The Inner Circle


Zero trust and cloud

  • 1.  Zero trust and cloud

    Posted Mar 03, 2021 12:41:00 PM
    Hi all, further to some interesting zero trust discussions on this forum, I had a specific question that I'm curious on the views of this group:

    Zero trust is about "never trust, always verify" - but how can you achieve that in the context of cloud services (SaaS in particular), where a lot of control rests with the provider and not with the user organisation (which has only limited visibility and must rely on compliance auditing)?
    What are your views / some strategies?
    Thank you!

    ------------------------------
    Ivan Djordjevic
    security & identity architect
    salesforce
    ------------------------------


  • 2.  RE: Zero trust and cloud

    Posted Mar 03, 2021 08:39:00 PM

    Thanks for your post.

    Compared with IaaS/PaaS users, SaaS users tend to be more business-focused.

    It seems very challenging for SaaS users to recognize pros and cons of "Zero Trust".

    A kind of "Translator" would be required between tech-oriented cloud service providers and business-oriented SaaS users.



    ------------------------------
    Eiji Sasahara
    Representative of the Directors
    Cloud Security Alliance Japan Chapter
    ------------------------------



  • 3.  RE: Zero trust and cloud

    Posted Mar 04, 2021 07:36:00 AM
    If you are providing cloud services, you will need to implement Zero Trust at that layer. SDP is a good implementation of Zero Trust for SaaS. If you are using a SaaS, ask the SaaS vendor how they are doing with their Zero Trust implementation and, if you are a large enough organization, you can add this to your SLAs. Which brings up a great project for us to work on: what do these Zero Trust SLAs look like?

    Juanita.

    ------------------------------
    Juanita Koilpillai
    CEO/Founder
    Waverley Labs
    ------------------------------



  • 4.  RE: Zero trust and cloud

    Posted Mar 05, 2021 04:39:00 AM
    Thank you @Juanita Koilpillai - "ask the SaaS vendor how they are doing" - that is exactly the point here, so there needs to be a level of trust and compliance validation (as @Paul Simmonds points out below - the process controls).
    These are my thoughts as well, thanks for the validation!

    ------------------------------
    Ivan Djordjevic
    security & identity architect
    salesforce
    ------------------------------



  • 5.  RE: Zero trust and cloud

    Posted Mar 04, 2021 07:37:00 AM
    So I'm going to debate your "Zero trust is about 'never trust, always verify'"; Zero Trust is about:
    1. understanding what you do not control
    2. understanding where (in YOUR context) YOUR risk is
    3. working out what controls* you need to put in place to mitigate YOUR risk** to an acceptable level
    *Remembering these can be technological controls, but can also be organizational, procedural controls or even assuring yourself that the 3rd party controls are adequate.
    ** A proper understanding of risk is notoriously hard to define.

    Your list of things not to trust (what I'm coining "True Zero Trust") is as follows:
    • No trust in any network, including your own network
    • No trust in the Internet
    • No trust in the countries you operate in
    • No trust in any identity ecosystem
    • No trust in the server (other than for availability)
    • No trust in the operating system
    • No trust in the hardware
    • No trust in system administrators (yours or "theirs")
    • No trust in a (secure) server location
    • No trust in the system's physical security
    • No trust in the endpoint
    As far as your specific "what about SaaS" - it depends - I'm reasonably happy to trust my personal email to a SaaS service and, with taking certain procedural and technical mitigations (implement 2FA), that it's secure enough to meet my risk appetite. Your mileage may vary!

    Paul

    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------



  • 6.  RE: Zero trust and cloud

    Posted Mar 05, 2021 04:41:00 AM
    @Paul Simmonds, I like your list :-)
    Would you add 'no trust in supply chain' and 'no trust in users (in general)'?

    ------------------------------
    Ivan Djordjevic
    security & identity architect
    salesforce
    ------------------------------



  • 7.  RE: Zero trust and cloud

    Posted Mar 05, 2021 06:15:00 AM
    At the risk of falling foul of the "never assume" rule - but rather keeping the list manageable - I'd suggest that "supply chain" is covered by both hardware and software, and "users" are lumped into the endpoint.

    And strictly it's "entities" at the endpoint; not people.
    1) you don't actually know whether it's a person, an AI, an IoT device or just a system at the end (Entities are: People, Devices, Organizations, Code, Agents) and
    2) you should not care - but should care about the fidelity at which they can assert who they claim to be, and the level of immutability between the entity and the device.

    Regards

    Paul

    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------



  • 8.  RE: Zero trust and cloud

    Posted Mar 05, 2021 08:08:00 AM
    Edited by Rowan Sheridan Mar 05, 2021 01:20:25 PM

    I've seen that the NCSC have said there are 8 zero trust principles (recently reduced from 10).



    ------------------------------
    Rowan Sheridan
    it
    it
    ------------------------------



  • 9.  RE: Zero trust and cloud

    Posted Mar 05, 2021 10:23:00 AM

    Wow, what a disappointing list....

    Comments as follows:
    1. This is nothing to do with ZT, this should be mandatory for ANY architecture.
    2. Ditto
    3. Ditto
    4. Why, policies (depending on your definition) may just be one way to do this
    5. Nooooooooooooooooo - If I want to access the canteen menu why do I need to authenticate? Level of authentication should be risk based
    6. Why? This depends on YOUR architecture and YOUR risk
    7. Bleeding obvious
    8. Why? A non-specific ZT solution may be more appropriate for your needs.

    Better to go back to the root of where ZT came from:

    https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

    Paul



    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------



  • 10.  RE: Zero trust and cloud

    Posted Mar 06, 2021 05:49:00 AM
    I thought that recent NSA guidance also had some sensible points - https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

    ------------------------------
    Ivan Djordjevic
    security & identity architect
    salesforce
    ------------------------------



  • 11.  RE: Zero trust and cloud

    Posted Mar 05, 2021 03:28:00 PM
    Noting these are provided as a BETA model at this stage. You can discuss and provide feedback on the UK NCSC ZT Principles on their GitHub site (using the links in Rowan's post).

    ------------------------------
    Phil Cutforth
    Manager, INFOSEC Policy and Research
    NZ GCISO
    ------------------------------



  • 12.  RE: Zero trust and cloud

    Posted Mar 05, 2021 03:32:00 PM
    I agree with your thinking here, Ivan.
    Though I had further refined the supply chain category to principally the 3rd party's GRC processes/maturity.
    Could be extended to their Service Management processes as well, such as Patching and other critical maintenance activities?

    ------------------------------
    Phil Cutforth
    Manager, INFOSEC Policy and Research
    NZ GCISO
    ------------------------------



  • 13.  RE: Zero trust and cloud

    Posted Mar 06, 2021 05:39:00 AM
    Edited by Ivan Djordjevic Mar 06, 2021 05:40:48 AM
    Thank you.
    IMHO one of the challenges is that SaaS providers (or supply chain parties more generally) are not always able to share the level of detail needed to verify (e.g. think of techops or csirt logs) without potentially compromising themselves and other tenants of the service.
    In many cases compliance reports are used as process controls to build that trust (here's an unfortunate use of the word...) - but is SOC2 every 6 months good enough? Could a more continuous auditing help and is it realistic?

    ------------------------------
    Ivan Djordjevic
    security & identity architect
    salesforce
    ------------------------------