Software Defined Perimeter

  • 1.  Zero Trust Maturity Model initiative - March 24 working session (with meeting link)

    Posted Mar 23, 2022 06:25:00 AM

    Hello all – our next working session for the Zero Trust Maturity Model initiative is March 24 at 8pm Eastern Time.

    This corresponds to:
    March 24 at 5pm Pacific Time
    March 25 at 12.00 midnight UTC
    March 25 at 8.00am China Standard Time

    The March 24 meeting will be a continuation of our discussion and analysis of the USA Dept of Defense Zero Trust Reference Architecture

    Zoom meeting link:
    https://appgate.zoom.us/j/89985207757?pwd=K241ZHE3L2NZQmgzcDJ3L1lSeklPZz09&from=addon


    As always, our meeting and working notes are in the shared Google doc, starting on page 13: https://docs.google.com/document/d/1DPKLBe9MkPnTMYaFYXY56arUI4FnVB5N/edit#



      ------------------------------
      Jason Garbis, CISSP
      Co-Chair, SDP Zero Trust Working Group
      CPO, Appgate
      ------------------------------



    • 2.  RE: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)

      Posted Mar 23, 2022 07:29:00 AM
      Thanks for your link. Can we also discuss the Okta incident?





    • 3.  RE: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)

      Posted Mar 24, 2022 05:20:00 AM
      Hi Abby - yes, we can talk about that as well. Definitely an interesting premise: Your identity provider (and MFA provider) is compromised...how bad is this in a Zero Trust world?

      ------------------------------
      Jason Garbis, CISSP
      Co-Chair, SDP Zero Trust Working Group
      CPO, Appgate
      ------------------------------



    • 4.  RE: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)

      Posted Mar 24, 2022 05:44:00 AM
      Hi Jason and Abby .. exactly why we don't have or allow any 3rd party security aspects (in our solution). Further, I think the Authentic Zero-Trust manifest should be seen from an end-user perspective - meaning ... once password vaults or other external authentication services are introduced in the architecture, you have to downgrade the level of ZT. But if you don't know there is a higher ZT bar, you believe you are on the 'highest' level. In our opinion, you are not.

      Seen from an MSSP's perspective, a company like Okta would claim that they increase and help clients to a higher level of "ZT" - and sure they are, once coming from nothing. We don't buy that - it's the American way of looking at ZT, concentrating around services and hooking the end-user up on your services - like Microsoft, Cisco, Zscaler, Crowdstrike, Okta etc. etc.

      The European model - which we bank on - is different. We support the Authentic Zero-Trust manifest, and we let end users stay agile and in control of their own data and security (which they can outsource, in fact).

      This is an issue I briefly brought up in January when I participated in the workgroup meeting then ... and also something the Danish CSA chapter is looking into at the moment. We use the NIST maturity model (I think I have passed that around in a previous post), but we are looking into a Zero-Trust classification model - like a 1-5 model - where solutions WITHOUT 3rd party dependencies get a level 4, and if you have 3rd party security dependencies you are classified at level 3 .. if you reroute traffic and have 3rd party dependencies, you are at level 2, etc.

      Just some thoughts and ideas we had on the table in our last Danish CSA chapter conversation - but we have a small work group established.

      I will try to participate in the upcoming event - but I'm finishing a physical meeting at the time the workshop starts, so I could be delayed 5-10 minutes. 

      If questions - feel free to reach out.



      ------------------------------
      Niels E. Anqvist
      CEO/President
      ZAFEHOUZE USA / ZAFEHOUZE EMEA
      ------------------------------



    • 5.  RE: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)

      Posted Mar 24, 2022 05:49:00 AM
      :-) .. sorry ... 5pm Pacific Time on the 24th is 1am Central European Time on the 25th (I have no physical meeting ending at 1am)

      ------------------------------
      Niels E. Anqvist
      CEO/President
      ZAFEHOUZE USA / ZAFEHOUZE EMEA
      ------------------------------



    • 6.  RE: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)

      Posted Mar 24, 2022 07:37:00 AM
      Jason and group; I very much would like to participate but have a last-minute deliverable for a client. I'm doing work with the Canadian military surrounding selecting specific software solutions to meet their ZT requirements, and am interested in "un-biased" opinions from the group.
      Is the session being recorded that I could listen to afterwards?

      ------------------------------
      Keith Patterson
      President
      Malpaso Consulting
      ------------------------------



    • 7.  RE: Zero Trust Maturity Model initiative - March 24 working session (with meeting link)

      Posted Mar 24, 2022 10:36:00 AM
      Hi guys ,

      Please check the blog below. It has good background and analysis of this Okta incident. This incident is a good Zero Trust case study. Can we discuss how our new zero trust guides can address and mitigate this kind of incident? It did not happen for technical reasons. Our ZT can definitely map to and improve on this to avoid this incident happening again in the future. Okta has a perfect internal control framework and is a good idiot for a zero trust company.


      Thanks,
      Abby