Zero Trust

 View Only
  • 1.  Interesting Article: Zero-trust has changed cybersecurity forever

    Posted 19 days ago
    Concise and to the point. A quick but worthwhile read: 
    https://www.scmagazine.com/perspective/zero-trust/zero-trust-has-changed-cybersecurity-forever

    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------


  • 2.  RE: Interesting Article: Zero-trust has changed cybersecurity forever

    Posted 18 days ago
    Interesting article indeed.  While I don't disagree with much of what's been put forward here, there is this pervasive omission of one key element in almost every article I read about ZT.  With all the focus on the security aspects, there remains a near total absence of discussion about deploying workloads in a manner that's consistent with the L7 controls required to instrument a proper ZT environment.

    To me, this is all just talk until the echo chamber directly engages the SRE teams and begin to migrate their DAAS elements into an architecture that supports the ZT model, in partnership with the secops teams that will operate within that environment.  This has to be a team sport.

    ------------------------------
    Jonathan Flack Managing Director, ACM, CNCF, CSA
    ------------------------------



  • 3.  RE: Interesting Article: Zero-trust has changed cybersecurity forever

    Posted 18 days ago
    I agree. I am starting to see industry people talking about needing to bring together 3 key groups, (1) network/security, (2) operations/SRE engineering, (3) application teams. Until all 3 are having a conversation on how to deploy ZT you only have a partial solution.

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 4.  RE: Interesting Article: Zero-trust has changed cybersecurity forever

    Posted 17 days ago

    Philip,

     

    I would go further and suggest that you need to break apart the element of Network/ Security because ZT need to focus more on the other pillars of Apps and Data.  There is still much of a focus on the network access to the application and network access to the data.   

     

    Just as we segment networks, we need to thinking about how to segment data at rest physically and cryptographically based on the criticality and business function of the data.  So yes this starts with identity, access controls and authorisation and that data in transit is encrypted, but we need to be driving for more controls with the on-prem, IaaS and SaaS environments.  Which is where as a security community we need to build better links with the SRE and Dev Ops teams and well as enabling the traditional SOC teams to rethink their practical and business engagement across the business/ org.  

     

    Recent reading I have found through the DevSecOps community here in London introduced me to :

     

    DevSecops - Glen Wilson - https://www.amazon.co.uk/DevSecOps-producing-compromising-continuous-improvement/dp/1781335028

    Chaos Engineering – Casey Rosenthal & Nora Jones - https://www.amazon.co.uk/Chaos-Engineering-System-Resiliency-Practice/dp/1492043869

     

    These are not books on ZT but what they say should talk directly to the ZT community objectives as their ethos of continuous experimentation in complex systems is a parallel to the continuous verification of ZT.

     

    Richard