Zero Trust

Expand all | Collapse all

Zero Trust Maturity Model initiative - March 24 Meeting Notes

  • 1.  Zero Trust Maturity Model initiative - March 24 Meeting Notes

    Posted Mar 28, 2022 11:55:00 AM

    Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session on March 24. We had a good discussion about the recent breach at Okta, and what it means in a Zero Trust system when an identity provider is compromised.

    Meeting recording (mp4): https://drive.google.com/file/d/1NVWbC_922O0dPkBykbj6KICpCcVkkVcS/view?usp=sharing

    Meeting notes:

    • Okta breach – as a concept not specifically about this vendor - talking about what it means when an Identity Provider is breached and untrustworthy
    • Someone with credentials (or an access token) is no longer trustworthy – authentication is no longer sufficient
    • Other security aspects that should be in play
      • MFA – making passwords less valuable
        • What is MFA provider is the same as the IAM provider, so it's comprised as well. It could be beneficial to have this from a different provider than IAM
      • Zero Trust can help facilitate this – as an integration point
      • Device posture check and validation
        • g. is there a corporate-issued certificate on the device
      • Trust and interdependencies between systems
        • Does this reduce the trust /value of a Zero Trust system?
        • One perspective: yes
        • Another perspective: not realistic, enterprises have many interconnected systems that must be carried forward to Zero Trust
      • Third party risk mgmt.
        • Logs as source of information – from the IdP?
        • Transmit logs to separate system rather than storing locally
        • And/or encrypt/sign logs for integrity
      • Passwordless –
        • Authentication via alternative mechanisms, plus attributes
      • ABAC – part of ZT
      • SSO from IdPs
        • Compromised system – could create valid token for authentication into 3rd party applications
        • How to defend against this?
        • Bringing additional attributes (Zero Trust context) to the applications?
        • Authentication token only is good as far as the token and cert can be trusted
      • ZT – resiliency against a sophisticated attacker with credentials, spoofed geolocation, etc.

     

    Zero Trust Maturity Model

    • Quick final review of the DoD Maturity Model 

    Next Meeting:

    Thursday April 7 at 8am ET / 12.00 UTC / 8pm China Standard Time / 1400 Central European Summer Time (CEST)

    Topic: Walkthrough of CISA Zero Trust Maturity Model:

    https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf

     

    Meeting link to be provided within 24 hours of the meeting time.

     

    Working Document:

    https://docs.google.com/document/d/1DPKLBe9MkPnTMYaFYXY56arUI4FnVB5N/edit#

     



    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, SDP Zero Trust Working Group
    CPO, Appgate
    ------------------------------


  • 2.  RE: Zero Trust Maturity Model initiative - March 24 Meeting Notes

    Posted Mar 30, 2022 06:49:00 PM
    Thanks Jason and the group, clearly an excellent discussion about making identity management secure. Thanks for making the issues clear and concise.

    ------------------------------
    Nya Murray
    CEO
    Trac-Car
    ------------------------------