Traditional approaches to security historically included perimeter-based defenses and an implicit trust of network insiders. Zero trust, a wholly different approach to security, treats all users and resources, wherever they are located, as equally untrusted. Organizations will need all hands on deck to implement zero trust, and that will require zero-trust certification and training.
"Zero trust is a team sport," said Holly Felicetta, senior product manager at Forrester, during the organization's 2020 Security & Risk Global summit.
A zero-trust team stretches across IT functions, including security, networking, applications and data, to finance, HR and C-suite executives because financial records and documents contain sensitive data that must be identified, mapped and safeguarded.
"People you have to involve in this may not be engaged in security. They may not even understand the value security has for the organization. But they do understand the value that their data has for the business," said Chase Cunningham, principal analyst at Forrester. "You need to get them involved as allies.
Understanding zero trust
To facilitate this coordination among different departments, security practitioners must be able to communicate what a zero-trust strategy is and why it's important to the business. But buyer beware: The strategic aspect can get lost in the zero-trust "vendor hype."
Equipped with the right training, business and IT leaders will be able to make smart decisions about how zero trust can fit into their organization, and they might be surprised what already exists in their enterprise that can foster zero-trust security.
"You have been doing things that work to enable zero trust whether you realize it or not," said Cunningham, in reference to firewalls, data loss prevention, endpoint security, and identity and access management programs. "What you need to do is take a step back and look at this strategically and programmatically and ask, 'What do I need to have to enable the concept of zero trust?' Focus on what you can fix at a micro level, and then work your way outward."
Zero-trust certification and training options
Organizations should invest in a specialized zero-trust training program to ensure the cross-functional team can speak the same language and collaborate on a comprehensive, enterprise-wide strategy.
Here are the top three zero-trust certifications and training courses available for security practitioners and teams from Forrester, Cybrary and Pluralsight.
1. Forrester's Zero Trust Strategy certification
Forrester offers two versions of its Zero Trust Strategy certification, one for individuals and one for teams, both priced at around $2,000 per person. This comprehensive, on-demand program spans eight weeks and is designed for experienced technologists. Among the instructors are Forrester principal analysts Chase Cunningham, Jinan Budge, Renee Murphy and Jeff Pollard, in addition to Stephanie Balaouras, vice president and group director, and research director Joseph Blankenship.
The six main topics covered in Forrester's Zero Trust Strategy program are the following:
- the Zero Trust eXtended (ZTX) framework
- five steps to a zero-trust network
- the business case for zero trust
- supporting zero trust
- leading change
- maturing zero trust
Successful completion of the program merits certification as a Forrester ZTX Associate (ZTX-AC) or a Forrester ZTX Strategist (ZTX-S). The ZTC-AC and ZTX-S certification requirements vary slightly. The participant's previous professional experience as a technology practitioner may determine which certification track to pursue.
To be awarded a ZTX-AC certification, one must do the following:
- earn the required 710 points; and
- complete the mandatory curriculum to-dos.
To become a certified ZTX-S, participants must do the following:
- earn the required 710 points;
- complete the required to-dos;
- complete three Strategist Assignments; and
- complete the Strategist Project.
Participants earn points by completing curriculum activities, watching course videos and engaging in discussions with other participant profiles. All exercises and assignments are submitted on Forrester's certification learning platform. The course also features a leaderboard, which displays top point earners to introduce competition in the learning process. Participants may also claim continuing professional education (CPE) credit with (ISC)2 for the hours spent working toward certification. Forrester advises between nine and 18 hours of coursework as a minimum to claim CPE credit.
Individuals seeking ZTX-AC should expect to spend one to two hours per week on the course requirements. Those seeking ZTX-S certification should expect to spend two to three hours per week and budget extra time to work on the Strategist Project independently. The additional Strategist Assignments and Strategist Project required of the ZTX-S certification are designed to arm the participant with an actionable zero-trust strategy and timeline that are ready to implement at their organization.
Participants who enroll in the full Zero Trust Strategy course are entitled to the downloadable ZTX Toolkit and ZTX Strategy Workbook. These resources include frameworks, templates and workbooks to help facilitate zero-trust implementation, including a board presentation template and zero-trust security vision blueprint.
If the course is purchased for a team of technology practitioners, Forrester offers optional analyst sessions to provide an additional hour of instruction on zero-trust strategy. Forrester recommends two analyst sessions per team per course, but this may vary based on the team's needs and goals.
2. Cybrary's Zero Trust Networks training course
In Cybrary's Zero Trust Networks training course, students will learn the fundamentals necessary to securely manage trust on users, devices, applications and network traffic. This beginner-level training covers the principles of zero trust, in addition to best practices for implementing this model in the enterprise. The course is instructed by Mario Bardowell, who holds a master's degree in cybersecurity and information assurance, in addition to CISSP, (ISC)2 Systems Security Certified Practitioner and CompTIA Security+ certifications, among others.
Cybrary's Zero Trust Networks training covers the following topics:
- Module 1
- 1.1 Introduction
- Module 2
- 2.11 Defining Zero Trust Networks
- Module 3
- 3.1 The Big Fundamentals, Part 1
- 3.2 The Big Fundamentals, Part 2
- 3.3 Zscaler Integration with Zero Trust, Part 1
- 3.4 Zscaler Integration with Zero Trust, Part 2
- 3.5 Trust Management, Part 1
- 3.6 Trust Management, Part 2
- 3.7 To Trust or Not To Trust, Part 1
- 3.8 To Trust or Not To Trust, Part 2
- 3.9 Pop Quiz and Summary
There is no prerequisite for this course; however, Cybrary recommends that students have a prior understanding of perimeter firewalls, traditional network security architecture, public key infrastructure and network zones. The training is best suited for individuals with the following IT roles: security architect, network operations specialist, system administrator and information systems security manager, among others.
The course can be accessed for free with a Cybrary subscription. Upon completing all components of the three modules -- which typically takes one hour and 17 minutes -- participants will receive two CPE/continuing education unit credits and a Certificate of Completion.
3. Pluralsight's Zero Trust Networking (ZTN): The Big Picture course
This course covers foundational knowledge that students will need to bolster their organization's network and better combat both internal and external malicious actors. This course explains how traditional network and security designs are ineffective at mitigating the complex challenges of today's IT landscapes and how the zero-trust architecture can help. Students will also learn about the security benefits of software-defined perimeter and microsegmentation, both integral to any enterprise zero-trust journey.
Pluralsight's Zero Trust Networking (ZTN): The Big Picture training covers the following topics:
- course overview;
- why we need zero-trust networking;
- creating a new network and security architecture;
- understanding how zero-trust networking works; and
- the zero-trust projects.
The course is instructed by Pluralsight author and independent networking and security consultant at Network Insight Matt Conran. It can be accessed for free with a Pluralsight subscription.