Cloud 101CircleEventsBlog
Join AT&T's experts & CSA's Troy Leach on April 4 to boost your cyber resilience in 2024!

Zero Trust Resource Hub

The latest in guidance, architectures, and more from industry leaders.

With the help of cybersecurity organizations and experts, this online center showcases the most important, curated Zero Trust publications and resources in the industry.

Browse Resources

Neutral Solution Provider

A resource is classified as vendor neutral when it does not pertain to any particular vendor product or service.

Single Solution Provider

A resource is classified as vendor-specific when it refers or pertains specifically to their product or service.

Multiple Solution Provider

A resource is classified as multi-vendor or multi-provider when it is developed by multiple vendors and refers specifically to their products or services.

Sort by
Publication date

Filter by
Content Type
Solution Provider Neutrality
Language
Organization
Add Zero Trust content to the Resource Hub
Submit here
Add Zero Trust content to the Resource Hub
Submit here

Enterprise adoption of Zero Trust is broad and growing. How is a mature Zero Trust program achieved? The NSTAC Report to the President on Zero Trust and Trusted Identity Management outlines a five-step implementation process. 

This publication by the CSA Zero Trust Working Group provides guidance on iteratively executing the first step of the Zero Trust implementation process, “Defining the Protect Surface.” Defining the protect surface entails identifying, categorizing, and assessing an organization's data, applications, assets, and services (DAAS); business risk; and current security maturity. In this document, readers will find valuable guidance that starts their Zero Trust security journey on the right path.

View

Release date: 03/07/2024
Guidance
Neutral
English
Cloud Security Alliance

The US NSA has published a Cybersecurity Information Sheet (CSI) that details curtailing adversarial lateral movement within an organization’s network to access sensitive data and critical systems. The CSI, entitled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar,” provides guidance on how to strengthen internal network control and contain network intrusions to a segmented portion of the network using Zero Trust principles.

The network and environment pillar–one of seven pillars that make up the Zero Trust framework–isolates critical resources from unauthorized access by defining network access, controlling network and data flows, segmenting applications and workloads, and using end-to-end encryption. The CSI outlines the key capabilities of the network and environment pillar, including data flow mapping, macro and micro segmentation, and software defined networking.

View

Release date: 03/07/2024
Guidance
Neutral
English
US National Security Agency

The US Department of Homeland Security (DHS) has been implementing zero trust mandates for years. DHS leadership established a Zero Trust Action Group, and later a Zero Trust Integrated Product Team, incorporating technical leadership from across the Department—and together, these teams have made impressive progress.

This strategy establishes a shared vision that better protects resources, stabilizes cybersecurity budgets, and accelerates mission outcomes—all at the same time. This strategy will also allow the Department to pursue a shared zero trust vision while addressing shared challenges, including resource scarcity, legacy technology, and a nascent shared services environment.

View

Release date: 03/04/2024
Guidance
Neutral
English
US DHS/CISA

The Zero Trust playbook series guides you with specific role-by-role actionable information for planning, executing, and operating Zero Trust from the boardroom to technical reality. It provides simple, clear, and actionable guidance that fully answers your questions on Zero Trust using current threats, real-world implementation experiences, and open global standards. This first book in the series helps you understand what Zero Trust is, why it’s important for you, and what success looks like.

View

The Zero Trust model is quickly rising as the favored strategy to protect important assets. CSA’s Virtual Zero Trust Summit delivers knowledge needed to understand the core concepts of Zero Trust. Featuring prominent industry leaders such as John Kindervag, the founder of Zero Trust philosophy, the Summit will provide critical insights, tools, and best practices to develop and implement a Zero Trust strategy. With Zero Trust established as the future of information security, taking a Zero Trust based approach will inevitably become a requirement for organizations and a required skill for professionals. View the summit recordings to expand your Zero Trust knowledge and gain the necessary skills you need to implement the robust security measures required.  Click the link to access the session recordings. 

View

Release date: 12/01/2023
Recordings
Neutral
English
Cloud Security Alliance

Most security teams are moving toward the Zero Trust framework - widely accepted as the new standard in security – but it’s about more than just the right technology. Learn how to implement a comprehensive, ongoing approach to security in the e-book The Innovator’s Guide to Zero Trust Security.

View

Release date: 10/31/2023
Books
Single
English
Microsoft

This NSA cybersecurity information sheet (CSI) provides guidance to enable organizations to assess devices in their systems and be better poised to respond to risks to critical resources. The device pillar is a key component of the Zero Trust security framework. It ensures devices within or attempting to connect to resources in an environment are located, enumerated, authenticated, and assessed. The document provides recommendations for ensuring all devices meet an organization’s access criteria and security policies before they are authorized.  Recommendations to increase maturity levels of Zero Trust device pillar capabilities include device identification, inventory, and authentication, device authorization using real time inspection, and remote access protection.

View

Release date: 10/30/2023
Guidance
Neutral
English
US National Security Agency

Matching Google Cloud services with NIST 800-207

This guide is intended to provide readers with an understanding of the following: 

  • What is zero trust and why it matters 
  • How to build a project plan for a zero trust migration 
  • What Google Cloud services align to NIST 800-207 pillars 
Implementing zero trust is not something that can be done overnight, in a silo, with a sole vendor, or by one team. A successful journey is driven by significant amounts of detailed planning, cross-business unit collaboration, organizational buy-in, and stakeholder support; all accompanied by the right selection of vendors and capabilities. The end state of this journey is a paradigm shift that will fundamentally alter current approaches to securing an enterprise, as achieving zero trust impacts every user, device, workload, data source, asset, and service within an organization.

View

Release date: 10/16/2023
Guidance
Single
English
Google

This updated Snapshot document is intended to make public the direction and thinking about the path we are taking in the development of the Zero Trust Commandments Standard. This document is intended for executive leaders in business, security, and IT. The Commandments in this document originate from the principles contained in The Open Group White Paper: Zero Trust Core Principles. The Commandments are presented first together on a single page and then separately, each on its own page, with further detail.

View

Release date: 10/16/2023
Architecture
Neutral
English
The Open Group

Zero Trust is a major industry trend that is being adopted and promoted by security teams within many organizations around the globe, and for good reasons: it delivers improved security and can also reduce cost and improve business efficiency and agility. However, Zero Trust is also an industry buzzword that can be confusing and is often misunderstood by many, particularly non-technical and non-security people. Business leaders and non-security professionals are key stakeholders, budget holders, and gatekeepers in any enterprise’s journey to Zero Trust that can make the difference between successful and failed Zero Trust initiatives. This is because, fundamentally, adopting Zero Trust as an organizational strategy requires change, support, and investment of significant time, effort, and money across the enterprise. Therefore, security teams need to be able to communicate the value of Zero Trust to non-technical or non-security audiences, all the way up to the Board of Directors. We believe that the infosec industry has not sufficiently enabled security practitioners to clearly, succinctly, and directly communicate the business value that a Zero Trust strategy can bring. The goal of this CSA guidance is to fill that gap. 

View

Release date: 10/12/2023
Guidance
Neutral
English
Cloud Security Alliance

Identity and the ability to consume attributes and Zero Trust (ZT) signals across pillars is a key principle of zero trust architecture. ZT aims to reduce the success of cyber-attacks and data breaches using risk-based access requirements, including phishing resistant MFA and robust, fine grained, least privilege authorization.

ZT implements controls closer to the asset being protected (the protect surface). From an IAM perspective this increases the richness of the risk-based access control decision and avoids granting access based on binary trust of a single parameter.

View

Release date: 10/11/2023
Guidance
Neutral
English
Cloud Security Alliance

This document provides a clear understanding of what Zero Trust security is and the guiding principles that any organization can leverage when planning, implementing, and operating Zero Trust. These best practices remain consistent across all Zero Trust pillars, use cases, environments, and products. As expertise and industry knowledge mature, additional authoritative references such as guidance, policies, and legislation may be added.

View

Release date: 10/11/2023
Guidance
Neutral
Cloud Security Alliance

The need for board members to understand cyber risks has never been greater. This guide helps directors determine the maturity and cyber readiness of an organization. It offers seven clear steps for overseeing cyber issues and explains how zero trust architectures provide excellent risk mitigation.

View

Release date: 10/11/2023
Guidance
Single
English
Zscaler

A series of six half-hour recorded panel presentations about identity as it relates to both Cloud and Zero Trust: Understanding Identity (2 parts), Identity Challenges, Extending Identity into the Cloud, Leveraging identity for Zero Trust, Future challenges and pitfalls with Identity. Hosted on YouTube.

View

Release date: 10/10/2023
Recordings
Neutral
UBS

The objective of this publication is to provide guidance for realizing an architecture that can enforce granular application-level policies while meeting the runtime requirements of ZTA for multi-cloud and hybrid environments.

NIST Special Publication 800-207 lays out a comprehensive set of zero trust principles and referenced zero trust architectures (ZTA) for turning ZT concepts into reality. A key paradigm shift in ZTAs is the change in focus from security controls based on segmentation and isolation using network parameters (e.g., Internet Protocol (IP) addresses, subnets, perimeter) to identities. From an application security point of view, this requires authentication and authorization policies based on application and service identities in addition to the underlying network parameters and user identities. 

View

Acuity's Danny Toler and Sara Mosley (both former federal cyber leaders  who actively contributed to the development of the Zero Trust Maturity Model) recently completed a report that highlights the recent changes to CISA's Zero Trust Maturity Model - now V2.0. The report provides concrete advice for cybersecurity staff who are charting the transition to a Zero Trust architecture.

View

This book by Jason Garbis provides clear guidance on how to successfully get started with a Zero Trust initiative.  Zero Trust is a security strategy, and by definition is broad in scope and impact. As such, it can be overwhelming for security practitioners and enterprises. This book helps readers communicate Zero Trust's value, identify and eliminate barriers to success, and determine appropriate on-ramps for initial Zero Trust projects. 

View

Release date: 08/22/2023
Books
Neutral
Jason Garbis

This document introduces Zero Trust to Business, Security, and IT leaders. It described the drivers for Zero Trust, their implications, and the role of Zero Trust. In the Digital Age, the necessary seamless flow of data across myriad networks, applications, storages, and other resources introduces the dilemma that it is no longer feasible, or even possible, to consider all elements of the service topology as “trusted”. 

View

Release date: 07/28/2023
Guidance
Neutral
The Open Group

In 2005 the Jericho Forum and the OpenGroup did some foundational work for Zero Trust on the failure of the perimeter security model and the need for de-perimeterization, which is the inspiration for the Open Group's Zero Trust Commandments.

View

Release date: 07/26/2023
Reports
Neutral
The Open Group

Recorded presentation communicating the business value of Zero Trust to the CSA ZT workgroup by Yves Le Gelard, former EVP, Chief Digital Officer and Group CIO at ENGIE SA, a 70B revenue global energy company. Yves led the transformation journey at scale for network, security and cloud applications to reduce risk and improve quality of user experience. Yves speaks to many executives on how to get buy-in for zero trust, lessons learned from the journey and his experience on M&A as it relates to cyber risk.

Prior to his role at ENGIE, Yves served as Senior Vice President, Services EMEA at SAP and as Executive Vice President at Fujitsu America Inc. He is also a board member of Cigref which gathers the Group CIOs of the largest French companies.  Arranged by Zscaler. 

View

Release date: 07/19/2023
Recordings
Neutral
Cloud Security Alliance

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an updated Zero Trust Maturity Model (ZTMM) to help organizations assess and improve their Zero Trust security posture. Zero Trust is built off the assumption that all users, devices, and network traffic are potentially malicious and requires continuous verification and authentication. CISA’s ZTMM provides an approach to achieve continued modernization efforts related to zero trust within a rapidly evolving environment and technology landscape. This blog post summarizes key maturity model concepts.

View

CSA Zero Trust and Industry Insights Blog Post by John Kindervag that compares and contrasts the new version of the CISA Zero Trust Maturity Model and the 2017 Forrester Maturity model that he developed in 2016 while working for Forrester. 

View

Release date: 05/18/2023
Blogs
Neutral
Cloud Security Alliance

CISA’s ZTMM is a roadmap that organizations can reference as they implement a zero trust architecture. It aims to assist organizations in the development of ZT strategies and implementation plans. It includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the maturity model provides specific examples of traditional, initial, advanced, and optimal zero trust architectures. It is a foundational CSA ZT research source document.

View

Release date: 04/11/2023
Guidance
Neutral
US DHS/CISA

NSA is providing recommendations for Maturing Identity, Credential, and Access Management in Zero Trust to help system operators’ mature identity, credential, and access management (ICAM) capabilities to better mitigate cyber threats.

Cybersecurity incidents are on the rise due to immature ICAM capabilities of many mission critical systems. Adoption of a Zero Trust cybersecurity framework is part of the US National Cybersecurity Strategy and is directed by presidential Executive Orders. The Zero Trust model limits access to only what is needed and assumes that a breach is inevitable or has already occurred. 

View

Release date: 04/03/2023
Guidance
Neutral
US National Security Agency

Seven Questions Every CXO Must Ask About Zero Trust is a practical leadership guide for driving secure digital transformation. It helps executives identify Zero Trust use cases, deploy secure architecture, and learn to overcome organizational resistance to change. Insights by experts, for experts. 

View

Release date: 01/27/2023
Guidance
Single
Zscaler
Elevate your security posture with Zero Trust Training
Discover more Zero Trust resources