Zero Trust

  • 1.  Zero Trust Maturity Model initiative - April 7 Meeting Notes

    Posted Apr 07, 2022 05:10:00 PM

    Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on April 7.
    We had an engaging discussion about the CISA Zero Trust Maturity Model, with part 2 of the discussion queued up for next time. 

    Meeting recording (mp4): https://drive.google.com/file/d/1mVxrVC-oj8F6-rfabAhsR84PpiW4ORqb/view?usp=sharing

    Meeting notes:

      Topic: Walkthrough of CISA Zero Trust Maturity Model:

      https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf

      CISA Model

      • This is the "Pre-Decisional Draft" of the CISA Zero Trust Maturity Model from June 2021, and an update is expected soon (rumored as soon as April 18)
      • CISA Pillars
        • Identity
        • Devices
        • Network / Environment
        • Application Workload
        • Data
      • Discussion
      • Network & Environment
        • We agree there is value in this as a separate pillar - versus some models that omit it, or split it
      • Data and Application/Workload - as separate pillars - agreed
        • Different requirements and capabilities for these 2
        • Compliance reqs will differ as well
      • Summary pillar on page 5 - general agreement that this is high level and not specific enough
        • But - to get really specific would explode the size and scope of this document to be larger than we (as a volunteer initiative) could reasonably handle
      • Pillars as categories/ways to organize my specific security architecture, inventory, controls and systems
        • Application inventory & controls very different from data
      • Identity Pillar - look at details (page 6)
        • Authentication - not well defined - e.g. what do they mean by MFA?
        • Identity Store - for optimal, what is "identity awareness"?
      • Do Maturity Models by necessity avoid the "How"?
        • Risk Assessment 
          • business risk?
          • Identity risk e.g. device posture, geolocation, 
      • Next time: Complete the walkthrough of the CISA MM

      Next Meeting Thursday April 21 at 8am ET / 12.00 UTC / 8pm China Standard Time / 1400 Central European Summer Time (CEST)

      Topic: Continued walkthrough of CISA Zero Trust Maturity Model:

      Note: On April 21 we are repeating the 8am meeting time due to scheduling constraints. We will return to the alternating meeting times in future meetings.

      Meeting link to be provided within 24 hours of the meeting time.

       

      Working Document:

      https://docs.google.com/document/d/1DPKLBe9MkPnTMYaFYXY56arUI4FnVB5N/edit#



      ------------------------------
      Jason Garbis, CISSP
      Co-Chair, SDP Zero Trust Working Group
      CPO, Appgate
      ------------------------------


    • 2.  RE: Zero Trust Maturity Model initiative - April 7 Meeting Notes

      Posted Apr 21, 2022 08:12:00 AM
      Is there a meeting tonight?

      ------------------------------
      shandy rao
      expert
      no
      ------------------------------



    • 3.  RE: Zero Trust Maturity Model initiative - April 7 Meeting Notes

      Posted Apr 21, 2022 08:33:00 AM
      Hi Shandy - we met this morning, at 8am ET. Sorry we missed you! I will post the meeting notes and recording link on this site by EOD tomorrow.
      Our next meeting will be in 2 weeks, on May 5 at 8pm ET (which will be 8am on May 6 in your time zone).

      regards
      jason

      ------------------------------
      Jason Garbis, CISSP
      Co-Chair, SDP Zero Trust Working Group
      CPO, Appgate
      ------------------------------