Cloud Security Alliance – Zero Trust Guiding Principles PD

Organizations leverage Zero Trust to transform data and network cybersecurity management practices broadly. Many Zero Trust management concepts have emerged, including principles, tenets, pillars, architecture plans, and frameworks. While this evolution is a journey, a ZT transformation does not equate to a single project (business, operations, technology) or a specific product. Zero Trust is a mature methodology aimed at increasing the protection of critical assets in a highly distributed architecture. It requires upfront planning, with all key stakeholders understanding that each ZT journey is unique. The greater the alignment with the business, the greater the likelihood of success in the Zero Trust journey.
Many organizations have changed their operating models to foster cloud adoption and remote work. Traditional security practices do not adequately address the new risk landscape this has created. Organizations seeking to improve their cyber resilience can no longer rely on a hard outer shell or solely on technical controls to mitigate their cyber risk. The cyber threat landscape continues to evolve and expand beyond what a traditional fortress model can defend.
The scope of what needs to be protected has expanded as well. We are no longer dealing with just IT assets and data. The scope has expanded to include devices, workloads, applications, and business processes residing outside of IT. This is commonly referred to as Data, Applications, Assets, and Services, or DAAS for short.
By aligning the security architecture with the business operating model, organizations can transform their business while providing proper security without hindering business processes. When accepted as a foundational concept, Zero Trust supports many other enterprise efforts like privacy, compliance, and risk
This document provides guiding principles that any organization can leverage when scoping or initiating a move toward Zero Trust.


