Software Defined Perimeter


Zero Trust Maturity Model initiative - April 21 Meeting Notes

  • 1.  Zero Trust Maturity Model initiative - April 21 Meeting Notes

    Posted Apr 26, 2022 05:48:00 PM

    Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on April 21.
    We continued our discussion about the CISA Zero Trust Maturity Model, with part 3 of the discussion queued up for next time. 

    Meeting recording (mp4): https://drive.google.com/file/d/1hxIspG3tBOzQcNiNBfx6c96ZM8zfw1J5/view?usp=sharing

    Meeting notes:

      Topic: Walkthrough of CISA Zero Trust Maturity Model:

      https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf

      CISA Model - Continued Discussion

      • Devices
        • Identity
          • We critiqued the CISA note on page 7: "As agencies migrate services to the cloud, their users will have identities among a variety of providers. To effectively manage these identities and align security protections holistically, agencies will need to integrate their on-premises identities with those in the cloud environments. These integrated identities, however, can increase the attack surface of the agency because a compromised identity or identity provider may permit access across the broader agency environment."
          • We felt that it's not obvious or automatic that centralizing into an integrated identity provider will increase the attack surface or risk - in fact, in many cases, because a single centralized IDP is typically better operated, such a setup can in fact improve security.
        • Compliance monitoring
          • better to have percentages vs "limited" and "most"
          • different types of devices - user devices, servers, IoT
        • Visibility / Asset Management
          • Very often an issue - most orgs don't do a great job with this
          • This lack of visibility represents a shortcoming
          • in the CISA doc, it shows the "how", not the "what"
          • This should be broader than just hardware & devices
            • Networks, data, cloud accounts, topologies, etc - all these are "assets" that are important from a ZT perspective
          • Asset status & attributes are important input into ZT access - the device posture
          • This device posture information could come from a ZT client running on the device itself, or from a separate system (e.g. EDR) as input into the PDP for deciding about access
          • ZTMMs can't be overly prescriptive because there are many ways to solve each problem, and different orgs will already have elements in place
            • Idea: ZTMM to include examples of these considerations and different approaches, to analyze pros and cons
          • Likely we'd want to treat different devices separately (e.g. not lump together user devices, servers, IoT)
          • How much of the "how" should we include?
            • add "example technologies" for the rows (or even the levels)
            • How can we do this without making the document too detailed?
            • e.g. Visibility and Analytics mentioned "use an EDR tool"
          • CISA verbiage "make services and data available directly to users without routing through traditional access points. " is confusing and incorrect/misleading
        • Network/Environment
          • network segmentation
          • threat protection
          • Encryption
            • Optimal should require encryption everywhere - not "where possible"
            • If you aren't encrypting traffic, you aren't at "optimal"
          • Automation & Orchestration
            • progression is reasonable
            • change management - reflected in this progression. Processes around this need to be tied into asset & device inventory
            • Automation key to ensuring integrity of all these systems and processes
        • CISA needs to better define what they mean by "enabling agencies to make applications and services available directly to remote users and branch offices."



      Next meeting - Thursday, May 5 at 8pm ET - which is Friday May 6 at 00:00 UTC / 8am China Standard Time

      Note that we're switching back to the 8pm ET meeting time for our next meeting.

      Topic: Continued walkthrough of CISA Zero Trust Maturity Model:

      We will post the meeting Zoom link within 36 hours of the next meeting





      ------------------------------
      Jason Garbis, CISSP
      Co-Chair, SDP Zero Trust Working Group
      CPO, Appgate
      ------------------------------
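The notes above describe device posture (from a ZT client on the device or from a separate system such as EDR) feeding the PDP's access decision, and separately suggest reporting compliance as percentages per device class rather than "limited"/"most". The following is an added example written for this page, not code from the working group or from CISA: a minimal PDP that keeps the freshest posture record per device from either source, denies when posture is missing or stale, applies per-class requirements (user, server, IoT), and reports a compliance percentage per class. The device names, attribute names, the 15-minute freshness window and all posture records are constructed assumptions for illustration.

```python
"""Minimal zero-trust policy decision point (PDP) combining an identity
check with device posture. Posture may come from a ZT client on the device
or from a separate system (EDR); the PDP treats missing or stale posture as
unknown and denies. All identifiers and records below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: posture older than this is treated as unknown.
MAX_POSTURE_AGE = timedelta(minutes=15)

# Assumed per-class requirements: attributes that must be true to pass.
REQUIREMENTS = {
    "user": ("disk_encrypted", "edr_healthy"),
    "server": ("edr_healthy",),
    "iot": ("firmware_current",),
}


@dataclass
class Posture:
    device_id: str
    device_class: str      # "user", "server" or "iot"
    source: str            # "zt_client" or "edr"
    reported_at: datetime
    disk_encrypted: bool = False
    edr_healthy: bool = False
    firmware_current: bool = False


@dataclass
class Request:
    subject: str
    device_id: str
    resource: str
    mfa: bool              # identity assertion already verified upstream
    now: datetime


class PostureStore:
    """Keeps the freshest posture record per device, whatever the source."""

    def __init__(self) -> None:
        self._by_device: dict[str, Posture] = {}

    def ingest(self, p: Posture) -> None:
        cur = self._by_device.get(p.device_id)
        if cur is None or p.reported_at > cur.reported_at:
            self._by_device[p.device_id] = p

    def get(self, device_id: str) -> Optional[Posture]:
        return self._by_device.get(device_id)

    def all(self) -> list[Posture]:
        return list(self._by_device.values())


def posture_ok(p: Posture, now: datetime) -> tuple[bool, str]:
    """Freshness first, then the class-specific attribute checks."""
    if now - p.reported_at > MAX_POSTURE_AGE:
        return False, f"device: posture from {p.source} is stale"
    for attr in REQUIREMENTS[p.device_class]:
        if not getattr(p, attr):
            return False, f"device: {attr} failed ({p.source})"
    return True, f"{p.device_class}/{p.source}"


def decide(req: Request, store: PostureStore) -> tuple[bool, str]:
    """Allow only when identity and device posture both pass."""
    if not req.mfa:
        return False, "identity: MFA not satisfied"
    p = store.get(req.device_id)
    if p is None:
        return False, "device: no posture on record"
    ok, detail = posture_ok(p, req.now)
    if not ok:
        return False, detail
    return True, f"allow: {req.subject} -> {req.resource} via {detail}"


def compliance_by_class(store: PostureStore, now: datetime) -> dict[str, float]:
    """Percentage of known devices per class with fresh, passing posture."""
    seen: dict[str, int] = {}
    good: dict[str, int] = {}
    for p in store.all():
        seen[p.device_class] = seen.get(p.device_class, 0) + 1
        if posture_ok(p, now)[0]:
            good[p.device_class] = good.get(p.device_class, 0) + 1
    return {c: round(100.0 * good.get(c, 0) / n, 1) for c, n in seen.items()}


NOW = datetime(2022, 4, 21, 20, 0, tzinfo=timezone.utc)


def sample_store() -> PostureStore:
    """Constructed posture feed: agent and EDR records, some stale or failing."""
    store = PostureStore()
    store.ingest(Posture("laptop-1", "user", "zt_client", NOW - timedelta(minutes=5),
                         disk_encrypted=True, edr_healthy=True))
    # Older EDR record for the same laptop must not overwrite the fresher agent report.
    store.ingest(Posture("laptop-1", "user", "edr", NOW - timedelta(minutes=30),
                         disk_encrypted=True, edr_healthy=False))
    store.ingest(Posture("laptop-2", "user", "edr", NOW - timedelta(hours=2),
                         disk_encrypted=True, edr_healthy=True))
    store.ingest(Posture("srv-1", "server", "edr", NOW - timedelta(minutes=1),
                         edr_healthy=False))
    store.ingest(Posture("cam-1", "iot", "zt_client", NOW - timedelta(minutes=1),
                         firmware_current=True))
    return store


if __name__ == "__main__":
    s = sample_store()
    for dev in ("laptop-1", "laptop-2", "srv-1", "cam-1", "ghost-9"):
        print(dev, decide(Request("alice", dev, "hr-app", True, NOW), s))
    print(compliance_by_class(s, NOW))
```

The store keeps the freshest record regardless of source, so an older EDR record cannot downgrade a current agent report; a device with no record, or only a stale one, is denied rather than assumed healthy, which is the failure mode that a "where possible" posture check would miss.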


    • 2.  RE: Zero Trust Maturity Model initiative - April 21 Meeting Notes

      Posted Apr 26, 2022 10:52:00 PM
      Thanks for sharing.