ZTA is based on the principle of never trusting any user or device by default, regardless of their location or ownership. ZTA policies can use various methods to verify the identity and context of third-party users and devices, such as tokens, certificates, multifactor authentication, device posture assessment, etc. ZTA policies can also enforce granular and dynamic access policies that grant the minimum necessary privileges to third-party users and devices for accessing specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents unauthorized access and lateral movement within the network.

The ZT tenet of assume breach is based on the notion that malicious actors reside inside and outside the network, and that any user, device, or service can be compromised at any time. Therefore, ZT requires continuous verification and validation of all entities and transactions, and does not rely on implicit trust or perimeter-based defenses

Risk assessment is the process of identifying, analyzing, and evaluating the risks that an organization faces in achieving its objectives. Risk assessment helps to determine the scope of the target state definition for ZT planning, as it identifies the critical assets, threats, vulnerabilities, and impacts that need to be addressed by ZT capabilities and activities. Risk assessment also helps to prioritize and align the ZT planning with the organization's risk appetite and tolerance levels.

SDP mitigates the risk of broken access control by mandating micro-segmentation and implementing least privilege. Micro-segmentation divides the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. Least privilege grants the minimum necessary access to users and devices for specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents attackers from exploiting weak or misconfigured access controls

Data and asset classification should be based on the sensitivity of data, which is the degree to which the data requires protection from unauthorized access, modification, or disclosure. Data sensitivity is determined by the potential impact of data loss, theft, or corruption on the organization, its customers, and its partners. Data sensitivity can also be influenced by legal, regulatory, and contractual obligations.

Reference =

Certificate of Competence in Zero Trust (CCZT) prepkit, page 10, section 2.1.1

Identify and protect sensitive business data with Zero Trust, section 1

Secure data with Zero Trust, section 1

SP 800-207, Zero Trust Architecture, page 9, section 3.2.1

SOAR is a collection of software programs developed to bolster an organization's cybersecurity posture. SOAR tools can automate the response to security events and incidents by executing predefined workflows or playbooks, which can include tasks such as alert triage, threat detection, containment, mitigation, and remediation. SOAR tools can also orchestrate the integration of various security tools and data sources, and provide centralized dashboards and reporting for security operations.

Reference=

Certificate of Competence in Zero Trust (CCZT) prepkit, page 23, section 3.2.2

Security Orchestration, Automation and Response (SOAR) - Gartner

Security Automation: Tools, Process and Best Practices - Cynet, section ''What are the different types of security automation tools?''

Introduction to automation in Microsoft Sentinel

Different SDP deployment models have different advantages and disadvantages depending on the organization's use case, such as the type of resources to be protected, the location of the clients and servers, the network topology, the scalability, the performance, and the security requirements. Network architects should consider their use case before selecting an SDP model that best suits their needs and goals.

Reference=

Certificate of Competence in Zero Trust (CCZT) prepkit, page 21, section 3.1.2

6 SDP Deployment Models to Achieve Zero Trust | CSA, section ''Deployment Models Explained''

Software-Defined Perimeter (SDP) and Zero Trust | CSA, page 7, section 3.1

Why SDP Matters in Zero Trust | SonicWall, section ''SDP Deployment Models''

The policy engine (PE) is the component in a ZTA that is responsible for deciding whether to grant access to a resource. The PE evaluates the policies and the contextual data collected from various sources, such as the user identity, the device posture, the network location, the resource attributes, and the environmental factors, and then generates an access decision. The PE communicates the access decision to the policy enforcement point (PEP), which enforces the decision on the resource.

Reference=

Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2

What Is Zero Trust Architecture (ZTA)? - F5, section ''Policy Engine''

What is Zero Trust Architecture (ZTA)? | NextLabs, section ''Core Components''

[SP 800-207, Zero Trust Architecture], page 11, section 3.3.1

Rule-based security policies are a type of attribute-based access control (ABAC) policies that define rules that control the entitlements to assets, such as data, applications, or devices, based on the attributes of the subjects, objects, and environment. The policy decision point (PDP) is the component in a zero trust architecture (ZTA) that evaluates the rule-based security policies and generates an access decision for each request.

Reference=

Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2

A Zero Trust Policy Model | SpringerLink, section ''Rule-Based Policies''

Zero Trust architecture: a paradigm shift in cybersecurity - PwC, section ''Security policy and control framework''