Cloud Security Alliance Launches Zero Trust Credential
I got my start with information security, often called cybersecurity these days, back in the 1990s. My experience grew mostly out of developing, then teaching, then writing books about Microsoft Server and related networking environments.
Over the next 10 years I would get into ever more and varied security situations, along with the platforms and products that people used to make them work and keep them as safe as they could. Across the first six editions of The CISSP Study Guide (published in 2012, the year I dropped out of that group effort) the term "zero trust" didn't make it into the index.
Even then, however, the basic concept behind ZT (as it's often abbreviated) was already pretty well known and understood. That said, it wasn't until 2018 that cybersecurity researchers at the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) issued a publication entitled Special Publication 800-207 Zero Trust Architecture (SP800-207).
That is what really got the zero trust bus gassed up and out of the depot, and it's been rolling all over the security landscape ever since.
Getting from SP800-207 to CCZT
First, let me explain that CCZT stands for Certificate of Competence in Zero Trust. Its sponsor is Cloud Security Alliance (CSA), an industry organization that involves cloud industry professionals and practitioners, related professionals and technical associations, government arms and agencies, cloud technology focused companies — essentially a cornucopia of organizations and individuals with a mutual interest in safe and secure cloud computing.
The organization was founded in 2008 and began its work with a Wiki-style publication called Critical Areas of Focus in Cloud Computing. Current membership is estimated at 80,000 and includes individuals, companies, organizations, and institutions of all sizes and kinds.
The CSA has worked extensively to support cloud security initiatives and policy-making at NIST, the European Commission (EC), and many other bodies and agencies involved in data protection and security standards, regulations, and policies.
What About the CCZT?
On Nov. 16, the CSA announced this first-ever training and certificate program in the area of Zero Trust. The idea is to prepare those who work in and with cloud technologies and platforms to understand and implement proper, well-thought-out zero trust approaches to creating, using, and managing cloud-based applications, services and data.
The InfoSecurity Magazine story about this announcement cites a Gartner estimate that "60 percent adoption [of Zero Trust security models] will occur by 2025." Dean Webb, a cybersecurity solutions engineer at security firm Merlin Cyber, endorses that estimate.
The same InfoSecurity story describes the CCZT program as follows: CCZT "provides a comprehensive education, drawing on best practices endorsed by industry experts, standards bodies and governments. Notably, it incorporates foundational principles from leading sources such as CISA and NIST, as well as innovative insights from CSA Research and the expertise of zero trust pioneer John Kindervag."
The home page for CCZT is a little more expansive and detailed. It asserts that the CCZT "provides an in-depth understanding of Zero Trust architecture, its components, and its functioning." The target audience is security professionals, whom a CCZT should help "advance their career" while supporting "organizations who must maintain strong security postures."
This is good and important stuff for security in general, but especially important in the cloud where (as I observed earlier) many parties, including many unknown and untrusted ones, come together to access and interact with resources, information, services and more.
Speeds and Feeds (of a Sort)
CSA offers a free prep kit for the CCZT that interested readers might want to download and peruse. The exam itself costs $175. It is an open-book exam and runs 90 minutes, during which candidates must answer 50 multiple-choice questions from the subject domains that the CCZT covers.
These include ZT foundational concepts, ZT architecture, the software-defined perimeter, NIST and CISA best practices, ZT planning and ZT implementation. CSA offers self-study training, which includes materials from the free prep kit (knowledge guide, FAQ, and three "authoritative resources").
Purchasing an exam token also includes a digital copy of the CCZT Study Guide, with additional and extensive learning and test practice materials. Candidates may also opt for instructor-led training classes (but I really couldn't figure out who's offering the classes, nor how much they cost).
A $455 "Exam Bundle" is available that includes multiple training elements for each of the knowledge domain areas. It also appears to include an exam token — looks like a pretty good deal.
Long Story Short: Check It Out!
If you work in cybersecurity, then you can't help but work in and around the cloud. This certificate and its related training materials appear to be thoughtfully put together, well organized, and surprisingly affordable.
While not all the details are crystal clear as yet (to me anyway), I can see enough of value here to recommend that readers who already work in the security patch (or who'd like to move their careers in that direction) check this offering out. It appears to be more than worth the time it will take you to dig in and decide whether it's something you'd like to pursue.