The Cloud Security Alliance (CSA) is the leading authority dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Zscaler is proud to be a founding partner of its recently announced Zero Trust Advancement Center (ZTAC) to further the CSA’s mission by promoting zero trust standards that are research-based, vendor-neutral, and not muddied by marketing jargon.
To learn more about progress of the ZTAC, we recently caught up with CSA Co-founder and Chief Executive Officer Jim Reavis.
Editorial Team: Since the announcement of the ZTAC in March, what have CXOs been telling you they are most excited to see with this initiative?
Reavis: The most exciting thing we have heard from CXOs is that they want to help! They recognize that zero trust is an important mission and also a long-term journey and they want to make sure we get it right. Today a CXO within a company embarking on a zero trust future often must articulate their definition of what they are trying to accomplish repeatedly to all of their technology partners in isolation. They are telling us they look forward to pointing to an unbiased external source that explains the intent, philosophy, and required outcomes of zero trust in action.
Editorial Team: Whether it be endpoint security, user authentication, or zero trust, ZTAC is taking a strong stance to serve as the knowledgeable independent source of the changes occurring in the security industry. What gaps does the center plan to close that you have seen technology and security CXOs need for themselves and for their teams?
Reavis: There are a lot of core technologies fundamental to zero trust. Identity management is a good example. We plan to provide the research and education to help professionals see the core technologies in context and specifically how they can enable zero trust. Then you have every other technology in existence and technologies not invented yet that must be protected by a zero trust framework. It isn’t possible to provide detailed guidance about every technology, so clearly we have to do a good job of creating the right knowledge that enables CXOs to have strategies to break down business opportunities and challenges into the appropriate zero trust components and go from very general business needs to the very specific technologies and architecture. We feel that creating a lot of research around zero trust as a philosophy that informs strategy is the way to equip CXOs to tackle the next security concern on the horizon.
Editorial Team: While training and certifying your teams on zero trust is important, many of us on the call know that initiating a change to a zero trust solution and architecture is challenging, and undergoing the transformation can be daunting. What advice do you have for people, regardless of where they are in the zero trust journey, and what support does the ZTAC plan to provide to alleviate leaders' concerns?
Reavis: For CSA, research is not useful if it cannot be applied. Education must be pragmatic. While a full business digital transformation may be the goal for many, we have to also provide a lot of incremental tools to help leaders take steps forward in this journey. In my conversations with many CXOs, we are discussing “lowercase” zero trust, where we may look at solutions for a small but sensitive system rather than an enterprise-wide asset to build confidence in the methodology. We intend to catalog an extensive number of case studies to help create a knowledge base for the incremental successes as well as guidance for creating enterprise infrastructure by providing a zero trust “dial tone.”
Editorial Team: There are a lot of vendors hopping on the zero-trust bandwagon. How will the the CSA help enlighten on the standards that keep the term from becoming watered down or jargon?
Reavis: For 13 years, Cloud Security Alliance has been creating research that is vendor-neutral and highly credible, we take care to make sure that a diverse set stakeholders – enterprise customers, vendors, auditors, etc. – are involved in creating a strong consensus. When zero trust is defined as a strategy and the solutions are very contextual, I see that as taking the wind out of the sails of those trying to take shortcuts to the market versus solving customer zero trust problems holistically.
Editorial Team: Given this is a technology and security leader audience, what content does the ZTAC plan to issue in the coming months that should benefit this audience the most?
Reavis: Coming soon you can expect to see our “Zero Trust as Security Philosophy” whitepaper which helps cast zero trust as a set of principles beyond any flavor-of-the-month technology. We are very excited to share the results of our survey, “CISO Perspectives and Progress in Deploying Zero Trust” which provides an excellent view into the current state of Zero Trust. You will also see our curated ZT Resource Center online soon, which will catalog important best practices and case studies from across the industry, not just the original research CSA undertakes.
Editorial Team: In your wildest dreams, what does the ZTAC grow into? How does this initiative satisfy your founding ambitions for it?
Reavis: If you look at what we understand zero trust to mean: concepts such as nothing implicitly trusted, building explicit trust, implementing least privilege access and regularly validating entities, you realize that these are not new concepts and go back to the origins of what we have aspired to accomplish in computer security. When the internet was created, the original RFCs that defined it did not address security, which would have been ok if the internet didn’t proceed to consume every proprietary computer network in its way. My belief is that zero trust is nothing less than the blueprint for the next version of the internet and my hope is that the Zero Trust Advancement Center will be seen as a key catalyst for that outcome.
What to read next