Thank you for taking the time to answer questions on Zero Trust. Can you please explain what Zero Trust is, what business solution it solves, and the market you serve? How does Zero Trust reduce risk in a given environment?

Thanks!
Keith,

I'm afraid you are a victim of "fake news" or "revisionist history". The term "de-perimeterisation" was coined by Jon Measham, a former employee of the UK's Royal Mail, in a research paper, and subsequently used by the Jericho Forum, of which the Royal Mail was a founding member.

Ref: https://en.wikipedia.org/wiki/De-perimeterisation

Its first appearance on the scene was at the 2003 RSA Conference (Europe), see attached press coverage. Also the opening keynote for Blackhat 2003 (Europe) and Blackhat 2004 (USA). It resulted in the formation of the Jericho Forum (eventually run by the OpenGroup):

https://en.wikipedia.org/wiki/Jericho_Forum

The correct timeline is here (from a webinar I did a couple of weeks ago with KuppingerCole and Duo Security) - see attachment; it shows the intertwining with the work of the CSA.

In 2010 John Kindervag presented a document called "Zero Trust Network Architecture" (note the full title) which proposed "Segmented, Parallelized, and Centralized" internal networks as a solution to the de-perimeterisation problem (I was there in the audience, in Boston, at its launch, where he credited Jericho for the original thinking and problem statement).

Note that if you read the original paper by John, whereas the term may have survived, the concepts proposed by him are all about fixing the internal network and bear little, if any, relevance to the problem(s) today. Whereas I'd argue that the original Jericho Forum "commandments" from 2006 are as relevant, if not more relevant, today.
Thanks for the coffee-talk conversation around Zero Trust Network Architecture (ZTNA). Many solutions tout Zero Trust and take different approaches to achieving it. So, it can be confusing for an enterprise looking to implement ZTNA as their future security architecture. NIST recently published SP800-207 Zero Trust Architecture, in hopes of providing clarity. Can you provide your opinion on SP800-207 (scope and effectiveness)? Can you also conjecture on how enterprises can best leverage that NIST standard at scale?
Thanks and best,
------------------------------
Shamun Mahmud
Standards Officer, Sr. Research Analyst
Cloud Security Alliance
WA
------------------------------
Original Message:
Sent: Dec 08, 2020 12:16:55 PM
From: Dave Lewis
Subject: Zero Trust, Coffee & Dave Lewis

Hi folks,

Thanks for taking the time to stop by. I'm Dave Lewis. I work as a Global Advisory CISO with Duo Security which is now part of Cisco Systems. I have been in security in one form or another for over a quarter century having done everything from being a firewall admin through to being a CISO. It has been a wild ride over the decades and I've learned a lot of lessons along the way (mostly from falling on my own sword).

For the last three years I've been focused on Zero Trust or as I'd prefer to call it, Trusted Access. This discussion is more about reducing risk in your environment as opposed to chasing boxes with blinky lights.

I'm here to answer any and all questions about zero trust to the best of my ability. If I don't know the answer I'll be sure to track it down afterwards. Looking forward to our discussion.

Thanks,
------------------------------
Dave Lewis
Global Advisory CISO
Cisco Systems
------------------------------
The problem with "trusted access" is that you fall foul of the "locus-of-control" problem (Jericho Forum commandment #8) - in IT terms, you turn a variable ("maybe Paul Simmonds, based on a number of factors") and the IT system turns it into a binary ("IS Paul Simmonds") and passes that on to every system inside your organisation, no matter whether it's the server with the lunchtime menu, the R&D server with pre-patent research, or the server with the corporate results going to the City.

And then of course there are all those pesky users that are in your identity system that you do not actually employ, or manage properly (contractors, JV partners, temp staff, cleaners, summer interns etc.).

Then there are the thirty audit staff from E&Y who just turned up to audit you, connecting their PCs to your network, requiring access, but their IAM system is different from yours!

The real-world examples are endless on why what we do is broken, and why just implementing an access system we "trust" is NOT the solution.

Light blue touch-paper and retire to a safe distance.......

Paul
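As an added illustration of the locus-of-control point above (example code written for this page, not from the thread or from any product mentioned in it), the following contrasts a front-door yes/no gate with a per-resource decision that keeps the identity as a graded claim; the factors, scores, resource names and thresholds are constructed assumptions:

```python
from dataclasses import dataclass, field

# Constructed assurance factors for one session. In a real deployment these
# would come from the IdP, the MFA service and a device-posture agent (assumption).
@dataclass
class Session:
    subject: str
    mfa: bool
    managed_device: bool
    employment: str          # "employee", "contractor", "auditor", ...
    idp_domain: str          # which identity system asserted the subject

@dataclass
class Resource:
    name: str
    min_score: int           # assurance needed before this resource says yes
    allowed_employment: set = field(default_factory=lambda: {"employee"})

def assurance_score(s: Session) -> int:
    """Keep identity as 'maybe <subject>, based on factors', not a binary."""
    score = 1                                   # password alone is weak evidence
    if s.mfa:
        score += 2
    if s.managed_device:
        score += 2
    if s.idp_domain == "corp.example":          # an external IAM counts for less
        score += 1
    return score

def binary_gate(s: Session, resources) -> dict:
    """The 'trusted access' anti-pattern: one front-door decision, and every
    system behind it (lunch menu or corporate results) inherits the same answer."""
    admitted = assurance_score(s) >= 2
    return {r.name: admitted for r in resources}

def per_resource_decision(s: Session, resources) -> dict:
    """Locus of control stays with each resource: it applies its own threshold
    and population rules to the factors instead of a pre-collapsed identity."""
    score = assurance_score(s)
    return {r.name: score >= r.min_score and s.employment in r.allowed_employment
            for r in resources}

# Constructed resources mirroring the three servers named in the post.
RESOURCES = [
    Resource("lunch-menu", 1, {"employee", "contractor", "auditor"}),
    Resource("rnd-prepatent", 5),
    Resource("corporate-results", 6),
]
```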
Jericho Forum Commandments: https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

Jericho Forum "Identity" Commandments: https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf

Identity 3.0 Principles: https://www.globalidentityfoundation.org/downloads/Identity_30_Principles.pdf

https://downloads.cloudsecurityalliance.org/events/csa-congress-emea-2014/Paul-Simmonds.pdf