Zero Trust

  • 1.  FedRamp Subnets - What They Are and Why They Matter

    Posted Jun 27, 2022 02:43:00 AM
    Hi All,

    FedRamp just recently published Subnets - What They Are and Why They Matter

    This white paper is to help our stakeholders understand FedRAMP subnetwork (subnet) requirements. The paper covers what subnets are, why they matter, and actions cloud service providers (CSPs) should take to ensure compliance.

    @Daniele Catteddu
    @Jason Garbis

    Michael Roza CPA, CISA, CIA, MBA, Exec MBA


    Attachment: FedRAMP_subnets_20220627.pdf (246 KB)

  • 2.  RE: FedRamp Subnets - What They Are and Why They Matter

    Posted Jun 29, 2022 05:44:00 AM
    Good to see easy-to-use guidelines to help network architects design secure deployments. Useful definition of what constitutes a public subnet.

    Nya Murray

  • 3.  RE: FedRamp Subnets - What They Are and Why They Matter

    Posted Jun 29, 2022 07:41:00 AM

    I'm glad to see the forward-looking section (page 6) - in particular their acknowledgement that CSPs' use of security groups and /32 subnet masks can effectively make each host act as an isolated subnet from a compliance perspective. This is well aligned with how a ZT implementation would likely approach this -- with the hosts isolated from one another, with access controlled by a ZT PEP, even though the hosts may reside within a numerical subnet.

    However, they are not terribly flexible yet - as they state "until this future arrives, we will be looking for subnets as described above". This is representative of many of the compliance challenges I've seen - where compliance and auditors are backwards-looking, and can end up perpetuating outdated and ineffective security approaches in order to meet "checkbox compliance".

    Jason Garbis, CISSP
    Co-Chair, SDP Zero Trust Working Group
    CPO, Appgate
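    To make the /32 point above concrete, here is an added Python model that is not from the white paper or from any poster in this thread. Host names, addresses and the PEP allow list are constructed; it contrasts a flat /24 subnet, where any on-link host can reach another without a policy check, with /32 per-host isolation, where every flow is forced through a default-deny policy enforcement point keyed on identity.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: three hosts that all sit in the numerical block 10.0.1.0/24.
HOSTS = {"web-1": "10.0.1.10", "db-1": "10.0.1.20", "bastion": "10.0.1.30"}


def same_broadcast_domain(src_ip: str, dst_ip: str, prefixlen: int) -> bool:
    """True when src would treat dst as on-link under the given mask.

    With /24 every host in 10.0.1.0/24 is on-link, so lateral traffic never
    touches a gateway.  With /32 each host is alone in its own 'subnet' and
    every packet must go to the gateway, where a PEP can enforce policy.
    """
    src_net = ipaddress.ip_interface(f"{src_ip}/{prefixlen}").network
    return ipaddress.ip_address(dst_ip) in src_net


@dataclass
class PolicyEnforcementPoint:
    """Default-deny PEP: an explicit (identity, destination host, port) allow list."""
    rules: set = field(default_factory=set)

    def decide(self, identity: str, dst_host: str, port: int) -> str:
        return "allow" if (identity, dst_host, port) in self.rules else "deny"


def reachable(identity: str, src_host: str, dst_host: str, port: int,
              prefixlen: int, pep: PolicyEnforcementPoint) -> str:
    """Outcome of src_host -> dst_host:port for a given mask and PEP policy."""
    src_ip, dst_ip = HOSTS[src_host], HOSTS[dst_host]
    if same_broadcast_domain(src_ip, dst_ip, prefixlen):
        # Flat subnet: reachability is decided by topology alone, whoever the
        # caller is; the PEP never sees the flow.
        return "allow (on-link, PEP bypassed)"
    # Host-isolated (/32): nothing is on-link, so the PEP decides by identity.
    return pep.decide(identity, dst_host, port)


if __name__ == "__main__":
    pep = PolicyEnforcementPoint({("svc-web", "db-1", 5432)})
    for prefixlen in (24, 32):
        for ident in ("svc-web", "unknown-workload"):
            print(f"/{prefixlen} {ident:17} -> db-1:5432 :",
                  reachable(ident, "web-1", "db-1", 5432, prefixlen, pep))
```

    Under /24 both identities reach db-1:5432 because the check never reaches the PEP; under /32 only the identity with an explicit rule is allowed, which is the isolation the post describes.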

  • 4.  RE: FedRamp Subnets - What They Are and Why They Matter

    Posted Jun 30, 2022 03:41:00 AM
    Agreed, Jason.

    The industry does not understand that Zero Trust means denying access at the Network / Transport OSI layers before allowing access to the Presentation / Application layers, because the industry does not want to give up all of the detection software that is making them money. Collectively, the industry is making a lot of money from putting in nets and traps after DNS, identity, and application services are opened. It does not want to rethink the problem of policy enforcement prior to allowing access past the network gateway. It does not want to interact with packets and network protocols.

    That's why we have all been so adamant in our support for the Software Defined Perimeter network approach over the past 5 years that we've been talking about this problem, during innumerable working group meetings.

    What does it take to change a mindset that is based on resistance to change, and reluctance to give up on past money spinners?  A regulatory framework for all network communications, run by an independent international united nations of networks?  Excluding Russia and China because they cannot be trusted to work for the common good? Putting caveats on countries that are known to do spyware on a grand scale?

    I am worried we are in disaster change territory, where successful attacks are the only change motivation.  That is our shared, collective, historical approach, from which we have failed to learn?

    I do not have any answers at this point in time.  



    Nya Alison Murray
    Trac-Car Technology
    UK +44 208133 9249
    Australia +61 73040 1637
    Switzerland +41 22548 1747