SDP mitigates the risk of broken access control by mandating micro-segmentation and implementing least privilege. Micro-segmentation divides the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. Least privilege grants the minimum necessary access to users and devices for specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents attackers from exploiting weak or misconfigured access controls

A common activity in the scope, priority, and business case steps of ZT planning is to determine the organization’s current state. This involves assessing the existing security posture, architecture, policies, processes, and capabilities of the organization, as well as identifying the key stakeholders, business drivers, and goals for the ZT initiative. Determining the current state helps to establish a baseline, identify gaps and risks, and define the scope and priority of the ZT transformation.

References  =

Zero Trust Planning - Cloud Security Alliance , section “Scope, Priority, & Business Case”

The Zero Trust Journey: 4 Phases of Implementation - SEI Blog , section “First Phase: Prepare”

ZTA planning can improve the developer experience by streamlining access provisioning to deployment environments. This means that developers can access the resources and services they need to deploy their applications in a fast and secure manner, without having to go through complex and manual processes. ZTA planning can also help to automate and orchestrate the access provisioning using dynamic and granular policies based on the context and attributes of the developers, devices, and applications.

References  =  Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance ,  Zero Trust Training (ZTT) - Module 10: ZTA Planning and Implementation

To ensure a successful ZT effort, it is important to engage stakeholders across the organization and at all levels, including functional areas. This helps to align the ZT vision and goals with the business priorities and needs, gain buy-in and support from the leadership and the users, and foster a culture of collaboration and trust. Engaging stakeholders also enables the identification and mapping of the critical assets, workflows, and dependencies, as well as the communication and feedback mechanisms for the ZT transformation.

References  =

Certificate of Competence in Zero Trust (CCZT) prepkit , page 7, section 1.3

Zero Trust Planning - Cloud Security Alliance , section “Scope, Priority, & Business Case”

The ‘Zero Trust’ Model in Cybersecurity: Towards understanding and … , section “3.1 Ensuring buy-in across the organization with tangible impact”

In a ZTA, policies should be created in the control plane, which is the logical component that defines and manages the policies for accessing resources.  The control plane consists of policy entities, such as policy administrators, policy engines, and policy decision points, that are responsible for crafting, maintaining, evaluating, and enforcing the policies 1 .  The control plane interacts with the data plane, which is the logical component that handles the data transmission and processing, and the network, which is the physical or virtual component that provides the connectivity and transport for the data plane 1 .  The endpoint is the device or system that requests or provides access to a resource 1 .

References  =

Zero Trust Architecture | NIST

In a ZTA, the logical combination of both the policy engine (PE) and policy administrator (PA) is called the policy decision point (PDP). The PE is the component that evaluates the policies and the contextual data collected from various sources and generates an access decision. The PA is the component that establishes or terminates the communication between a subject and a resource based on the access decision. The PDP communicates with the policy enforcement point (PEP), which enforces the access decision on the resource.

References  =

Certificate of Competence in Zero Trust (CCZT) prepkit , page 14, section 2.2.2

Zero Trust Architecture Project - NIST Computer Security Resource Center , slide 9

What Is a Zero Trust Security Framework? | Votiro , section “The Policy Engine and Policy Administrator”

Zero Trust Frameworks Architecture Guide - Cisco , page 4, section “Policy Decision Point”

One of the key purposes of leveraging visibility & analytics capabilities in a ZTA is to continually evaluate user behavior against a baseline to identify unusual actions. This helps to detect and respond to potential threats, anomalies, and deviations from the normal patterns of user activity. Visibility & analytics capabilities also enable the collection and analysis of telemetry data across all the core pillars of ZTA, such as user, device, network, application, and data, and provide insights for policy enforcement and improvement.

References  =

Certificate of Competence in Zero Trust (CCZT) prepkit , page 15, section 2.2.3

Zero Trust for Government Networks: 4 Steps You Need to Know , section “Continuously verify trust with visibility & analytics”

The role of visibility and analytics in zero trust architectures , section “The basic NIST tenets of this approach include”

What is Zero Trust Architecture (ZTA)? | NextLabs , section “With real-time access control, users are reliably verified and authenticated before each session”

The essential components of an organization’s ongoing risk analysis are assessment frequency, metrics, and data. Assessment frequency refers to how often the organization conducts risk assessments to monitor and measure the effectiveness of the zero trust architecture and policies. Metrics refer to the quantitative and qualitative indicators that are used to evaluate the security posture, performance, and compliance of the zero trust architecture. Data refers to the information that is collected, analyzed, and reported from various sources, such as telemetry, logs, audits, and feedback, to support risk analysis and decision making.

References  =

Zero Trust Planning - Cloud Security Alliance , section “Monitor & Measure”

How to improve risk management using Zero Trust architecture | Microsoft Security Blog , section “Monitoring and reporting”

Zero Trust Adoption: Managing Risk with Cybersecurity Engineering and Adaptive Risk Assessment - SEI Blog , section “Continuous Monitoring and Improvement”