Zero Trust


CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

  • 1.  CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 01, 2022 12:11:00 PM

    Hello all – The United States Cybersecurity and Infrastructure Security Agency
    (CISA) is requesting feedback and comments on their new Trusted Internet Connections 3.0 Cloud Use Case document, through July 22, 2022. 

    The document is here:

    https://www.cisa.gov/sites/default/files/publications/CISA%20TIC%203.0%20Cloud%20Use%20Case%20Draft_0.pdf 

    We are coordinating response on behalf of the working group.

    Please review the CISA document, and

    1. Engage here for a discussion about the overall approach / feedback
    2. Add specific comments in this shared spreadsheet:

    https://docs.google.com/spreadsheets/d/1UP5Pc9sfTsQR3lmsc5jbSQjS1LsBCVLJF6F2zn-_oS4/edit#gid=0

    Please follow the spreadsheet format, so we can track who submitted what comments, for our review and editing process. We will remove individuals' names before submitting to CISA.

    Please also just append your comments – don't change other people's entries.


    We'll plan to have a meeting to review and discuss during the week of July 11-15.

    This will give us time to edit and consolidate before the July 22 submission deadline. 

    Thanks to Nya for helping lead this response!

     




  • 2.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 08, 2022 09:43:00 AM
    Thanks to the folks who, so far, have contributed their comments to the spreadsheet. Please keep adding them. We'll be scheduling a review session to discuss and consolidate. 

    Proposed time:  Monday July 18 at 3pm ET

    Let me know via DM or reply here if that works for you.


  • 3.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 12, 2022 10:00:00 AM
    Thank you, Jason.

    Would it be possible to speak at 4 ET on Monday or Tuesday after 11 ET? I have a conflict that I would rather not miss but I will if this time works for everyone else.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 4.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 18, 2022 04:50:00 AM

    Alex, sorry, we have some conflicts with moving the time slot today. 
    I will post the meeting link shortly - for 3pm ET today.

    thanks

    jason




  • 5.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 18, 2022 12:08:00 PM
    Was the link posted for today's meeting? What I have is not working and Circle is responding with an error.

    Sorry for any inconvenience.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 6.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 18, 2022 12:41:00 PM
    I posted this to Circle in a separate thread - apologies if you missed it. And it appeared that the Circle platform was down just at 3:00pm - neither Erik nor I could access it.

    Sorry for the SNAFU. I am editing the spreadsheet now, to consolidate and normalize the comments. Look for another post a bit later today with a summary of where we are in the process.

    regards
    Jason


  • 7.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 18, 2022 12:49:00 PM
    Oh well, stuff happens. I will keep an eye out for the post. Let me know if there is anything I can do. Always willing to help.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 8.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 18, 2022 02:18:00 PM
    Thanks folks for your comments in the spreadsheet
     https://docs.google.com/spreadsheets/d/1UP5Pc9sfTsQR3lmsc5jbSQjS1LsBCVLJF6F2zn-_oS4/edit#gid=0

    I am working to consolidate / deduplicate / comment on your feedback - this is in the "Reviewed and Edited (WIP)" worksheet. If you submitted, please review/comment further.
    If you are making further edits, add them to the "Feedback - Add here" worksheet so we can distinguish.

    Thanks. I am planning to get this consolidated and completed by Weds July 20, so that we can submit it on Thursday July 21 in advance of the deadline.




  • 9.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 20, 2022 11:52:00 AM
    Wasn't exactly sure where to respond to your question about my comments to ensure you would see it so I thought it best to respond to this thread.

    Regarding Separation of Duties. In practice, Separation of Duties limits the blast radius and seriously affects the economics for the hacker. If you look at the major Government losses like Snowden and the OMB hack, they would have been prevented, or at least significantly less impactful, if SOD was incorporated.

    I would like to see SOD included in 4.2.2.4 Identity and Access Control, tables 2, 3, 4, 5, 8, 10, 11, 14, 19, and 20.

    Please let me know if you would like anything else.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------
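A worked illustration of the separation-of-duties point in the post above, added here as an example; it is not code from the thread, from the working group, or from the TIC document. It models SoD the way an IAM engineer would check it: a role-to-permission matrix, a list of "toxic" permission pairs that no single identity may hold, and a scan that reports which identities (and which roles on their own) violate those pairs. All roles, permissions, users and toxic pairs are constructed for illustration; an agency would substitute its own matrix.

```python
"""Separation-of-duties (SoD) check over a constructed role/permission model.

Added example, not from the thread or the TIC document. Roles, permissions,
user assignments and toxic pairs below are constructed for illustration.
"""

# Constructed: permissions granted by each role.
ROLE_PERMISSIONS = {
    "dev": {"code:write", "pipeline:trigger"},
    "release-approver": {"release:approve"},
    "release-operator": {"release:deploy", "prod:read"},
    "auditor": {"audit:read"},
    # Deliberately toxic by itself: grants access and can erase the trail.
    "platform-admin": {"iam:assign-role", "audit:delete"},
}

# Constructed: pairs of permissions that must never land on one identity.
TOXIC_PAIRS = {
    frozenset({"code:write", "release:approve"}),      # approve your own change
    frozenset({"release:approve", "release:deploy"}),  # approve and ship it yourself
    frozenset({"iam:assign-role", "audit:delete"}),    # grant access, then hide it
}

# Constructed: role assignments to scan.
USER_ROLES = {
    "alice": {"dev", "release-approver"},
    "bob": {"release-operator", "auditor"},
    "carol": {"platform-admin"},
    "dave": {"dev"},
    "erin": {"release-approver", "release-operator"},
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of everything the given roles grant (unknown roles grant nothing)."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def toxic_combinations(perms, toxic_pairs=TOXIC_PAIRS):
    """Toxic pairs fully contained in a permission set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in toxic_pairs if pair <= perms)


def sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                   toxic_pairs=TOXIC_PAIRS):
    """Map each violating user to the toxic pairs their combined roles produce.

    The check runs on *effective* permissions, so a violation that only
    appears when two individually clean roles are combined is still caught.
    """
    violations = {}
    for user, roles in sorted(user_roles.items()):
        found = toxic_combinations(effective_permissions(roles, role_permissions), toxic_pairs)
        if found:
            violations[user] = found
    return violations


def toxic_roles(role_permissions=ROLE_PERMISSIONS, toxic_pairs=TOXIC_PAIRS):
    """Roles that violate SoD on their own; no assignment policy can fix those."""
    return sorted(role for role, perms in role_permissions.items()
                  if toxic_combinations(perms, toxic_pairs))


if __name__ == "__main__":
    for role in toxic_roles():
        print(f"role {role!r} is toxic by design and must be split")
    for user, pairs in sod_violations().items():
        for a, b in pairs:
            print(f"{user}: holds both {a} and {b}")
```

The two reports answer different questions: `toxic_roles` finds design flaws in the role model itself, while `sod_violations` finds assignment flaws where individually acceptable roles combine into a toxic set on one identity. Running the check on effective permissions rather than on role names is what makes the second case visible, and it is the one that usually slips through manual review.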



  • 10.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 21, 2022 08:44:00 AM
    Thanks, Alex - that's very helpful. I am consolidating all the comments in the spreadsheet today, and submitting to CISA on behalf of the group.

    thanks again for your input.


  • 11.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 21, 2022 01:25:00 PM
    Thanks everyone for your input and comments over the past couple weeks. I submitted the following email (and attached spreadsheet) feedback to CISA today, on the TIC draft Cloud Use Case document. I made some relatively minor edits to the submitted comments - consolidating, de-duplicating, and clarifying in some cases - trying to maintain the essence of each response. I did remove contributors' names, as promised. 

    Here's the email: 

    Hello TIC team – thanks for publishing the draft TIC Cloud Use Case document, and for the opportunity to provide feedback. The comments and feedback in this email and in the attached spreadsheet are on behalf of the Cloud Security Alliance's Zero Trust Working Group, of which I am co-chair. It's sourced from multiple people across multiple organizations, with different perspectives and opinions. I've tried to consolidate and normalize, but you will see, especially in the spreadsheet, some different points of view.

     Overall, this document contains a great deal of useful information, organized in an understandable way. We recognize and appreciate the challenge of creating a document that provides useful, prescriptive and specific advice while still remaining applicable and relevant across all types of environments and infrastructures.

    In particular, we found the Security Capabilities tables to be quite valuable – providing definitions and prescriptive guidance on how to approach each of the many areas. Readers will be able to follow the "should" and "may" guidance to drive their agency's specific Zero Trust journey, based on their specific requirements and constraints.  We also found the security patterns to be useful depictions of the ways in which different components interact, across PEPs. 

    However, we struggled with the Trust Zones in two ways. First, some of our reviewers were unclear that the levels assigned to the Trust Zones, in Table 1 and in the Security Patterns, are example trust levels, not normative or prescriptive. We noted the "Implementation Consideration" on page 8 that explained this, but perhaps this section could more explicitly refer back to the Trust Level definitions from the TIC Reference Architecture document.

    Secondly, and perhaps more importantly, we think the document is missing an explanation of what an agency needs to do differently for PEPs at different trust levels. The Trust Levels, as defined in the TIC Reference Architecture, page 8, do a good job of defining "Control Levels" rather than "Trust Levels". In fact, taken literally (and perhaps pedantically), there should be zero trust in a Zero Trust system. Putting that aside, what we think is missing is clear guidance on how the PEP enforcement mechanisms should be different depending on the Trust Level of the environments they are protecting. The Zero Trust philosophy really aims for having a high level of enforcement everywhere – for example, mandating the use of encrypted protocols everywhere. We shouldn't, for example, recommend that in a High Trust zone that requirement is relaxed. On the other hand, there are some aspects of the PEPs that should be modulated based on the zone's Trust Level. For example, a user on a device in a High Trust environment, such as in an agency office, may not need to be prompted for MFA, while a remote user working in an airport should be. Overall, Zero Trust argues that in fact you should treat users and services running in a "High Trust" environment exactly the same as if they were running in a "Low Trust" environment, at least from an access and network perspective. We're not sure if this is a planned topic for a future document – if not, we think it'd be interesting and worthwhile.
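The distinction the email draws, with enforcement that is uniform across zones and only authentication friction modulated by zone, can be made concrete in a small policy decision function. The following is an added example and not code from the thread, the working group, or CISA's documents; the zone names, the per-zone MFA freshness windows, the entitlement table and the request fields are all constructed for illustration. Transport encryption, device posture and the entitlement check are evaluated identically for every zone; the zone only changes how recently MFA must have been completed before a step-up prompt is required.

```python
"""A minimal PEP decision function that keeps enforcement uniform across
trust zones and lets the zone modulate only MFA friction.

Added example, not from the thread or the TIC document. Zones, windows,
entitlements and the request shape are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: how recent a completed MFA must be (minutes) per trust zone.
# This is the only knob the zone turns; everything else is enforced uniformly.
MFA_MAX_AGE_MINUTES = {"high": 480, "medium": 60, "low": 15}

# Constructed entitlement table: which principals may reach which resources.
ENTITLEMENTS = {
    "alice": {"hr-portal", "payroll-api"},
    "bob": {"hr-portal"},
}


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    resource: str
    zone: str                 # trust zone the caller is in, e.g. "high" or "low"
    transport_encrypted: bool
    device_managed: bool
    mfa_age_minutes: int      # minutes since the principal last completed MFA


def pep_decision(req, entitlements=ENTITLEMENTS, mfa_windows=MFA_MAX_AGE_MINUTES):
    """Return (verdict, reason); verdict is "allow", "deny" or "step_up"."""
    # Zone-independent checks: the same in an agency office and in an airport.
    if not req.transport_encrypted:
        return ("deny", "cleartext transport is never accepted, in any zone")
    if not req.device_managed:
        return ("deny", "unmanaged device")
    if req.resource not in entitlements.get(req.principal, set()):
        return ("deny", f"{req.principal} is not entitled to {req.resource}")

    # Zone-modulated friction. An unknown zone falls back to the strictest
    # window rather than the most permissive one (fail closed).
    window = mfa_windows.get(req.zone, min(mfa_windows.values()))
    if req.mfa_age_minutes > window:
        return ("step_up", f"MFA is older than {window} min for zone {req.zone!r}")
    return ("allow", "transport, device, entitlement and MFA freshness all satisfied")


def zone_changes_authorization(req, zones=("high", "medium", "low")):
    """True if moving the same request between zones ever flips allow/deny.

    Used as a self-check: with the policy above, zones may only change
    whether a step-up is required, never whether access is authorized.
    """
    outcomes = set()
    for zone in zones:
        verdict, _ = pep_decision(AccessRequest(req.principal, req.resource, zone,
                                                req.transport_encrypted,
                                                req.device_managed, req.mfa_age_minutes))
        outcomes.add("deny" if verdict == "deny" else "authorized")
    return len(outcomes) > 1


if __name__ == "__main__":
    office = AccessRequest("alice", "payroll-api", "high", True, True, 120)
    airport = AccessRequest("alice", "payroll-api", "low", True, True, 120)
    for r in (office, airport):
        print(r.zone, pep_decision(r))
```

The self-check `zone_changes_authorization` is the property the email argues for: for any request, changing only the zone must never turn a deny into an allow. If a future policy edit makes that function return true for some request, the zone has started to relax enforcement rather than just friction.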




  • 12.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 22, 2022 05:47:00 AM
    Thanks Jason, well articulated.

    Kind regards

    ------------------------------
    Bernard Coetzee
    Capitec Bank

    ------------------------------



  • 13.  RE: CISA Trusted Internet Connections 3.0 Cloud Use Case - open for public review

    Posted Jul 22, 2022 08:00:00 AM
    Thanks Jason, good job!  Final comments are really thought provoking, and show up some strengths and weaknesses of current state of play.  Best Nya.

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------