Zero Trust

  • 1.  ATARC 2022 Zero Trust Summit Recording and Keynote (8/9 in DC)

    Posted Aug 22, 2022 12:38:00 PM
    Edited by Erik Johnson Aug 22, 2022 12:39:00 PM

    I was fortunate to be able to attend our partner's ATARC 2022 Zero Trust Summit, on August 9, 2022, at the Marriott Marquis, Washington D.C. During the event, we heard several great panels and presentations focused on utilizing emerging technologies to help strengthen the integration of Zero Trust technology in Government, hosted by IT thought-leaders within government, academia and private industry.

    The visionary keynote was presented by John Kindervag, Creator of Zero Trust, Senior Vice President, Cybersecurity Strategy, ON2IT Group Fellow at ON2IT Cybersecurity, Zero Trust Executive Steering Committee, Cloud Security Alliance. The slides are available here - https://learn.atarc.org/e/315131/08-ATARC-Zero-Trust-Slides-pdf/khg65/1858912828?h=1FxGlMY59zpHwX_kHMIZT2Ms66qL2QwW7-Eu2_LHglo

    The recording of the entire event is available on YouTube here - https://learn.atarc.org/e/315131/owNWECFTlnU/khg62/1858912828?h=1FxGlMY59zpHwX_kHMIZT2Ms66qL2QwW7-Eu2_LHglo

    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst - Zero Trust & Financial Services
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: ATARC 2022 Zero Trust Summit Recording and Keynote (8/9 in DC)

    Posted Aug 23, 2022 07:34:00 AM
    Good points. The devil is in the detail. I earbashed the SDP Working Group for five years that the network layer access, routing and DNS insecurities are the major problem in enforcing secure network communications. Without success, I might add :)

    And while John Kindervag is correct that network segmentation is a key measure, and that Identity Management is not Zero Trust, I think we must redefine Identity Management at the network layer. I would not be using the application layer OAuth approach.

    In cloudland, identity management policy enforcement is applied at the transport and session layer. AWS, Azure, GCP and IBM IAM policies are the key to enforcing network perimeters. This is OK as far as it goes. There have to be improvements for hybrid cloud; I've noticed that the holes in cloud-to-cloud, on-premises-to-cloud etc. communications are not being plugged.

    My thinking is that we must redefine identity management at the network layer, because all the old network layer token userid protocols from one part of the network to another are the vulnerabilities through which hackers are crawling, and moving laterally. Network layer protocols were developed last century.

    IMHO


    Nya Alison Murray
    Trac-Car Technology
    UK +44 208133 9249
    Australia +61 73040 1637
    Switzerland +41 22548 1747
    ----------------------------------------


  • 3.  RE: ATARC 2022 Zero Trust Summit Recording and Keynote (8/9 in DC)

    Posted 3 days ago
    Hello Erik,
    Sorry for being late to the game. I am the ZT lead in my organization and am working on engaging with various areas of the organization in building the ZT culture. As part of this effort I am working on the maturity levels. Across many documents, there are a variety of labels used for the 3 and 4 step approaches. In the NSTAC Report for ZT and Trusted Identity Management there is a reference to John Kindervag's Sept. 8, 2021 briefing (pg. 8, ref. 33: John Kindervag, ON2IT BV, "NSTAC ZT Briefing," Briefing to the NSTAC Zero Trust – Identity Management Subcommittee, Arlington, VA, September 8, 2021). John lists 5 levels of maturity that appear to align with the CMM's 5 levels, which is a model we currently use. My intention is not to introduce a new maturity model if I can align with an existing one.
    Any help is appreciated in locating this information.
    Advise if this is not the right thread and I can report as required.
    Cheers,

    Paul Lochbihler


    ------------------------------
    Paul Lochbihler
    Security Architect
    CSE
    ------------------------------



  • 4.  RE: ATARC 2022 Zero Trust Summit Recording and Keynote (8/9 in DC)

    Posted 3 days ago

    Paul,
    Aligning with existing ZT models and methodologies is definitely a sensible approach. There is some information on John's ZT deployment methodology guidance and perspective on ZT maturity in the slides and presentation recording I provided links to in the original post. There is a lot of additional info posted on the CSA Zero Trust Advancement Center's Resource Hub, including a link to the NSTAC report, the CISA ZT Maturity Model and a recording of another one of John's presentations. Additionally, the CSA ZT working group will be developing materials to help illuminate and further elaborate guidance on these important topics in the coming months. I hope this helps.




    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------