Zero Trust Implementation PDF
Document Details
Uploaded by CooperativeJacksonville
Nanyang Technological University
2023
Tags
Summary
This document is a study guide for a zero trust implementation training course. It provides information on zero trust training, security, and governance practices. It is an educational resource for security and governance professionals and outlines the course structure and learning objectives.
Full Transcript
The official location for SDP and Zero Trust Working Group is https://cloudsecurityalliance.org/research/working-groups/zero-trust/ Disclaimer Cloud Security Alliance designed and created this Zero Trust Training course study guide (the “Work”) primarily as an educational resource for security an...
The official location for SDP and Zero Trust Working Group is https://cloudsecurityalliance.org/research/working-groups/zero-trust/ Disclaimer Cloud Security Alliance designed and created this Zero Trust Training course study guide (the “Work”) primarily as an educational resource for security and governance professionals. Cloud Security Alliance makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment. Version Number: 20230822 © 2023 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org subject to the following: (a) the draft may be used solely for your personal, informational, noncommercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance. © Copyright 2023, Cloud Security Alliance. All rights reserved. ii About Cloud Security Alliance The Cloud Security AllianceSM (CSA) (www.cloudsecurityalliance.org) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Cloud Security Alliance harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. Cloud Security Alliance activities, knowledge and extensive network benefit the entire community impacted by cloud—from providers and customers, to governments, entrepreneurs and the assurance industry— and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA Address 709 Dupont St. Bellingham, WA 98225, USA Phone: +1.360.746.2689 Fax: +1.206.832.3513 Contact us: [email protected] Website: https://cloudsecurityalliance.org/ Zero Trust Training Page: https://knowledge.cloudsecurityalliance.org/page/zero-trust-training Zero Trust Advancement Center: https://cloudsecurityalliance.org/zt/ Provide Feedback: [email protected] CSA Circle Online Community: https://circle.cloudsecurityalliance.org/ Twitter: https://twitter.com/cloudsa LinkedIn: www.linkedin.com/company/cloud/security/alliance Facebook: www.facebook.com/csacloudfiles CSA CloudBytes Channel: http://www.csacloudbytes.com/ CSA Research Channel: https://www.brighttalk.com/channel/16947/ CSA Youtube Channel: https://csaurl.org/youtube CSA Blog: https://cloudsecurityalliance.org/blog/ © Copyright 2023, Cloud Security Alliance. All rights reserved. iii Acknowledgments Dedicated to Juanita Koilpillai, a pioneer in software-defined perimeters whose contributions to the Zero Trust Training and CSA are immeasurable. The Zero Trust Training was developed with the support of the Cloud Security Alliance Zero Trust Training (ZTT) Expert Group, whose members include volunteers from a wide variety of industries across the globe. Made up of subject matter experts with hands-on experience planning and implementing ZTT, both as cloud service consumers and providers, the ZTT Expert Group includes board members, the technical C-suite, as well as privacy, legal, internal audit, procurement, IT, security and development teams. From cumulative stakeholder input, the ZTT Expert Group established the value proposition, scope, learning objectives, and curriculum of the Zero Trust Training. To learn more about the Zero Trust Training and ways to get involved please visit: https:// cloudsecurityalliance.org/zt/ We would also like to thank our beta testers, who provided valuable feedback on the Zero Trust Training. Lead Developers: Clement Betacorne, CISSP, One Step Beyond Group, France Heinrich Smit, CISSP, CISA, CRISC, Semperis, USA Mark Schlicting, CISSP, CCSP, BPM, USA Michael Roza, CPA, CISA, CIA, MBA, Exec MBA, CSA Research Fellow, Consultant, Belgium Prasad T, OCSP, Head - Information Security, Verse Innovation, India Shruti Kulkarni, CISA, CRISC, CISSP, CCSK, ITIL v3 Expert, ISO27001 LA, 6point6, UK Contributing Editors: AJ (Alexander) Stein, NIST Ledy Eng, CISSP, CCSP, CCSK, CASP+, CySA+, Security+, Contractor - Undisclosed, Indonesia Richard Lee, CISSP, CCSP, WCP, MITRE, USA Robert Morris, CISSP, GDSA, GCIH, MITRE, USA Roland Kissoon, MBA, MSc, CCSK, CISSP, CRISC, CISA, PMP, Microsoft, USA Ross Kovelman, Merck © Copyright 2023, Cloud Security Alliance. All rights reserved. iv Expert Reviewer: Abbas Kudrati, Microsoft, Australia Adish Jain, Policybazaar, India Amit Butail, Wells Fargo, India Andy Radle, MITRE, USA Ashwini Siddhi, Threat Modeling Service Owner, Dell EMC, India Aunudrei Oliver, CISSP,CCSP,CWNE,CWDP,CCISO,CDPSE,CGEIT, CISCO, USA Charlie Soto, CISSP, CISM, CDPSE, CIAM, TOGAF, C|CISO, Mandiant Strategic Services (APJ) Now Part of Google Cloud, Thailand Chris Willman, MITRE, USA David Skrdla, CamGen Partners/American Fidelity, USA Donald Byers, Cisco Systems, Inc., USA Gustavo Vallejo, University in Peru, Peru Jaye Tillson, CCSK, MBA, Axis Security, UK John Kindervag, ON2IT Cybersecurity, USA Karthik Ramamurthy, KNEIP (Deutsche Börse Group), India Madhav Chablani, India Matt Lee, CISSP, CCSP, CCSK, CFR, Pax8, USA Matt Meersman (Dr.), MITRE, USA Michael Herndon, CCSP, CISSP, CRISC, CGEIT, CIPP/US, CIPT, AWS Certified Solution Architect, Bayer Business Services, USA Naresh Kurada, Deloitte, Canada Philip TM Pearson, Aqua Security Software Inc., UK Reto Kaeserm, Astarios, Switzerland Roeland van Zeijst, Dutch National Police, Netherlands Ron Kearns, SCF, CISSP, CCSP, GCSA, Charter Communications, USA Ron Martin (Dr.), PhD, CPP, Capitol Technology University, USA Sakthiswaran Rangaraju, Pure Storage, USA Shain Singh, F5, Australia Shinesa Cambric, Microsoft, USA Sky Hackett, CISSP, CISA, Amazon Web Services, USA Vani Murthy, CISSP, CDPSE, CCSK, CRISC, PMP, ITIL, MBA, MS, Akamai Technologies, USA CSA Staff: Adriano Sverko, Cloud Security Alliance, USA Anna Campbell Schorr, MBA, CCSK, Cloud Security Alliance, USA Chandler Curran, Cloud Security Alliance, USA Daniele Catteddu, CISM, Cloud Security Alliance, Italy Hannah Rock, Cloud Security Alliance, USA Noelle Sheck, Cloud Security Alliance, USA Stephen Smith, Cloud Security Alliance, USA © Copyright 2023, Cloud Security Alliance. All rights reserved. v Table of Contents About Cloud Security Alliance iii Acknowledgments iv List of Figures viii Course Introduction 1 Course Structure 1 1 Continuing the ZT Journey 1 1.1 Training Assumptions 2 2 ZT Project Implementation Considerations 3 2.1 Gap Analysis Report 3 2.2 Aligning Information Security Policies with ZT 3 2.3 Migration From Existing Architectures to ZTA 4 2.4 Managed Service & In-House Implementation 4 3 Implementation Preparation Activities 5 3.1 Defining ZT Project Deliverables 5 3.2 Communicate ZT Change to Users 6 3.3 Create an Implementation Checklist 6 3.3.1 Organization’s Governance 6 3.3.2 Compliance 7 3.3.3 Risk Management 7 3.3.4 Operational Requirements 7 3.3.5 Visibility & Analytics Integration 7 3.3.6 Vulnerability Scanning & Patch Management 8 3.3.7 Change Management Process 8 3.3.8 Problem Management Process 9 3.3.9 Incident Management 9 3.3.10 Business Continuity Planning & Disaster Recovery 9 3.3.11 Training & Awareness Programs 9 4 ZT Target Architecture Implementation 10 4.1 Zero Trust Pillars & Cross-Cutting Capabilities 12 4.1.1 Identity 14 4.1.1.1 PDP Identity 15 4.1.2 Applications & Workloads 15 4.1.3 Networks & Environments 15 © Copyright 2023, Cloud Security Alliance. All rights reserved. vi 4.1.3.1 Initial Client Authentication Request 16 4.1.3.2 Authentication Request/Validation Request 17 4.1.3.3 Decision Transmission 17 4.1.3.4 Session Establishment or Termination 17 4.1.3.5 Micro-Segmentation 17 4.1.3.6 PEP Installation & Access Configuration 18 4.1.4 Data 18 4.1.5 Devices 19 4.1.5.1 Deploying Agent-Based Access 19 4.1.5.2 Deploying Agentless Access 20 4.1.6 Visibility & Analytics 20 4.1.7 Automation & Orchestration 20 4.1.8 Governance 21 4.1.8.1 ZT Policies 21 4.2 Transaction Flow Architecture Review 22 4.2.1 Transaction Flow Mapping 22 4.2.2 Converting Flow Maps to Transaction Lists 23 4.3 Testing 24 4.4 Continual Improvement 25 4.5 Project Closure 25 Conclusion 26 Glossary 26 Acronym List 27 © Copyright 2023, Cloud Security Alliance. All rights reserved. vii List of Figures Figure 1 General ZTA Reference Architecture 11 Figure 2 Zero Trust Maturity Evolution 12 Table 1 Implementing ZT Across Pillars & Cross Capabilities 13-14 Figure 3 Enclave Gateway Model 16 Figure 4 Transaction Inventory 23 Table 2 Transaction Configuration Management Inventory 24 © Copyright 2023, Cloud Security Alliance. All rights reserved. viii Course Introduction Welcome to Zero Trust Implementation by Cloud Security Alliance (CSA). This training module is part of a larger series titled Zero Trust Training (ZTT). It builds upon and extends the concepts discussed in the CSA Zero Trust Planning1 and Introduction to Zero Trust Architecture2 courses. In this course, learners get an in-depth look at the crucial facets of Zero Trust (ZT) implementation, from creating project kick-off documents and disaster planning, to setting up the network environment, deploying agents to devices, and adding automation. Course Structure This course consists of four units, each geared towards gaining increased competency in the following topics: 1. Continuing the ZT journey 2. ZT project implementation considerations 3. Implementation preparation activities 4. ZT target architecture implementation Course Learning Objectives After completing this course, learners will be able to: Identify the assumptions and considerations for continuing the ZT journey Explain the main ZT project implementation preparatory activities Outline Zero Trust Architecture (ZTA) implementation steps Leverage ZT pillars and cross-cutting capabilities to define and prioritize implementation tasks Visualize and document security workflow architecture using transaction flow diagrams and tables Design testing procedures that can be repeated and generate audit trails Define success criteria and review the success of ZT implementation 1 Continuing the ZT Journey Before we jump into the content of the Zero Trust Implementation course, let’s recap a few key points that we already addressed in the Zero Trust Planning3 module. The ZT project plan is the roadmap that serves as the team’s checklist to implement this plan. 1 https://knowledge.cloudsecurityalliance.org/zero-trust-planning 2 https://knowledge.cloudsecurityalliance.org/introduction-to-zero-trust-architecture 3 https://knowledge.cloudsecurityalliance.org/zero-trust-planning © Copyright 2023, Cloud Security Alliance. All rights reserved. 1 The Zero Trust Planning module covered: Starting the ZT journey Planning considerations Scope, priority, and business case Gap analysis Defining the protect and attack surfaces Documenting transaction flows Defining ZT policies Developing a target architecture Before diving into implementation of ZT, it’s important to set the stage and make some general assumptions, which we cover in the next section. This is due to the varying types of industries and companies that exist; there isn’t enough room in this course to delve into all the specifics for each industry, such as healthcare, finance, or energy. 1.1 Training Assumptions This training assumes that the learner reviewed and understood the preceding Zero Trust Trainings (ZTT): Introduction to Zero Trust Architecture and Zero Trust Planning. Together, they form a body of work, including defining ZTA, ZT pillars (Identity, Devices, Networks, Applications and Workloads, and Data), and ZT cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, and Governance). For this training, our ZT implementation is designed around the ZT pillars and ZT cross-cutting capabilities, defined in the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model4. Additionally, this training assumes the student knows and understands basic software project management and can create a project plan for implementation. Let’s quickly review the main ZT project management implementation steps we have already covered: 1. Project organization (covered in Zero Trust Planning): A company defines the protect surfaces and priorities, determines what objectives must be met and by whom, and identifies the steering committee. 2. Project design (covered in Zero Trust Planning): The project team maps the transaction flow, defines the ZT policies, and designs the ZT environment. 3. Implementation (covered in Zero Trust Implementation): During ZT implementation, the solution is set up and documented. Frequent status updates are needed for the project manager and the steering committee to ensure the project is on time and within budget. During this phase, the security team also creates a plan to monitor and maintain the ZT policies and network. 4. Testing (covered in Zero Trust Implementation): After implementation, various types of tests are run to prove acceptance criteria are met. These can be classified as systems readiness testing (SRT) and operational readiness testing (ORT). Lastly, given the comprehensive, enterprise-wide scope of ZT, implementations are usually 4 CISA. (2023). Zero Trust Maturity Model (Version 2.0). © Copyright 2023, Cloud Security Alliance. All rights reserved. 2 incremental and iterative (as opposed to entirely new or cut-over implementations). In alignment with project management practices, this course refers to a single iteration of implementation as a project, and a collection of implementation projects pertaining to the ZTA goal and scope as a program. The following unit will discuss the ZT project implementation tasks that should be considered before beginning your implementation preparation activities. 2 ZT Project Implementation Considerations Before implementing ZT, a list of tasks and requirements should be considered: The gap analysis report should be consolidated and approved by stakeholders. Organizational security policies must include ZT-related security objectives. Migration from existing architecture to ZTA requirements needs to be addressed. Stakeholders must determine what part of ZT implementation will be done in-house. 2.1 Gap Analysis Report5 When you are ready to implement ZT, let’s revisit the gap analysis your organization put together during the planning phase (see ZT Planning). Simply put, a gap analysis looks at what you have and compares it to what you need, reminding you to focus on each individual protect surface. By looking at each protect surface and what needs to be done, you can prioritize accordingly and start with your ZTA implementation–one protect surface at a time. This makes implementing ZT much more manageable than trying to do it all at once. The gap analysis report identifies the steps needed to build a target ZTA, which should be prioritized and agreed upon by stakeholders who must coordinate their alignment with the ZT plan and its associated pillars and cross-cutting capabilities. For instance, those concerned with the Identity pillar might identify a security control missing from authentication and opt to introduce multi-factor authentication (MFA) as an appropriate measure to bridge the gap in authentication requirements. In a later section, we delve further into the details of ZT pillars and cross-cutting capabilities. 2.2 Aligning Information Security Policies with ZT It is important to understand how information security policies connect with ZT principles. ZT is a concept that helps organizations strengthen their security measures. When you align ZT with information security policies, you need to consider the risks that ZT addresses and the security requirements of its core pillars. By considering these factors, you can develop stronger policies that enhance your organization’s security posture. 5 Learn more about “Gap Analysis” here: https://knowledge.cloudsecurityalliance.org/zero-trust- planning © Copyright 2023, Cloud Security Alliance. All rights reserved. 3 Let’s take the example of the ZT Identity pillar. To ensure alignment, you should examine your organization’s identity and access management policies, procedures, and processes. Check if all the necessary elements, like the access control review procedure, are in place. If any of these elements are missing, or if ZT requires additional procedures, you may need to create new ones or make changes to existing ones. 2.3 Migration From Existing Architectures to ZTA To effectively implement a ZTA, it’s crucial to clearly understand the project scope and communicate it effectively with your team. This includes determining whether we are implementing an entirely new architecture or migrating from an existing one. In this training, we assume that ZTA will be implemented in an already-existing environment with controls, whether on-premises, hybrid, or in a cloud-only scenario. To successfully achieve the desired ZTA, assessing the impacts and requirements of the technology involved is essential. When evaluating the architecture for any technology gaps, the team should consider the following: Weighing the benefits and costs of introducing new technologies versus collaborating with existing vendors to enhance their product or service capabilities Finding ways to simplify the environment if it becomes overly complex, aiming for a more streamlined approach Moving beyond simply replacing technology, but instead advancing capabilities in a manner that aligns with the organization’s goals and growth path By considering these factors, you’ll be better equipped to make informed decisions, ensure a successful ZTA implementation, and avoid unnecessary complexity. Similar considerations apply in IT environments that have not yet implemented ZT; however, these systems have fewer dependencies on existing business systems and can be implemented more quickly. When the ZT system or modifications are operational, existing (and now redundant) systems should be decommissioned. This training applies to both situations. 2.4 Managed Service & In-House Implementation ZTA is a combination of in-house and managed services. In-house implementation can be achieved internally by leveraging teams, such as InfoSec, identity and access management (IAM), and infrastructure, with possible contributions from specialized implementation consultants. A managed services approach includes various vendors that can provide solutions designed to support ZT strategies. While your team may strive to keep the implementation of ZTA in-house, there will always be a level of shared responsibility that needs to be orchestrated and considered. © Copyright 2023, Cloud Security Alliance. All rights reserved. 4 To choose the best method, the following list identifies some considerations for ZTA implementation planners: Cost/benefit Capability Resource availability and your organization’s skill-set availability Support Shared responsibility Policy Proof of concept and business proposal 3 Implementation Preparation Activities Although we previously discussed implementation preparation in Zero Trust Planning, we summarize some essential kick-off activities here: Define ZT project deliverables Communicate ZT changes to users Create an implementation checklist 3.1 Defining ZT Project Deliverables Prior to starting the ZT implementation, the overarching ZT project team must build some common deliverables that apply across the entire organization (or in-scope target architectures, if the scope is narrower than organization-wide) for each ZT pillar. By doing this with an agile approach, you can work quickly and efficiently, especially in areas that incorporate new automation or involve the development team. Due to the high likelihood that third-party stakeholders will be involved, use waterfall-based project planning models to help you develop milestones, where partial payments can be made for the percentage of work completed. Ideally, all pillars and cross-cutting capabilities should be worked on simultaneously while following the five-step process6 outlined in the Zero Trust Planning training: Define the protect surface Map the transaction flows Build a ZTA Create a ZT policy Monitor and maintain the network 6 NSTAC. (2022). NSTAC Report to the President on Zero Trust and Trusted Identity Management. © Copyright 2023, Cloud Security Alliance. All rights reserved. 5 3.2 Communicate ZT Change to Users All-hands meetings should be held on a regular cadence to ensure everyone is aware of the collective progress when it comes to implementing ZT pillars. Moving forward, ensure users are informed about upcoming operational changes, such as bringing in a new external consultant or introducing a cloud-based service. Communicating the exposed assets and their priority level will help with the successful adaptation of the ZT solution. Changes to workflows should be communicated early, which has these and other benefits: Teams can plan for any adoption impacts Implementation teams can reach out to the group to ensure that testing covers all use cases Impact on infrastructure access during vital deliveries or engineering cycles can be minimized 3.3 Create an Implementation Checklist Before kicking off the implementation, create a checklist of milestone activities that maps, where appropriate, the changes required. The list should include changes that will need to be made to: Organization’s governance Compliance Risk management Operations and maintenance Visibility and analytics Incident management Change management Vulnerability and patch management Problem management Business continuity planning (BCP) and disaster recovery (DR) Training and awareness 3.3.1 Organization’s Governance ZT will likely require an update to the organization’s governance approach and organizational policies, procedures, guidelines, and security controls. As the organization implements a ZTA, governance practices will guide the implementation functions, activities, and outcomes. The organization’s senior leadership will rely on the technical expertise of functional technicians to develop and implement security controls that involve input validation, session management, and password storage. Integration examples of these controls are authentication, authorization, cryptography, input validation, output encoding, auditing and logging, and monitoring and alerting. Organizational governance assures sound stewardship of resources throughout the implementation process. © Copyright 2023, Cloud Security Alliance. All rights reserved. 6 3.3.2 Compliance When implementing ZT, it’s crucial to remember that existing change control processes, compliance, and auditing requirements are followed, even if changes are needed. Whenever an information system within the scope of ZT undergoes changes, it’s essential to follow established change control processes to ensure compliance. As you keep working on implementing and refining your ZT approach, brace yourself for future laws, standards, rules, and regulations likely to impose more stringent requirements on ZT. Keep a keen eye out for changes in the compliance landscape as governments and organizations increase their insistence on security. 3.3.3 Risk Management The implementation of a ZT strategy can change an organization’s risk posture and risk management approach. To respond quickly to changes in the risk landscape, organizations must have a culture of continuous risk evaluation and policy adjustment. This means that the existing risk analysis and assessment process should include the following elements: An assessment frequency that allows for the rapid identification of new risks and new threats Metrics (tailored to the organization’s networking trends), which are easy to spot in reports and monitoring tools, and that should also be able to send out alerts in extreme cases Data from various sources should be pooled together for more useful analysis 3.3.4 Operational Requirements Operational or business-as-usual requirements promulgated by one or several departments will impose conditions or restrictions on ZT. To ensure that the ZT implementation stays within budget and on schedule, it is important to be prepared by identifying these processes and requirements before the start of an implementation. For example, integration between ZT automation and a configuration database must be agreed-upon and then installed and tested to ensure the operational readiness of agents or API calls. 3.3.5 Visibility & Analytics Integration Log management and monitoring of cyber events drive visibility, which in turn supplies analytics that ‘inform policy decisions, facilitate response activities and build a risk profile to develop proactive security measures7. For logs to be useful and to provide value when monitored, the following needs to be identified: Log scoping: for example, domain name system (DNS) logs, network address translation (NAT) logs, and intrusion detection systems/intrusion prevention systems (IDS/IPS) Log sources: for example, the identity provider (IdP), policy enforcement point/policy decision point (PEP/PDP) 7 CISA. (2023). Zero Trust Maturity Model (Version 2.0). April 2023, page 11. © Copyright 2023, Cloud Security Alliance. All rights reserved. 7 Security events that need to be monitored: for example, failed authentication requests Anomalies that need to be detected: for example, five failed authentications within five minutes Correlation rules to identify threats or potential threats: for example, an identity that drops a production database is deleted Dashboards for visualization of logs: for example, a dashboard that shows privileged activities carried out by all administrators Monitoring: for example, continuous monitoring of any network connections made to a known command-and-control Alerting: for example, using emails, SMS, security information and event management (SIEM), or security orchestration, automation, and response (SOAR) The above planning and design ensures that your implementation team leverages all log sources, collects and sends security events to SIEM, and identifies SIEM interfaces (e.g., add-on applications, API calls, and event collectors). These activities prevent mishaps caused by implementers scrambling to get these interfaces together during the implementation phase. 3.3.6 Vulnerability Scanning & Patch Management While vulnerability scanning and patch management are standard IT practices, ZT acts as a control gate to ensure all systems are patched and business operations can only be performed on a patched system. Identifying the vulnerability scanning and patching requirements for components, such as IdP or PEP, of ZT implementation ensures that implementation services become part of the existing patching process that the organization has. By identifying vulnerability checks and tests, wherever possible, your organization can continue to work quickly and harvest all the benefits of technology without leaving the organization vulnerable to a hack. By identifying patching requirements, you can build patching checkpoints that monitor for unpatched or vulnerable software components within your environment and ensure all components are kept up to date. It may also assess the current security status of an operating system or application, identifying any available patches and upgrades, testing these to ensure compatibility with existing applications, implementing necessary updates, and monitoring for successful patch installation. The absence of vulnerability scanning and patch management may defeat the very purpose of implementing ZT because a vulnerability may diminish the objective of authentication before authorization. 3.3.7 Change Management Process ZT needs to be included in the change management process. During this activity, it is important to design and track separate workflows for: A service request A change request For example, the onboarding of a device can be treated as a service request. However, adding a policy to the PEP, also known as a gateway, may be treated as a change request. Suppose a change © Copyright 2023, Cloud Security Alliance. All rights reserved. 8 request is needed because an unforeseen gap has been found during the ZT implementation. This change may require an emergency budget, developer- or engineering-based redesign, or consulta- tion from a third party. This type of change may need modifications to the code, the network, or the environment and will need to be queued into the problem management process. 3.3.8 Problem Management Process ZT should be integrated into the organization’s problem management process to address any recur- ring incidents, future incidents, and methods for reducing the impact of incidents that cannot be prevented. Problem management processes should cover problem detection, problem logging, error control, and root cause analysis, to name a few. 3.3.9 Incident Management Incident management is focused on addressing incidents in real-time and may need to be revised based on the changes the ZT approach will bring to the organization. As part of this, the ZT imple- mentation team needs to define what constitutes a security incident in a ZT solution and what con- stitutes a significant security incident. The team also needs to identify the list of people that must be contacted in the event of a significant incident, along with their contact info. 3.3.10 Business Continuity Planning & Disaster Recovery BCP and DR are important processes that should be aligned with ZT implementations. As ZT deals with access to resources to carry out IT activities, existing access processes may not work as ex- pected due to ZT implementation activities. Business continuity activities should be planned during implementation such that disaster recovery can be addressed during this phase. 3.3.11 Training & Awareness Programs New technologies, architectures, and solutions introduce new workflows and ways of working. While preparing for ZTA implementation, it is important to keep training requirements in focus. An imple- mentation solution will be productive and effective if assigned teams are comfortable using it, which comes from regular training and awareness-building. To do this, list all ZT implementation training and awareness programs that need to be scheduled. Also, identify the frequency at which the programs need to be scheduled. This will help organize and budget training. While the details will vary, depending on what the implementation entails and the nature of your organization, training requirements may be categorized into two groups: Business and operational goals Technical goals © Copyright 2023, Cloud Security Alliance. All rights reserved. 9 Business and operational goals include items, such as: Training and awareness that publicizes the ZT implementation business goals Building awareness about responsibilities, such as the budget owner, asset and process owner, legal team, architects, security team, and IT team Training architects Training support personnel Training for risk managers and compliance officers Training to understand new forthcoming operational processes, such as change management, incident management, BCP drills, and so on Technical goals include items, such as: Enrolling endpoints to ZT architecture Creating and maintaining policies PEP and PDP maintenance Creating and maintaining micro-segmentation Maintaining identity provider services and databases by working with identity creation, access control reviews, and suspension of identities belonging to offboarded employees Feedback should be obtained during these training sessions so that updates can be made to the training and awareness program. 4 ZT Target Architecture Implementation We have just explored a series of milestone activities that must be reviewed and considered to support a ZT target architecture implementation. With the above objectives in mind, this section will explore the following implementation themes: ZT helps in reducing access related compromises by authenticating and validating the access request. Organizations must have the right personnel and systems to monitor suspicious activity and policy violations. Integrate ZT testing efforts into the cybersecurity program and promote collaboration between departments to ensure the organization maintains secure operations. Prioritize risk management, review transaction flows, continual improvement, and project closure. Imagine a real-life scenario: We have planned and prepared the following ZT reference architecture, as shown in the diagram below.8 8 Note: Please refer to CSA trainings: Introduction to Zero Trust Architecture and Zero Trust Planning for a review of the components depicted in this diagram and their respective functions. These components are also defined in CSA’s Cloud Security Glossary. © Copyright 2023, Cloud Security Alliance. All rights reserved. 10 Figure 1: General ZTA Reference Architecture9 This diagram captures the flow of operations when the subject accesses a resource. When a valid subject wants access to a resource, the request is initiated from the endpoint to the PEP in the following steps: 1. An initial client authentication request is sent from an endpoint to the PEP. NOTE: The operation may repeat based on the identified ZT requirements. 2. Information required to verify the subject and endpoint is collected by the PEP and shared with the PDP. 3. The PDP validates the device and subject authentication. At the final, advanced stages of ZTA implementation, this point can be integrated with various policy information point (PIP) solutions and technologies. If the validation succeeds, the PDP decides on the type or level of authorization needed. 4. The PDP informs the PEP about the authentication status for the connection and authorization details if obtained. 5. The session established to check a user’s credentials or endpoint is now terminated. The established sessions will undergo periodic validations and terminate per the predefined rules. It is important to note that this flow of operations is separated by the control and data plane. The control plane decides the path for sending packets or frames and directs how these packets should be forwarded. The data plane is where the action takes place; it’s all about the functions and processes that move those packets from one interface to another. Having discussed the ZTA reference architecture above, let us dive into the ZT pillars and cross- cutting capabilities with the intent of studying their attributes in more detail. This will help us better design the ZT implementation across all pillars and cross-cutting capabilities. 9 Figure adapted from: NIST. (2022). Implementing a Zero Trust Architecture (SP 1800-35B). Second preliminary draft. © Copyright 2023, Cloud Security Alliance. All rights reserved. 11 4.1 Zero Trust Pillars & Cross-Cutting Capabilities One way ZTA implementation can be coordinated is within and across the ZT pillars and cross- cutting capabilities. As ZT functions are added, each pillar should mature and evolve from the traditional level at the start to the optimal level as you near the final implementation phases. Figure 2: Zero Trust Maturity Evolution10 As displayed above, the five ZT pillars are: Identity Devices Networks Applications and Workloads Data Cutting across these pillars are capabilities, referred to as cross-cutting capabilities, that improve at every maturity level and interact with each pillar: Visibility and Analytics, primarily by aggregating output Automation and Orchestration Governance, by introducing governance and compliance software In some diagrams (i.e., from the US Department of Defense11), the cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, and Governance), are depicted as foundational pillars. This representation emphasizes the significance of incorporating these capabilities into the implementation process as they assist in defining objectives for the five pillars. 10 Figure adapted from: CISA (2023). Zero Trust Maturity Model (Version 2.0). 11 U.S. Department of Defense. (2022). DoD Zero Trust Strategy. © Copyright 2023, Cloud Security Alliance. All rights reserved. 12 Before covering each pillar and cross-cutting capability in depth, the relevant attributes for each pillar and cross-cutting capability should be identified and defined, as noted in the following table. Pillar Pillar Attribute Notes P Identity Identify all the identities that are This should be treated as required to be part of the ZTA infrastructure components Identify the identities that requireaccess to the protect surface Define permissions for identities according to least privilege using custom roles (a group of individual permissions) and assigned to a role (group), except in situations where access may be restricted to a single service account or other non-human identity Monitor modification/drift for the membership in the role/group as well as the individual permissions associated in the custom role P Devices Identify all devices that need to be enrolled Identify business & security applications running on devices P Networks Identify the necessary macro- Micro-segmentation between hosts segmentation in data centers& within the: micro-segementation VLAN VPC CNet P Application & Identify your applications and Workloads workloads that exist in your on- prem or cloud infrastructure P Data Identify data sources that are part of your protect surface Identify transaction flows C Visibility & Identify the registry (logs) Analytics repository in all entities (users/ identities, devices/endpoints, network and environment, and applications and workload) Identify the external data that you need to enrich the visibility Identify the parameters you need to monitor the performance, behavior, and activity of the ZT deployment © Copyright 2023, Cloud Security Alliance. All rights reserved. 13 C Automation & Identify the security operations to Orchestration perform when a policy allows or denies actions Identify the standards that support the security and non-security technologies to communicate with others Identify the conditions and technologies of the security playbooks C Governance Identify the governance structure that ZTrequires Policies and procedures Organizational security policies: Identify the information security policies that ZT deployment needs to adhere to Controls Identify the security controls that need to be applied to the devices, network, applications and workloads, and data This should not be confused with the transaction flow controls Identify the controls to be implemented across the user agent, such as authentication, authorization and various other aspects Identify the rule-based access policies that are part of the PDP, also referenced as the controller, and have been identified in the planning session Risk management Identify the risk managment requirements Compliance Identify the risk compliance requirements Table 1: Implementing ZT Across Pillars & Cross Capabilities Now that we have seen overviews and attribute summaries of the pillars and cross-cutting capabilities, the remainder of this unit will discuss implementation-specific details and considerations that tie these to executing the implementation. 4.1.1 Identity Identity is the pillar involving authentication and authorization, including privileged access management (PAM). Effective use of identity as a data source will include centralized directories (as © Copyright 2023, Cloud Security Alliance. All rights reserved. 14 well as related onboarding strategies) and federation between enterprises. The rules and validations related to identity are implemented at the PDP, where a predefined IdP provides user management and other validations, such as risk assessments and device posture validations. The IdP can be within the enterprise or external to the enterprise (e.g., as a SaaS application). When the IdP is within the organization’s network, the PDP can reach the IdP through the PEP. 4.1.1.1 PDP Identity PDP users that monitor and manage the PDP–we can call them PDP admins–must create policies and perform maintenance on the ZTA at the control plane. To reduce the impact radius of potential cyber- attacks, each of these PDP administrators, and any other user with elevated permissions, needs at least two identity profiles: One for their day-to-day activities, such as reading emails, surfing the web, or using the ticketing system. This primary identity should hold no elevated entitlements or roles. Another is for elevated access, such as ZTA management permissions (for creating ZT and software- defined perimeter [SDP] policies, applying patches–often automated with a PAM system, and reading logs). 4.1.2 Applications & Workloads Imagine that the ZT implementation team tasked with determining the organization’s current state has identified the IPs, applications, and workloads during the planning phase (see Zero Trust Planning). To satisfy access needs, these elements should be configured and organized separately at a PDP (also referred to as a controller) for onboarding, and it should be organized based on access needs. This will require centralized authentication, authorization, and monitoring, as well as segmentation of application groups. Policies are defined at the policy administrator level to provide the high-level access needed for these assets. At the traditional stage, access needs are often organized by job function or role. This should be revamped as ZTA implementations mature through the stages; traditional, initial, advanced, and optimal, and permissions and work should instead be organized according to access needs, enabling efficient organization based on security policies. 4.1.3 Networks & Environments To ensure the security of networks and environments from malicious actors, unauthorized visibility, and unauthorized access, organizations should embrace ZTA security best practices. These include identity-based policies, session establishment and termination, micro-segmentation, installation of PDPs (to validate authentication) and PEPs (access configuration and enforcement decisions), as well as redundant PEPs for failover and load balancing so that services can be continued even if one component fails. The ZTA diagram below summarizes one way to structure the various security components, dividing them between what is handled in the control plane versus what is handled in the data plane. © Copyright 2023, Cloud Security Alliance. All rights reserved. 15 Figure 3: Enclave Gateway Model12 To assist in fulfilling the goals of this pillar, break down the network and environment considerations into these six types of network signals, which we discuss in more detail in the remainder of this section: Initial client authentication request reaching from agent to PEP Authentication request validation request (AR/VR) from PEP to PDP Decision transmission from PDP to PEP Session establishment and termination from client to resources Micro-segmentation PEP installation and access configuration 4.1.3.1 Initial Client Authentication Request Establishing a secure connection between the application and server is essential to ensure mutual authentication. This ensures that both parties are verified before communicating with applications with sensitive data access. To initiate client authentication safely for PEP, you should: Position the PEP at the network perimeter while keeping other components, such as PDP and resources, on separate network segments Ensure that the agent can send the initial authentication request to PEP which will, in turn, forward the request to PDP Configure an encrypted channel for authentication request transmission Building ZTA with user-agent-initiated access at PDP for user authentication is also possible. 12 Figure adapted from: NIST. (2020). Zero Trust Architecture (SP 800-207). © Copyright 2023, Cloud Security Alliance. All rights reserved. 16 4.1.3.2 Authentication Request/Validation Request AR/VR is an important part of ZTA. AR/VRs help ensure that only authorized requests can be processed and approved by authorized entities, helping to prevent identity spoofing and other malicious activities. The user agent can securely share their credentials with the PEP, which will be forwarded to the PDP for validation. The PDP then verifies the user or subject’s credentials and initiates an additional MFA process. Once verification is complete, the authorization data is shared with the PEP. To ensure secure communication between the PEP and PDP, network access should be configured to allow for incoming and outgoing transmissions only between these two parties. Additionally, authentication and a secure channel of communication should be established. 4.1.3.3 Decision Transmission Decision transmission is an essential component of ZTA, as it enables the PDP to make an informed decision about access based on user- and context-based information. This ensures that users are granted only the least amount of access required to perform their job duties, protecting data from unauthorized access. To ensure secure transmission of data between the PDP and the PEPs, you must: Configure your network access to accept incoming and outgoing transmissions from only the PDP and PEPs Set up authentication between the two Perform periodic re-authentication challenges Doing so will help to guarantee that data is kept safe and secure. 4.1.3.4 Session Establishment or Termination To ensure secure access to their network, organizations must establish and terminate client sessions in a way that verifies the identity of clients, validates session data, and prevents person-in-the- middle attacks. Session termination is particularly important for businesses that allow privileged professionals such as company directors or medical doctors to log on from any machine within the work environment. To properly establish and terminate client sessions requesting resources, organizations should: Configure their PEPs to respond only to the initial authentication request Manage client sessions according to the authorization decided by the PDP 4.1.3.5 Micro-Segmentation Micro-segmentation is a key component of ZTA solutions, which helps improve network security and simplify its management. Instead of creating multiple rules based on addresses, identity-based policies can be used to secure segments effectively. It is achieved by dividing resources into several © Copyright 2023, Cloud Security Alliance. All rights reserved. 17 distinct network segments using either network devices, such as switches and routers, or by using host-based micro-segmentation with software agents and endpoint firewalls. The security gateway then grants access based on authorization obtained from identity attributes and must be managed to act as a PEP for protecting resources from unauthorized access. The ultimate aim of micro-segmentation is to establish boundaries between resources within the same network zone and ensure that only authorized entities have access to secured assets. 4.1.3.6 PEP Installation & Access Configuration Once the PEP is installed, the following checks should be conducted to improve the security stack which already supports ZT, such as port knocking and single packet authorization (SPA) for obfuscation: assess the accessibility of the device to both the PDP and endpoints at the edge of the network. The following checks can be done once the PEP is installed: PEPs should be able to enforce the identified authorization for access based on the policies defined at the PDP Ensure the PEP receives policy updates from the PDP/policy engine (PE) User endpoints at each in-scope location are able to reach the PEP through the network Ensure all in-scope PEPs and data feeds are integrated Establish redundant PEPs of the same kind for failover and load balancing based on scale and requirements. Similar to running a next-generation firewall (NGFW) in high availability mode, this ensures that if one PEP component fails, a second one will take over It is important to continuously monitor the network for suspicious activity and regularly review access controls to ensure that your system’s security remains intact. 4.1.4 Data An important part of the protect surface is data (along with other resources). All data (not just information) can be better protected with a ZT implementation because ZT mandates that access decisions be made as close to the resource as possible. To apply ZT to data, it is necessary to discover, inventory, categorize (or label), and control data. The implementations that are part of the Data pillar are done at the PDP. Using the data inventory to identify where data is located, the identity store to identify those who need access to it, and the PDP to define transaction flows for authentication and authorization of access, organizations can ensure that the necessary security measures are in place. Logs from the PDP and PEP should be shipped to a SIEM to maintain visibility for granted accesses. This allows organizations to understand better who has access to which data and when. Ultimately, this helps them maintain the security of their data and protect their data from any potential misuse. © Copyright 2023, Cloud Security Alliance. All rights reserved. 18 4.1.5 Devices ZT can be implemented or enabled for any device in an organization. These include but are not limited to PCs, servers, mobile devices, and any OT or IoT device, to name a few. The scope for supported devices is predefined in the planning. The architecture implementation can take one of two forms: 1. Agent-based access: when a software client is installed onto the device. This sometimes encompasses other features besides the ZT agent, bundling traditional endpoint security with productivity tools or business apps; or 2. Agentless access: agentless options are deployed to devices lacking the ability to have an agent installed but can also be deployed to devices that can accept an agent. Agentless can further be subdivided into two subsets: On devices that support browsers: In such scenarios, a connection using a secure tunnel to cloud/SaaS services is established through a plugin or manual configuration, which then handles all inspections. On devices that cannot support browsers and agents: The entire site or micro- segment is connected using a tunnel to the cloud or SaaS service. This option may be more applicable to OT and IoT devices. Agent-based access can also be configured on OT systems based on the implementation strategy and OT architecture. Sometimes, you will also encounter a bring your own device (BYOD) environment, which refers to employees being allowed, and sometimes encouraged, to use personal devices to complete their work for the employer. Whether your organization’s ZT policy is to use agent-based approaches or agentless access methods, BYOD scenarios will impact aspects of your ZT implementation. For example, deploying agents will require you to add a privacy notice if this agent is being installed on a personal device. Your team will need to coordinate with governance, compliance, and legal teams to confirm your messages are correct and in accordance with local law. When an employee-organization agreement terminates, you need to ensure that the decommissioning of ZT-related agents and apps involves the decoupling of security solutions from a BYOD device. To complete these tasks, employees need to know the policy and procedure. They may also need to be reminded that some of the protection that they previously relied upon is being removed. 4.1.5.1 Deploying Agent-Based Access In the case of agent-based approaches, a software agent must be installed and run on all endpoints. It is then the agent’s job to collect the user identity and share the security posture data of the device and connection. Agents must be regularly updated – either automatically or as part of the company’s patch process. To ensure compatibility with different device types, such as Mac OS, Linux, and Windows laptops, they should be tested appropriately before being deployed on end-user devices. The setup process and usability factor should also be evaluated prior to mass deployment. The available options will depend heavily on the target environment (e.g., Windows, Linux, Android, © Copyright 2023, Cloud Security Alliance. All rights reserved. 19 iOS), and the selected solution may vary in how the agent is finally deployed. Based on current IT trends, agent deployment will likely be based on unified endpoint management (UEM) and mobile device management (MDM). However, most vendors provide a download console for agent installs. 4.1.5.2 Deploying Agentless Access The agentless access method can be used to deploy ZT onto an endpoint device, such as with a browser or browser-based application. The browser is responsible for assessing the security posture and connection of the device prior to allowing access. This deployment method is also useful when dealing with light devices that do not have a browser available, like OT devices. In this case, a verified network with a proxy handling the agent load and building the connection can be established. After authentication of the user through an IdP (which may incorporate single sign-on [SSO] or MFA), they will then be redirected to their requested resources if authorization is granted. 4.1.6 Visibility & Analytics Implementing ZT requires a platform-based approach to security, empowered with analytic and visibility dashboards that authorized personnel can use to make policy changes. To achieve this, agents or APIs should be implemented to gather logs from various log sources. Depending on the requirements of the log aggregation tool, a log collector may be necessary. Aggregated logs enable event correlation that is more powerful in threat analysis and discovery than if the logs are kept separate and analyzed separately. The visualization component of the central log aggregation tool can provide dashboards, enabling visibility of the inner workings of each pillar. To achieve the above-mentioned set of goals: Implement agents or APIs to acquire logs from each of the logs’ sources. If required, implement a log collector. Ship the logs to the log aggregation tool using either a push or a pull mechanism, depending on the tool’s requirement. Implement a search tool that can provide a query language that can be used to search logs for events and event correlation. Design dashboards to view query and event correlation output. Once a visibility dashboard has been fully implemented, potential threats can be identified and monitored through careful observation of the dashboards. 4.1.7 Automation & Orchestration The ability to orchestrate and automate the deployment of the target architecture’s logical components is key to a successful ZTA implementation. This includes tasks such as updating the ZTA components’ security posture, dynamic access and authorization policy updates, patch © Copyright 2023, Cloud Security Alliance. All rights reserved. 20 management, and change management. These deployments can span on-premises, cloud, or hybrid implementations. Depending on the deployment model identified in the target architecture, two types of orchestration methods can be used for ZTA deployments: application pipeline and infrastructure as code (IaC) pipeline. In most cases, a combination of both is used. The IaC pipeline is typically used when the PEP is a single component acting as a gateway for the subject requests. In contrast, the application and pipeline are commonly used when an AuthZ module and other modules must be deployed directly on the component. This could include deployment within the application code. Depending on the orchestration methods and target architecture, different functional and non- functional orchestration requirements will exist. However, it is important to note automation and orchestration can be achieved in some cases but not all. For example, achieving it in OT or industrial control systems (ICS) is very challenging. It is important to factor in this while implementing ZT for such technologies. 4.1.8 Governance Governance of the ZT program and individual ZT projects is essential to ensure successful implementation and control over goals, requirements, and actions taken. A formal procedure for governance should be established through a review committee that will evaluate the progress made towards meeting objectives, ensuring that plans are funded, and assessing associated risks with future phases. As part of a successful ZTA implementation, it is essential to establish a formal review process headed by senior management. This committee will ensure that appropriate ZT requirements are observed and that the organization has the necessary resources to complete the ZTA plan. Their main objectives include: Verifying that each phase is completed with success Ensuring sufficient funding for the next phase Assessing the risks associated with continuing to the following phase13 At the start of implementation, metrics need to be defined and collected to measure set parameters. These metrics can range from high-level indicators, such as the number of goals achieved, budget consumption, and impact on organizational policies, to lower-level metrics, which include the number of support tickets raised, complaints by end-users, policy changes, failed policies, and downtime incurred. All these should be identified. 4.1.8.1 ZT Policies ZT policies are used to bridge the gap between a business’s mission and its risk management requirements. These policies are documented and set up within the ZT planning process. The PDP and PEP communicate in near real-time to ensure that authorization decisions made by the PDP, United States Department of Health and Human Services. (2012). Enterprise Performance Life 13 Cycle Framework. © Copyright 2023, Cloud Security Alliance. All rights reserved. 21 based on the policies defined at the PE, are enforced. Policies can be applied to users, applications, and workloads during the PDP onboarding stage. These policies will define access conditions for each user or device based on parameters such as location and time. To effectively manage a ZTA implementation, it is important to save some of your authorization work for the implementation stage. This is because a macro-level approach will focus too much on the overall architecture and will create extra work each time the overall architecture changes. Instead, your detailed policy rules should focus on each PDP and PEP technology separately. For example, a privileged access workstation (PAW) can only be accessed by a specific user or administrator from their approved device. In that case, there are various places where the policy could be updated. One could be the local permissions on the PAW host. Another could be the micro-segmentation firewall rules for the user and device hostname. Lastly, a network access control (NAC) or UEM solution could check the user’s local device posture. Attack surfaces change quickly, altering risk. Policies must be updated regularly by: Re-evaluating the updated transaction flows for changes in risk Re-implementing a macro- and micro-level approach to access and authorization policies Ensuring that updated policies are applied to the policy engine at the PDP 4.2 Transaction Flow Architecture Review Maintaining a transaction inventory allows you to reevaluate the behavior of the data within each transaction at regular intervals and, more importantly, detect any changes or abnormalities. In the planning phase (see Zero Trust Planning), we discussed the need for a detailed analysis and mapping of existing transaction flows. When the time comes to implement any identified changes to these transaction flows as part of your ZTA implementation, there will be some considerations to address, such as the addition of ZT nodes, services, and components. You will also need to address legacy controls that need to be replaced to protect existing transaction flows. Mappings may need to be reviewed against your planning notes. This will happen often, both during and after your implementation. As we discussed in the previous section (ZT Policies), you don’t want to focus too much on the overall architecture; not only will it be too complex to manage easily, but it will create extra work each time any part of the architecture changes. Instead, your detailed transaction flows should focus on each individual protect surface. By orienting your transaction flow diagrams or transaction inventory to each protect surface, you can easily manage change down the road. 4.2.1 Transaction Flow Mapping In the context of ZT, we could record the transactions that are part of the subject-initiated access to the applications and network or between the access-controlled applications, as long as we are centered on the surface we need to protect. © Copyright 2023, Cloud Security Alliance. All rights reserved. 22 The way that you map your flow is always unique to your implementation. More often than not, this process is manual. While some automation tools to help you with mapping are emerging, such technology is still catching up to the need. The best way to maintain a transaction inventory of the transactions you are managing, along with their dependencies, will depend on the unique characteristics of your team and the organization’s IT architecture. Nevertheless, in the next section, we provide you with a brief example. 4.2.2 Converting Flow Maps to Transaction Lists In the example below, the management team chose to invest the time to map all transactions involving their protect surfaces with a professional flowchart tool that their network engineers are proficient in. This will help them communicate with the vendors they use to receive security-oriented services. However, they also want to have each transaction listed because they plan on using this as a checklist during implementation and, down the road, as a potential set of requirements that can guide future development projects. The ZT implementation team determined that this particular protect surface involves six transactions, each with a unique identifier (see Figure below). Dependencies are shown. Figure 5: Transaction Inventory © Copyright 2023, Cloud Security Alliance. All rights reserved. 23 Next, each transaction path is assigned a Transaction ID. Any transaction it depends upon is entered in Input, and any transactions dependent upon that identified transaction are labeled Output (see Table below). The table can also include optional values, such as a Service ID, a Title (not shown), or Description (not shown). Transaction ID Input Output Service ID Transaction 1 (T1) T2 Service Baseline A Transaction 2 (T2) T3, T4, T5 T1 Service Baseline B Transaction 3 (T3) T6, T4 T2 Service Baseline C Transaction 4 (T4) T6, T5 T3, T2 Service Baseline D Transaction 5 (T5) T6 T4, T2 Service Baseline E Transaction 6 (T6) T3, T4, T5 Service Baseline F Table 2: Transaction Configuration Management Inventory This table can be entered into a configuration management system, unified modeling language (UML) tool, or programmable logic controller in reverse. Such tools can help provide indexable and searchable data that can help troubleshoot problems and document fixes. You can even use it to create more complex ladder or signaling diagrams. 4.3 Testing After an organization has completed implementation, it must develop and maintain relevant policies, procedures, and agile testing scripts that define how the ZT testing process works and should be conducted so that the testing methodology remains consistent from one implementation stage to the next. To ensure that the planned ZTA delivers the intended service levels, and before the legacy architecture can be decommissioned, a test cycle must be completed for ZT implementation, including testing on non-production and production environments. It is important to isolate whether a problem originates from the implementation itself or is the result of new technology merely catching a problem that existed in a pre-existing solution or data but was not caught due to weaknesses in the previous setup. Security testing must ensure that access controls are working correctly and the network is protected from threats. This testing includes vulnerability scans, penetration tests, application security assessments, system readiness testing, operational readiness testing, and other forms of security testing. Testing must: Confirm that the ZT objectives were achieved. Provide evidence that continuous authentication and authorization over all communications, users, systems, and networks is taking place. © Copyright 2023, Cloud Security Alliance. All rights reserved. 24 Provide evidence that employees are able to complete their work with a minimum of disruption. Create a secure baseline from which future changes can be monitored for potential threats or vulnerabilities. Confirm that there is a robust audit trail to monitor suspicious activity and policy violations. Ensure that the organization is on the path to maintaining effective communication between monitoring systems and personnel to ensure the efficiency and thoroughness of the ZT process. Regardless of the test type or environment you are testing, each testing activity must align or refer back to the ZT plan and strategy. Integrate ZT testing efforts into the overall cybersecurity program; doing so will provide enhanced protection. Additionally, each planning objective in each pillar needs to be sufficiently tested to confirm that your team has met its objectives. Finally, promote collaboration between departments to ensure ZT testing results in secure and efficient operations across the organization. When all test phases are completed, production can begin cut-over, also in phases. 4.4 Continual Improvement During implementation, the ZT project should proceed in a continuous feedback loop, with each pillar, sub-project, and related effort recorded in a task repository that can be analyzed by a project management expert and analysis tool. However, don’t stop with task monitoring. Additionally, organizations should perform regular audits to ensure their policies and practices are followed. These audits should test current security measures and identify any potential gaps in the system that malicious actors could exploit. This way, organizations can ensure their networks are secure and compliant with best practices. This feedback loop drives future ZT adjustments, as needed, in response to any encountered challenges, timeline modifications, or other reasons. ZT projects can take considerable time to implement. Any technology changes in the environment require review and consideration at the ZT project level to achieve the original goals and possibly make adjustments to those goals, with approval from all relevant stakeholders. A key component of any ZT project should be proper risk management. As the ZT project is implemented and adjustments are made upon encountering a changing environment, the feedback loop should trigger a re-evaluation of risks to the ZT project, which, in turn, triggers ZT-related change control. 4.5 Project Closure Successful ZT implementation would include a complete inventory of all transactions, dependencies, and services with associated IDs. Policies and procedures should be developed to ensure consistent testing methodology across different stages of the implementation. Security tests such as © Copyright 2023, Cloud Security Alliance. All rights reserved. 25 vulnerability scans, penetration tests, application security assessments, and system readiness testing should have been conducted to protect the network from potential threats. Tests should be carried out on both non-production and production environments to ensure the quality of the implementation. All legacy architecture should be decommissioned once all tests have been completed successfully. Finally, sufficient documentation must be created to ensure future troubleshooting is easier and fixes can be documented accurately. With all the project-related tasks completed, the project needs to be formally closed. For successful operations and maintenance, important policies, procedures, and processes must be reviewed and maintained. Final sign-offs must be obtained from key stakeholders, and a “go-live” date must be communicated to end users. From here, operations and maintenance cycles will then follow. Conclusion ZT is an important security strategy that must be planned, tested, and monitored for optimal effectiveness. ZT implementations must be iterative so that their efficacy can be evidenced while assessing results; this better prepares future implementations that lead to higher ZT performance levels with the ultimate goal of having proactive monitoring and logging feedback before a malicious actor can achieve a breach. Furthermore, organizations should integrate ZT testing into their overall cybersecurity program to provide enhanced protection. Additionally, regular audits of policies and practices should be conducted to identify potential security gaps in the system. A key component of any ZT project should also involve proper risk management and knowledge management to ensure lessons learned from incidents are not repeated. With the help of these strategies, organizations can increase their ZT efficiency and proactively protect their operations or security against malicious actors. Glossary Please refer to our Cloud Security Glossary, a comprehensive glossary that combines all the glossaries created by CSA Working Groups and research contributors into one place. © Copyright 2023, Cloud Security Alliance. All rights reserved. 26 Acronym List Acronym Term API Application programming interface AR/VR Authentication request/validation request BYOD Bring your own device BCP Business continuity planning CSA Cloud Security Alliance CISA Cybersecurity and Infrastructure Security Agency DR Disaster recovery DNS Domain name system IdP Identity provider ICS Industrial control systems IaC Infrastructure as code IoT Internet of Things IP Internet Protocol IDS Intrusion detection systems IPS Intrusion prevention systems MDM Mobile device management MFA Multi-factor authentication NAC Network access control NAT Network address translation NGFW Next-generation firewall OSI Open Systems Interconnection ORT Operational readiness testing OT Operational technology PC Personal computer PDP Policy decision point PEP Policy enforcement point © Copyright 2023, Cloud Security Alliance. All rights reserved. 27 PE Policy engine PIP Policy information point PAM Privileged access management PAW Privileged access workstation SIEM Security information and event management SOAR Security orchestration, automation, and response SMS Short message service SPA Single packet authorization SSO Single sign-on SaaS Software as a service SDP Software-defined perimeter SRT Systems readiness testing UEM Unified endpoint management UML Unified modeling language ZT Zero Trust ZTA Zero Trust Architecture ZTT Zero Trust Training © Copyright 2023, Cloud Security Alliance. All rights reserved. 28