Zero Trust


NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

  • 1.  NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 07, 2022 11:03:00 PM
    Hi All,

    The Zero Trust Architecture (ZTA) team at NIST's National Cybersecurity Center of Excellence (NCCoE) has published volume B of a preliminary draft practice guide titled "Implementing a Zero Trust Architecture" and is seeking the public's comments on its contents. This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align with the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. As the project progresses, the preliminary draft will be updated, and additional volumes will also be released for comment.

    As an enterprise's data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero-trust architecture applied to a conventional, general-purpose enterprise IT infrastructure on-premises and in the cloud.

    The NCCoE is making volume B available as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments online on or before August 8th, 2022.

    Submit Comments Here: https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture

    @Daniele Catteddu
    @Anna Schorr
    @Jason Garbis
    @Nya Murray

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 08, 2022 12:40:00 AM
    Thanks @Michael Roza. I think this is a very important paper; it is practical and can be applied to the many cloud migration programs underway in governments and enterprises. Happy to comment. Can you set up a spreadsheet for the comments, similar to the simple shared sheet Jason has set up for comments on the CISA Cloud Use Cases?

    Looking forward to reviewing and commenting.



    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 3.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 08, 2022 01:06:00 AM
    Hi All,

    Here is the link to NIST's Implementing a Zero Trust Architecture Preliminary Draft Practice Guide (Vol. B) comment sheet:
    https://docs.google.com/spreadsheets/d/18Rh_ukj0XBRSoJZsFPrmP6jTBUstY0o1H9uvtnuvw8c/edit#gid=0

    @Daniele Catteddu
    @Anna Schorr
    @Jason Garbis
    @Nya Murray

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------



  • 4.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 11, 2022 04:11:00 PM

    Thanks for sharing this, @Michael Roza. I added this to the ZTA agenda for tomorrow's meeting.

    Best,



    ------------------------------
    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    aschorr@cloudsecurityalliance.org
    ------------------------------



  • 5.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 12, 2022 11:18:00 AM
    What meeting is this?  Will details be posted?

    ------------------------------
    Sai Honig
    ------------------------------



  • 6.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 12, 2022 12:45:00 PM





  • 7.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 13, 2022 05:13:00 AM
    Hi all

    For this interesting document that is a consolidated view of industry players (leading by example?), I think it is important to comment from a cloud security point of view, particularly a Software Defined Perimeter POV, because I see quite a lot of marketing assumptions have crept into an architecture guide.  Perhaps a part of the replacement of technology perspective with a people and process approach?

    I've set up a commentary spreadsheet on Google Drive https://drive.google.com/drive/folders/1XqXnJ0jxWV0KIf_FHFb7yngn7o_5CSEh?usp=sharing because it is easier to get views across when they are consolidated. 

    I'll be submitting the comments, closing date 8th August. 

    You are welcome to add your comments to mine; I'll sort by Line Number before submission.  I've made this NIST drive public, and also included the guide where I mapped security principles to the NIST Cybersecurity Framework for reference.


    @Daniele Catteddu
    @Anna Schorr
    @Jason Garbis


    Best Nya


    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 8.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 18, 2022 04:26:00 AM
    Apologies Michael - had not noticed you already had set up a spreadsheet - I've updated my commentary into the sheet you've set up.  Fortunately not too many people have commented to date. 

    Come on, architects! This architecture guide deserves commentary. I note that most contributors are vendors. I am not sure they are as detached and impartial as they might be :)

    https://docs.google.com/spreadsheets/d/18Rh_ukj0XBRSoJZsFPrmP6jTBUstY0o1H9uvtnuvw8c/edit#gid=0

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 9.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Jul 18, 2022 06:17:00 AM
    Comments added for consideration and discussion.

    Thanks.



    --
    Alistair Cockeram





  • 10.  RE: NIST Open for Public Comment: Preliminary Draft Practice Guide (Vol. B) From the ZTA Team

    Posted Aug 08, 2022 07:52:00 AM
    Thanks everyone for your input and comments over the past few weeks. I submitted the following email (and attached spreadsheet) feedback to NIST today, on the Implementing a Zero Trust Architecture Volume B document. I made some relatively minor edits to the submitted comments - consolidating, de-duplicating, and clarifying in some cases - trying to maintain the essence of each response. I did remove contributors' names, as promised. 

    Hello NIST team – thanks for publishing the draft Special Publication 1800-25B, Implementing a Zero Trust Architecture, and accepting public comments. The comments and feedback in this email and in the attached spreadsheet are on behalf of the Cloud Security Alliance's Zero Trust Working Group, of which I am co-chair. It's sourced from multiple people across multiple organizations, with different perspectives and opinions. I've tried to consolidate and normalize, but you will see, especially in the spreadsheet, some different points of view.

    Overall, we recognize and appreciate the tremendous amount of work that went into this document, and into the definition and creation of the underlying architectures and use cases. We believe that this large process will be very beneficial to the industry. We also recognize that this is one step of many, and that the NCCoE team is driving multiple additional use cases and phases, which will grow in their complexity and value.

     Thanks, and we look forward to continued collaboration on this.



    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, SDP Zero Trust Working Group
    CPO, Appgate
    ------------------------------