At the risk of falling foul of the "never assume" rule - but rather keeping the list manageable I'd suggest that "supply chain" is covered by both hardware and software, and "users" are lumped into the endpoint.
And strictly it's "entities" at the endpoint; not people.
1) you don't actually know whether it's a person, an AI or an IoT or just a system at the end (Entities are: People, Devices, Organizations, Code, Agent) and
2) you should not care - but should care about the fidelity at which they can assert who they claim to be, and the level of immutability between the entity and the device.
Regards
Paul
------------------------------
Paul Simmonds
CSA UK Chapter
------------------------------
Original Message:
Sent: Mar 05, 2021 04:40:53 AM
From: Ivan Djordjevic
Subject: Zero trust and cloud
@Paul Simmonds, I like your list :-)
Would you add 'no trust in supply chain' and 'no trust in users (in general)' ?
------------------------------
Ivan Djordjevic
security & identity architect
salesforce
Original Message:
Sent: Mar 04, 2021 07:37:14 AM
From: Paul Simmonds
Subject: Zero trust and cloud
So I'm going to debate your "Zero trust is about 'never trust, always verify'"; Zero Trust is about:
- understanding what you do not control
- understanding where (in YOUR context) YOUR risk is
- working out what controls* you need to put in place to mitigate YOUR risk** to an acceptable level
*Remembering these can be technological controls, but can also be organizational, procedural controls or even assuring yourself that the 3rd party controls are adequate.
** A proper understanding of risk is notoriously hard to define.
Your list of things not to trust (what I'm coining "True Zero Trust") is as follows:
- No trust in any network, including your own network
- No trust in the Internet
- No trust in the countries you operate in
- No trust in any identity ecosystem
- No trust in the server (other than for availability)
- No trust in the operating system
- No trust in the hardware
- No trust in system administrators (yours or "theirs")
- No trust in a (secure) server location
- No trust in the system's physical security
- No trust in the endpoint
As far as your specific "what about SaaS" - it depends. I'm reasonably happy to trust my personal email to a SaaS service and, with taking certain procedural and technical mitigations (implement 2FA), that it's secure enough to meet my risk appetite. Your mileage may vary!
Paul
------------------------------
Paul Simmonds
CSA UK Chapter
Original Message:
Sent: Mar 03, 2021 12:41:18 PM
From: Ivan Djordjevic
Subject: Zero trust and cloud
Hi all, further to some interesting zero trust discussions on this forum, I had a specific question that I'm curious on the views of this group:
Zero trust is about "never trust, always verify" - but how can you achieve that in the context of cloud services (SaaS in particular) where a lot of control rests with the provider and not with the user organisation (who have only limited visibility and must rely on compliance auditing)?
What are your views / some strategies?
Thank you!
------------------------------
Ivan Djordjevic
security & identity architect
salesforce
------------------------------