, and respond to incidents more effectively. This continuous logging and analysis support the Zero Trust principle of never assuming trust and always verifying, enabling a dynamic and responsive security posture that can adapt to emerging threats and changing conditions​​.

The rule-based security policies configured on the Policy Decision Point (PDP) are designed to define rules that specify how information can flow within an organization's network. These rules are integral to implementing the principle of least privilege and ensuring that data is accessed only by authorized entities under strict conditions. By controlling information flow, the PDP helps in mitigating the risk of data breaches and unauthorized access, reinforcing the Zero Trust model's emphasis on stringent access control and continuous verification of trust.

ABAC is an access control method that uses attributes of the requester, the resource, the environment, and the action to evaluate and enforce policies. ABAC allows for fine-grained and dynamic access control based on the context of the request, rather than predefined roles or privileges. ABAC is suitable for SaaS and PaaS, where the features within a service may vary depending on the customer’s needs, preferences, and subscription level. ABAC can help implement ZT by enforcing the principle of least privilege and verifying every request based on multiple factors.

References =

Attribute-Based Access Control (ABAC) Definition

General Access Control Guidance for Cloud Systems

A Guide to Secure SaaS Access Control Within an Organization

In a ZTA, a policy decision point (PDP) is a logical component that evaluates the incoming signals from an entity requesting access to a resource against a set of access determination criteria, such as identity, context, device, location, and behavior1. A PDP then makes a decision to grant or deny access, or to request additional information or verification, based on the policies defined by the policy administrator1. A policy enforcement point (PEP) is a logical component that uses the incoming signals from the PDP to open or close a connection between the entity and the resource1. A PEP acts as a gateway or intermediary that enforces the decision made by the PDP and prevents unauthorized or risky access2.

References =

Zero Trust Architecture | NIST

Policy Enforcement Point (PEP) - Pomerium

The ZT tenet of assume breach is based on the notion that malicious actors reside inside and outside the network, and that any user, device, or service can be compromised at any time. Therefore, ZT requires continuous verification and validation of all entities and transactions, and does not rely on implicit trust or perimeter-based defenses

A critical product of the gap analysis process is the implementation’s requirements, which are the specifications and criteria that define the desired outcomes, capabilities, and functionalities of the ZTA. The implementation’s requirements are derived from the gap analysis, which identifies the current state, the target state, and the gaps between them. The implementation’s requirements help to guide the design, development, testing, and deployment of the ZTA, as well as the evaluation of its effectiveness and alignment with the business objectives and needs.

References =

Zero Trust Planning - Cloud Security Alliance, section “Scope, Priority, & Business Case”

The Zero Trust Journey: 4 Phases of Implementation - SEI Blog, section “Second Phase: Assess”

Planning for a Zero Trust Architecture: A Planning Guide for Federal …, section “Gap Analysis”

ZTA models in terms of access decisions are based on the principle of “never trust, always verify”, which means that each access request is handled just-in-time by the policy decision points. The policy decision points are the components in a ZTA that evaluate the policies and the contextual data collected from various sources, such as the user identity, the device posture, the network location, the resource attributes, and the environmental factors, and then generate an access decision. The access decision is communicated to the policy enforcement points, which enforce the decision on the resource. This way, ZTA models apply a consistent access model throughout the environment for all assets, regardless of their location, type, or ownership.

References =

Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2

What Is Zero Trust Architecture (ZTA)? - F5, section “Policy Engine”

Zero trust security model - Wikipedia, section “What Is Zero Trust Architecture?”

Zero Trust Maturity Model | CISA, section “Zero trust security model”

To respond quickly to changes while implementing ZT Strategy, an organization requires a mindset and culture of continuous risk evaluation and policy adjustment. This means that the organization should constantly monitor the threat landscape, assess the security posture, and update the policies and controls accordingly to maintain a high level of protection and resilience. The organization should also embrace feedback, learning, and improvement as part of the ZT journey.

References =

Certificate of Competence in Zero Trust (CCZT) prepkit, page 7, section 1.3

Cultivating a Zero Trust mindset - AWS Prescriptive Guidance, section “Continuous learning and improvement”

Zero Trust architecture: a paradigm shift in cybersecurity - PwC, section “Continuous monitoring and improvement”

ZTA uses micro-segmentation to divide the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. ZTA also uses encryption to protect data in transit and at rest from eavesdropping and tampering.