Hi Jason and Abby .. exactly why we don't have or allow any 3rd party security aspects (in our solution). Further I think the Authentic Zero-Trust manifest should be seen from an end-user perspective - meaning ... once password vaults or other external authentic services are introduced in the architecture - you have to downgrade the level of ZT. But if you don't know there is a higher ZT bar - you believe you are on the 'highest' level. In our opinion, you are not.
Seen from a MSSP's perspective - a company like Okta would claim that they increase and help clients to a higher level of "ZT" - and sure they are once coming from nothing. We don't buy that - it is the American way of looking at ZT concentrating around services and hooking the end-user up on your services - like Microsoft, Cisco, Zscaler, CrowdStrike, Okta etc. etc.
The European model - which we bank on - is different. We support the Authentic Zero-Trust manifest - and we let end users stay agile and in control of their own data and security (which they can outsource in fact).
This is an issue I briefly brought up in January when I participated in the workgroup meeting then ... and also something the Danish CSA chapter is looking into at the moment. We use the NIST maturity model (I think I have passed that around in a previous post) - but we are looking into a Zero-Trust classification model - like a 1-5 model - where solutions WITHOUT 3rd party dependencies get a level 4 and if you have 3rd party security dependencies you are classified to a level 3 .. if you reroute traffic and have 3rd party dependencies - you are a level 2 etc.
Just some thoughts and ideas we had on the table in our last Danish CSA-chapter conversation - but we have a small work group established.
I will try to participate in the upcoming event - but I'm finishing a physical meeting at the time the workshop starts, so I could be delayed 5-10 minutes.
If you have questions - feel free to reach out.
------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
------------------------------
Original Message:
Sent: Mar 24, 2022 05:20:19 AM
From: Jason Garbis
Subject: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)
Hi Abby - yes, we can talk about that as well. Definitely an interesting premise: Your identity provider (and MFA provider) is compromised...how bad is this in a Zero Trust world?
------------------------------
Jason Garbis, CISSP
Co-Chair, SDP Zero Trust Working Group
CPO, Appgate
Original Message:
Sent: Mar 23, 2022 07:28:59 AM
From: Abby Zhang
Subject: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)
Thanks for your link. Can we also discuss the Okta incident?
Original Message:
Sent: 3/23/2022 9:25:00 AM
From: Jason Garbis
Subject: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)
Hello all – our next working session for the Zero Trust Maturity Model initiative is March 24 at 8pm Eastern Time.
This corresponds to:
March 24 at 5pm Pacific Time
March 25 at 12.00 midnight UTC
March 25 at 8.00am China Standard Time
The March 24 meeting will be a continuation of our discussion and analysis of the USA Dept of Defense Zero Trust Reference Architecture.
Zoom meeting link:
https://appgate.zoom.us/j/89985207757?pwd=K241ZHE3L2NZQmgzcDJ3L1lSeklPZz09&from=addon
As always, our meeting and working notes are in the shared Google doc, starting on page 13: https://docs.google.com/document/d/1DPKLBe9MkPnTMYaFYXY56arUI4FnVB5N/edit#
------------------------------
Jason Garbis, CISSP
Co-Chair, SDP Zero Trust Working Group
CPO, Appgate
------------------------------