Hello TIC team – thanks for publishing the draft TIC Cloud Use Case document, and for the opportunity to provide feedback. The comments and feedback in this email and in the attached spreadsheet are on behalf of the Cloud Security Alliance's Zero Trust Working Group, of which I am co-chair. It's sourced from multiple people across multiple organizations, with different perspectives and opinions. I've tried to consolidate and normalize, but you will see, especially in the spreadsheet, some different points of view.
Overall, this document contains a great deal of useful information, organized in an understandable way. We recognize and appreciate the challenge of creating a document that provides useful, prescriptive and specific advice while still remaining applicable and relevant across all types of environments and infrastructures.
In particular, we found the Security Capabilities tables to be quite valuable – providing definitions and prescriptive guidance on how to approach each of the many areas. Readers will be able to follow the "should" and "may" guidance to drive their agency's specific Zero Trust journey, based on their specific requirements and constraints. We also found the security patterns to be useful depictions of the ways in which different components interact, across PEPs.
However, we struggled with the Trust Zones in two ways. First, some of our reviewers were unclear that the levels assigned to the Trust Zones, in Table 1 and in the Security Patterns, are example trust levels, not normative or prescriptive. We noted the "Implementation Consideration" on page 8 that explained this, but perhaps this section could more explicitly refer back to the Trust Level definitions from the TIC Reference Architecture document.
Secondly, and perhaps more importantly, we think the document is missing an explanation of what an agency needs to do differently for PEPs at different trust levels. The Trust Levels, as defined in the TIC Reference Architecture, page 8, do a good job of defining "Control Levels" rather than "Trust Levels". In fact, taken literally (and perhaps pedantically), there should be zero trust in a Zero Trust system. Putting that aside, what we think is missing is clear guidance on how the PEP enforcement mechanisms should be different depending on the Trust Level of the environments they are protecting. The Zero Trust philosophy really aims for having a high level of enforcement everywhere – for example, mandating the use of encrypted protocols everywhere. We shouldn't, for example, recommend that in a High Trust zone that requirement is relaxed. On the other hand, there are some aspects of the PEPs that should be modulated based on the zone's Trust Level. For example, a user on a device in a High Trust environment, such as in an agency office, may not need to be prompted for MFA, while a remote user working in an airport should be. Overall, Zero Trust argues that in fact you should treat users and services running in a "High Trust" environment exactly the same as if they were running in a "Low Trust" environment, at least from an access and network perspective. We're not sure if this is a planned topic for a future document – if not, we think it'd be interesting and worthwhile.