I think we need to examine the word "Trust" carefully - from a human context:
Trust is a central part of all human relationships, including romantic partnerships, family life, business operations, politics, and medical practices. If you don't trust your doctor or psychotherapist, for example, it is much harder to benefit from their professional advice.
But what is trust? Here are some possibilities:
- Trust is a set of behaviors, such as acting in ways that depend on another.
- Trust is a belief in a probability that a person will behave in certain ways.
- Trust is an abstract mental attitude toward a proposition that someone is dependable.
- Trust is a feeling of confidence and security that a partner cares.
- Trust is a complex neural process that binds diverse representations into a semantic pointer that includes emotions.
The importance of trust is becoming more dependent on complex, often invisible, connected technologies, data streams and third parties. But people instinctively distrust things they can't see, touch or understand.
And yet, we are talking fundamentally about technical trust of machines, devices, networks, applications, users and data.
For zero trust to be effective, it needs to consider not only the user, but the risks of the resources themselves.
It does not. You would never grant access in a zero trust model if the assets have remotely exploitable critical flaws. Zero trust ignores the resources' risk, while focusing inordinately on access controls. Hence we should not use the term "Trust Access", especially if the resources' risk has been ignored or the assets have already been compromised, aka the FireEye/SolarWinds lessons.
Regards
------------------------------
John Martin
Senior Security Architect
IBM New Zealand Limited
------------------------------
Original Message:
Sent: Dec 09, 2020 08:19:44 AM
From: Girish Jorapurkar
Subject: Zero Trust, Coffee & Dave Lewis
@Paul Simmonds, you put it so well that I had to 'like' your reply.
As a Software Security architect, I view Zero Trust not as (only) an Infrastructure Security or Enterprise Security problem, but as a way to sharpen Security mindset/thinking. You will never have Zero Trust; as far as I understand how security works in technical implementation, there is always a root trust store. However, the goal of 'Zero Trust' architecture/implementation sets you on a journey of continuously improving a security posture that is risk-based and self-aware.
Any level of security implemented is founded on 'Trust Access'; I think where we security purists have an issue is this: there is too much trust flowing through the system. 'Zero Trust', even though technically absurd, is a good war-cry to express our zest for setting the highest bar for identity security.
Thank you @Dave Lewis for triggering interesting conversation. Definitely matched the energy of my morning coffee!
------------------------------
Girish Jorapurkar
Security Architect
Original Message:
Sent: Dec 08, 2020 02:27:13 PM
From: Paul Simmonds
Subject: Zero Trust, Coffee & Dave Lewis
So I'm going to fundamentally disagree with your renaming; ZT was already a bad (and incorrect) term, but was snappier than "de-perimeterisation" (the breakdown of the corporate perimeter as an effective security boundary).
There is no such thing as "Trusted Access" - that implies being able to replace "Trust in the internal network" with "Trust in your access system" which we should all know is BS.
So what is ZT? - I'd argue that:
- It's an (architectural) state of mind
- A journey with quick wins, as well as long term strategy!
- Security architecture aligned with business strategy!
- A design for "Internet" and implemented on both Intranet & Internet!
More importantly, it's about "risk-based" access:
- Making a risk-based decision
- About access to data and/or systems
- Based on the trusted identity and attributes
- Of all the entities and components in the transaction chain
The problem with "trusted access" is that you fall foul of the "locus-of-control" problem (Jericho Forum commandment #8) - in IT terms, you take a variable ("maybe Paul Simmonds, based on a number of factors") and the IT system turns it into a binary "IS Paul Simmonds" and passes that on to every system inside your organisation, no matter whether it's the server with the lunchtime menu, the R&D server with pre-patent research, or the server with the corporate results going to the city.
And then of course there are all those pesky users that are in your identity system that you do not actually employ, or manage properly (contractors, JV partners, temp staff, cleaners, summer interns etc.).
Then there are the thirty audit staff from E&Y who just turned up to audit you, connecting their PCs to your network, requiring access, but their IAM system is different from yours!
The real-world examples are endless on why what we do is broken, and why just implementing an access system we "trust" is NOT the solution.
Light blue touch-paper and retire to a safe distance.......
Paul
References:
Jericho Forum Commandments, https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf
Jericho Forum "Identity" Commandments, https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
Identity 3.0 Principles https://www.globalidentityfoundation.org/downloads/Identity_30_Principles.pdf
https://downloads.cloudsecurityalliance.org/events/csa-congress-emea-2014/Paul-Simmonds.pdf
------------------------------
Paul Simmonds
CSA UK Chapter
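Paul's risk-based decision chain and John's point about resource risk, as an added Python sketch that is not part of any post in this thread; the entity names, assurance scores and thresholds are constructed assumptions, and the legacy function shows the binary "IS Paul" collapse the post warns about:

```python
from dataclasses import dataclass

@dataclass
class Entity:
    """One link in the transaction chain (user, device, network, app...)."""
    name: str
    assurance: float  # 0..1: confidence in this link (constructed scale)

@dataclass
class Resource:
    name: str
    sensitivity: int          # 1 = lunchtime menu ... 3 = pre-patent research
    open_critical_vulns: int  # known remotely exploitable critical flaws

# Required chain confidence per sensitivity level (constructed thresholds).
REQUIRED = {1: 0.50, 2: 0.80, 3: 0.95}
STEP_UP_MARGIN = 0.20  # within this much of the bar: ask for more evidence

# Constructed sample chain: "maybe Paul", a managed laptop, a hotel network.
SAMPLE_CHAIN = [Entity("paul", 0.9), Entity("laptop", 0.95), Entity("hotel-wifi", 0.9)]

def chain_confidence(chain):
    """Confidence is a product over the chain: any weak link drags it down,
    and it can never exceed the weakest entity's own assurance."""
    conf = 1.0
    for entity in chain:
        conf *= entity.assurance
    return conf

def legacy_decide(chain, resource):
    """The 'locus-of-control' failure: 'maybe Paul' is collapsed once into a
    binary 'IS Paul', and every server downstream honours that verdict."""
    is_paul = chain_confidence(chain) >= 0.5
    return "allow" if is_paul else "deny"

def risk_based_decide(chain, resource):
    """Keep the confidence as a number and weigh the resource's own risk:
    a critically flawed asset gets no access regardless of who is asking."""
    if resource.open_critical_vulns > 0:
        return "deny: resource has unpatched critical flaws"
    conf = chain_confidence(chain)
    bar = REQUIRED[resource.sensitivity]
    if conf >= bar:
        return "allow"
    if conf >= bar - STEP_UP_MARGIN:
        return "step-up"  # e.g. stronger authentication before proceeding
    return "deny"
```

Note that the same chain is "allow" everywhere under the legacy collapse, but only the lunchtime menu is a plain allow once confidence and resource risk are kept in the decision.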
Original Message:
Sent: Dec 08, 2020 12:16:55 PM
From: Dave Lewis
Subject: Zero Trust, Coffee & Dave Lewis
Hi folks,
Thanks for taking the time to stop by. I'm Dave Lewis. I work as a Global Advisory CISO with Duo Security which is now part of Cisco Systems. I have been in security in one form or another for over a quarter century having done everything from being a firewall admin through to being a CISO. It has been a wild ride over the decades and I've learned a lot of lessons along the way (mostly from falling on my own sword).
For the last three years I've been focused on Zero Trust or as I'd prefer to call it, Trusted Access. This discussion is more about reducing risk in your environment as opposed to chasing boxes with blinky lights.
I'm here to answer any and all questions about zero trust to the best of my ability. If I don't know the answer I'll be sure to track it down afterwards. Looking forward to our discussion.
Thanks,
------------------------------
Dave Lewis
Global Advisory CISO
Cisco Systems
------------------------------