Zero Trust

Zero Trust Maturity Model initiative - March 10 working session (with meeting link)

  • 1.  Zero Trust Maturity Model initiative - March 10 working session (with meeting link)

    Posted Mar 09, 2022 04:42:00 PM
    Hello folks,
    a reminder that our next Zero Trust Maturity Model working session is Thursday, March 10 at 8am ET.

    Meeting link: https://appgate.zoom.us/j/82060100045?pwd=QlkzOUxwaWd2VkEyVEV4Mm13UW9WUT09&from=addon

    Pre-meeting homework

    Our working document is here https://docs.google.com/document/d/1DPKLBe9MkPnTMYaFYXY56arUI4FnVB5N/edit#

    We will record this session, for those of you unable to attend.
    Note that our next meeting after this will be March 24 at 8pm ET.

    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, SDP Zero Trust Working Group
    CPO, Appgate
    ------------------------------


  • 2.  RE: Zero Trust Maturity Model initiative - March 10 working session (with meeting link)

    Posted Mar 10, 2022 06:12:00 AM
    Hi Jason,

    Thanks for today's meeting. Most of the industries use COBIT, ITIL, ISO2000X, NIST, and internal group standards to map their operation activities. They will think about how the zero trust maturity model can address their currently used frameworks, standards and situation, and why they need to build the zero trust model or framework. It will be better and more user friendly to give them a guideline or assessment to address this situation.


    Thanks,
    Abby





  • 3.  RE: Zero Trust Maturity Model initiative - March 10 working session (with meeting link)

    Posted Mar 10, 2022 06:43:00 AM
    Hi Jason et al.,

    Sorry I couldn't participate in today's call ... customer engagements came in the way :-)

    Have enclosed the latest DoD ZT Maturity Model outline. I generally think it is one of the first models I see that ticks a few boxes - but I'm still of the impression that these maturity models are still associated / having a dependency on legacy network "security support".

    I will go as far as to say ... you either take a Zero-Trust approach and walk the line i.e. no 3rd party dependency - which means you cannot let a 3rd party operate your security for you. You can have them manage your security - but the control has to stay with the data-owner - which means data at rest should be encrypted and not something the "service provider" can use for anything of value i.e. compromise either.

    or
    ... you stick to network based security - and face the consequences. For 30 years devices have joined a network (IP address) and from there, based on profile and privileges, users have been granted access to resources. With NO perimeter anymore, this is a failed approach and what Zero-Trust can help fix to a large extent - IF it is done intelligently. But there are better and worse ways to implement a Zero-Trust Architecture (what does that really mean? ... and still too fluffy, as well).

    We (our team) are just coming from another part of the world where our Zero-Trust manifest is not including some of the elements in the below model (like PAM, DLP, Add on crypto ... typically based on x.509 etc.). We don't need it, don't want it ... as well as a range of other things we believe our patent submitted to the US PTO, 5 years before Kindervag came up with the Zero-Trust concept :-) 

    Anyway ... we like the progress and the Zero-Trust wave - and finally feel being understood (sort of :-) )


     


    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------