CCZT Certificate of Competence in Zero Trust (CCZT) Questions and Answers

The scope of the target state definition in Zero Trust planning is significantly influenced by an organization's risk appetite. This entails a strategic evaluation of the level of risk an organization is willing to accept in pursuit of its objectives. Continuous authentication and authorization, integral to Zero Trust, adapt to the dynamic state of threats and the organization's risk posture, ensuring that authorization decisions align with the prevailing risk appetite and the changing security landscape​​.

SDP features, like multi-factor authentication (MFA), mutual transport layer security (mTLS), and device fingerprinting, protect against phishing attacks by verifying the identity and authenticity of both the user and the device before granting access to a resource. Phishing attacks are attempts to trick users into revealing their credentials or other sensitive information by impersonating a legitimate entity or service1. SDP features can prevent phishing attacks by:

• MFA: MFA is a security mechanism that requires a user to provide more than one piece of evidence to prove their identity, such as a password, a one-time code, a biometric factor, or a physical token2. MFA can protect against phishing attacks by making it harder for attackers to access a resource even if they manage to obtain the user’s password or other credentials2.
• mTLS: mTLS is a security protocol that enables mutual authentication and encryption between two parties, such as a client and a server3. mTLS can protect against phishing attacks by ensuring that both the client and the server have valid and trusted certificates, and by preventing attackers from intercepting or modifying the communication between them3.
• Device fingerprinting: Device fingerprinting is a technique that identifies and verifies a device based on its unique characteristics, such as its operating system, browser, IP address, or hardware configuration4. Device fingerprinting can protect against phishing attacks by allowing only authorized devices to access a resource, and by detecting any anomalies or changes in the device’s attributes that may indicate a compromise4.

References =

• What is Phishing? | How to Identify & Prevent Phishing Attacks | Cloudflare
• What is Multi-Factor Authentication (MFA)? | Cloudflare
• What is Mutual TLS (mTLS)? | Cloudflare
• What is Device Fingerprinting? | Cloudflare

The essential components of an organization’s ongoing risk analysis are assessment frequency, metrics, and data. Assessment frequency refers to how often the organization conducts risk assessments to monitor and measure the effectiveness of the zero trust architecture and policies. Metrics refer to the quantitative and qualitative indicators that are used to evaluate the security posture, performance, and compliance of the zero trust architecture. Data refers to the information that is collected, analyzed, and reported from various sources, such as telemetry, logs, audits, and feedback, to support risk analysis and decision making.

References =

• Zero Trust Planning - Cloud Security Alliance, section “Monitor & Measure”
• How to improve risk management using Zero Trust architecture | Microsoft Security Blog, section “Monitoring and reporting”
• Zero Trust Adoption: Managing Risk with Cybersecurity Engineering and Adaptive Risk Assessment - SEI Blog, section “Continuous Monitoring and Improvement”

The rule-based security policies configured on the Policy Decision Point (PDP) are designed to define rules that specify how information can flow within an organization's network. These rules are integral to implementing the principle of least privilege and ensuring that data is accessed only by authorized entities under strict conditions. By controlling information flow, the PDP helps in mitigating the risk of data breaches and unauthorized access, reinforcing the Zero Trust model's emphasis on stringent access control and continuous verification of trust.

One of the key purposes of leveraging visibility & analytics capabilities in a ZTA is to continually evaluate user behavior against a baseline to identify unusual actions. This helps to detect and respond to potential threats, anomalies, and deviations from the normal patterns of user activity. Visibility & analytics capabilities also enable the collection and analysis of telemetry data across all the core pillars of ZTA, such as user, device, network, application, and data, and provide insights for policy enforcement and improvement.

References =

• Certificate of Competence in Zero Trust (CCZT) prepkit, page 15, section 2.2.3
• Zero Trust for Government Networks: 4 Steps You Need to Know, section “Continuously verify trust with visibility & analytics”
• The role of visibility and analytics in zero trust architectures, section “The basic NIST tenets of this approach include”
• What is Zero Trust Architecture (ZTA)? | NextLabs, section “With real-time access control, users are reliably verified and authenticated before each session”

Different SDP deployment models have different advantages and disadvantages depending on the organization’s use case, such as the type of resources to be protected, the location of the clients and servers, the network topology, the scalability, the performance, and the security requirements. Network architects should consider their use case before selecting an SDP model that best suits their needs and goals.

References =

• Certificate of Competence in Zero Trust (CCZT) prepkit, page 21, section 3.1.2
• 6 SDP Deployment Models to Achieve Zero Trust | CSA, section “Deployment Models Explained”
• Software-Defined Perimeter (SDP) and Zero Trust | CSA, page 7, section 3.1
• Why SDP Matters in Zero Trust | SonicWall, section “SDP Deployment Models”

To detect and stop malicious access attempts in real-time within a Zero Trust Architecture, comprehensive audit logging and continuous monitoring are essential. These measures provide visibility into all access attempts and activities within the network, allowing for the early detection of suspicious behavior. By analyzing logs and monitoring network traffic, security teams can identify and respond to potential threats in real-time, preventing unauthorized access and minimizing the impact of any security incidents.

In a Zero Trust Architecture, the Policy Decision Point (PDP) is the primary entity responsible for crafting and maintaining policies, especially those that enforce the principle of least privilege for network access. The PDP evaluates all relevant information about an access request—including the identity of the requester, the context of the request, and the requested resource—and makes a decision on whether to grant or deny access based on predefined policies. This process ensures that access rights are strictly aligned with the necessity of the role and the minimum access required to perform a function, thereby adhering to the principle of least privilege​​.

In the context of a Software-Defined Perimeter (SDP) that incorporates Single Packet Authorization (SPA), after successful authentication and authorization, the client typically generates an SPA packet and sends it to the accepting host. This process involves the client creating a specially crafted packet that is designed to be recognized by the accepting host's SDP gateway. Upon receiving and validating the SPA packet, the gateway allows the client to establish a connection to the designated services or resources. This mechanism ensures that only authorized clients can initiate connections, enhancing security by preventing unauthorized access.

Data and asset classification should be based on the sensitivity of data, which is the degree to which the data requires protection from unauthorized access, modification, or disclosure. Data sensitivity is determined by the potential impact of data loss, theft, or corruption on the organization, its customers, and its partners. Data sensitivity can also be influenced by legal, regulatory, and contractual obligations.

References =

• Certificate of Competence in Zero Trust (CCZT) prepkit, page 10, section 2.1.1
• Identify and protect sensitive business data with Zero Trust, section 1
• Secure data with Zero Trust, section 1
• SP 800-207, Zero Trust Architecture, page 9, section 3.2.1

ZT project implementation requires prioritization as part of the overall ZT project planning activities. One area to consider is prioritization based on risks, which means that the organization should identify and assess the potential threats, vulnerabilities, and impacts that could affect its assets, operations, and reputation, and prioritize the ZT initiatives that address the most critical and urgent risks. Prioritization based on risks helps to align the ZT project with the business objectives and needs, and optimize the use of resources and time.

References =

• Zero Trust Planning - Cloud Security Alliance, section “Scope, Priority, & Business Case”
• The Zero Trust Journey: 4 Phases of Implementation - SEI Blog, section “Second Phase: Assess”
• Planning for a Zero Trust Architecture: A Planning Guide for Federal …, section “Gap Analysis”

Asset owners are the ones who will determine valid users, roles, and privileges for accessing data as part of data governance. Asset owners are responsible for defining the data classification, sensitivity, and ownership of the data assets they own. They also have the authority to grant or revoke access to the data assets based on the business needs and the Zero Trust policies.

References = Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 2: Data and Asset Classification

The ZT tenet of assume breach is based on the notion that malicious actors reside inside and outside the network, and that any user, device, or service can be compromised at any time. Therefore, ZT requires continuous verification and validation of all entities and transactions, and does not rely on implicit trust or perimeter-based defenses

ZTA using enhanced identity governance is an approach to ZTA that strongly emphasizes proper governance of access privileges and entitlements for specific assets. This approach focuses on managing the identity lifecycle, enforcing granular and dynamic policies, and auditing and monitoring access activities. ZTA using enhanced identity governance helps to ensure that only authorized and verified entities can access the protected assets based on the principle of least privilege and the context of the request.

References = Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 5: Enhanced Identity Governance

Network access control (NAC) typically operates at layer 2, the data link layer, of the open systems interconnection (OSI) model. The data link layer is responsible for transferring data between adjacent nodes on a network, such as switches and endpoints. NAC operates at this layer by inspecting and controlling the access of devices to the network based on their MAC addresses, device profiles, security posture, and compliance status.

References = Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 6: Micro-segmentation