CCZT Certificate of Competence in Zero Trust (CCZT) Questions and Answers

One of the core principles of Zero Trust (ZT) is to “never trust, always verify” every request for access to a resource, regardless of where it originates or what resource it accesses 1 .  This means that ZT does not rely on implicit trust based on network perimeters, device types, or user roles, but rather on explicit verification based on multiple data points, such as user identity, device health, location, service, data classification, and anomalies 1 .

References  =

Zero Trust Architecture | NIST

Zero Trust Model - Modern Security Architecture | Microsoft Security

How To Implement Zero Trust: 5-steps Approach & its challenges - Fortinet

A common activity in the scope, priority, and business case steps of ZT planning is to determine the organization’s current state. This involves assessing the existing security posture, architecture, policies, processes, and capabilities of the organization, as well as identifying the key stakeholders, business drivers, and goals for the ZT initiative. Determining the current state helps to establish a baseline, identify gaps and risks, and define the scope and priority of the ZT transformation.

References  =

Zero Trust Planning - Cloud Security Alliance , section “Scope, Priority, & Business Case”

The Zero Trust Journey: 4 Phases of Implementation - SEI Blog , section “First Phase: Prepare”

Data and asset classification is a prerequisite action to understand the organization’s protect surface clearly because it helps to identify the most critical and sensitive data and assets that need to be protected by Zero Trust principles. Data and asset classification also helps to define the appropriate policies and controls for different levels of data and asset sensitivity.

References  =  Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance ,  Zero Trust Training (ZTT) - Module 2: Data and Asset Classification

During the monitoring and analytics phase of ZT transaction flows, organizations should collect statistics and profile the behavior of transactions to support a continuous assessment of all transactions. A continuous assessment of all transactions means that the organization constantly evaluates the security posture, performance, and compliance of each transaction, and detects and responds to any anomalies, deviations, or threats. A continuous assessment of all transactions helps to maintain a high level of protection and resilience in the ZTA, and enables the organization to adjust and improve the policies and controls accordingly.

References  =

Zero Trust Planning - Cloud Security Alliance , section “Monitor & Measure”

The role of visibility and analytics in zero trust architectures , section “The basic NIST tenets of this approach include”

Move to the Zero Trust Security Model - Trailhead , section “Monitor and Maintain Your Environment”

Data and asset classification should be based on the sensitivity of data, which is the degree to which the data requires protection from unauthorized access, modification, or disclosure. Data sensitivity is determined by the potential impact of data loss, theft, or corruption on the organization, its customers, and its partners. Data sensitivity can also be influenced by legal, regulatory, and contractual obligations.

References  =

Certificate of Competence in Zero Trust (CCZT) prepkit , page 10, section 2.1.1

Identify and protect sensitive business data with Zero Trust , section 1

Secure data with Zero Trust , section 1

SP 800-207, Zero Trust Architecture , page 9, section 3.2.1

Device validation helps establish a trusted connection based on certificate-based keys in a ZT deployment. Device validation is the process of verifying the identity and posture of the devices that request access to the protected resources. Device validation relies on the use of certificates, which are digital credentials that bind the device identity to a public key. Certificates are issued by a trusted authority and can be used to authenticate the device and encrypt the communication. Device validation helps to ensure that only healthy and compliant devices can access the resources, and that the connection is secure and confidential.

References  =

Certificate of Competence in Zero Trust (CCZT) prepkit , page 15, section 2.2.3

Zero Trust and Windows device health - Windows Security , section “Device health attestation on Windows”

Devices and zero trust | Google Cloud Blog , section “In a zero trust environment, every device has to earn trust in order to be granted access.”

The ZT tenet of assume breach is based on the notion that malicious actors reside inside and outside the network, and that any user, device, or service can be compromised at any time. Therefore, ZT requires continuous verification and validation of all entities and transactions, and does not rely on implicit trust or perimeter-based defenses

Business continuity and disaster recovery are the activities of the ZT implementation preparation phase that ensure the resiliency of the organization’s operations in the event of disruption. Business continuity refers to the process of maintaining or restoring the essential functions of the organization during and after a crisis, such as a natural disaster, a cyberattack, or a pandemic. Disaster recovery refers to the process of recovering the IT systems, data, and infrastructure that support the business continuity. ZT implementation requires planning and testing the business continuity and disaster recovery strategies and procedures, as well as aligning them with the ZT policies and controls.

References  =

Zero Trust Planning - Cloud Security Alliance , section “Monitor & Measure”

Zero Trust architecture: a paradigm shift in cybersecurity - PwC , section “Continuous monitoring and improvement”

Zero Trust Implementation , section “Outline Zero Trust Architecture (ZTA) implementation steps”

Rigorous testing of Zero Trust and Zero Trust Architecture (ZTA) implementations is crucial for validating their effectiveness. This testing should be an integrated part of the overall cybersecurity program. By incorporating ZT testing into the broader cybersecurity efforts, organizations can ensure a cohesive and comprehensive approach to security that encompasses all aspects of their network and systems. This integration facilitates continuous improvement, adherence to best practices, and alignment with organizational security objectives, thereby ensuring that the ZT implementation is robust, effective, and capable of protecting against evolving threats.

Asset owners are the ones who will determine valid users, roles, and privileges for accessing data as part of data governance. Asset owners are responsible for defining the data classification, sensitivity, and ownership of the data assets they own. They also have the authority to grant or revoke access to the data assets based on the business needs and the Zero Trust policies.

References  =  Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance ,  Zero Trust Training (ZTT) - Module 2: Data and Asset Classification

ZT project implementation requires prioritization as part of the overall ZT project planning activities. One area to consider is prioritization based on risks, which means that the organization should identify and assess the potential threats, vulnerabilities, and impacts that could affect its assets, operations, and reputation, and prioritize the ZT initiatives that address the most critical and urgent risks. Prioritization based on risks helps to align the ZT project with the business objectives and needs, and optimize the use of resources and time.

References  =

Zero Trust Planning - Cloud Security Alliance , section “Scope, Priority, & Business Case”

The Zero Trust Journey: 4 Phases of Implementation - SEI Blog , section “Second Phase: Assess”

Planning for a Zero Trust Architecture: A Planning Guide for Federal … , section “Gap Analysis”

One of the key purposes of leveraging visibility & analytics capabilities in a ZTA is to continually evaluate user behavior against a baseline to identify unusual actions. This helps to detect and respond to potential threats, anomalies, and deviations from the normal patterns of user activity. Visibility & analytics capabilities also enable the collection and analysis of telemetry data across all the core pillars of ZTA, such as user, device, network, application, and data, and provide insights for policy enforcement and improvement.

References  =

Certificate of Competence in Zero Trust (CCZT) prepkit , page 15, section 2.2.3

Zero Trust for Government Networks: 4 Steps You Need to Know , section “Continuously verify trust with visibility & analytics”

The role of visibility and analytics in zero trust architectures , section “The basic NIST tenets of this approach include”

What is Zero Trust Architecture (ZTA)? | NextLabs , section “With real-time access control, users are reliably verified and authenticated before each session”

SDP mitigates the risk of broken access control by mandating micro-segmentation and implementing least privilege. Micro-segmentation divides the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. Least privilege grants the minimum necessary access to users and devices for specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents attackers from exploiting weak or misconfigured access controls

 The protect surface in a ZTA is the collection of sensitive data, assets, applications, and services (DAAS) that require protection from threats 1 . One benefit of the protect surface in a ZTA for an organization implementing controls is that it allows the controls to be moved closer to the asset and minimize risk.  This means that instead of relying on a single perimeter or boundary to protect the entire network, ZTA enables granular and dynamic controls that are applied at or near the DAAS components, based on the principle of least privilege 2 .  This reduces the attack surface and the potential impact of a breach, as well as improves the visibility and agility of the security posture 3 .

References  =

Zero Trust Architecture | NIST

Zero Trust Architecture Explained: A Step-by-Step Approach - Comparitech

What is Zero Trust Architecture (ZTA)? - CrowdStrike

Multifactor authentication is a method of validating the identity of an entity by requiring two or more factors, such as something the entity knows (e.g., password, PIN), something the entity has (e.g., token, smart card), or something the entity is (e.g., biometric, behavioral). Multifactor authentication enhances the security of Zero Trust Architecture (ZTA) by reducing the risk of identity compromise and unauthorized access.

References  =  Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance ,  Zero Trust Training (ZTT) - Module 4: Identity and Access Management