Zero Trust

  • 1.  NIST SP 1800 35 C and D Implementing a Zero Trust Architecture Drafts for Comment

    Posted Aug 09, 2022 11:29:00 PM
    Hi All,

    Open for Public Comment: Zero Trust Architecture Preliminary Draft Practice Guide (Vol. C-D)

    The Zero Trust Architecture (ZTA) team at NIST's National Cybersecurity Center of Excellence (NCCoE) invites public comments on volumes C-D of a preliminary draft practice guide "Implementing a Zero Trust Architecture". This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. As the project progresses, the preliminary draft will be updated, and additional volumes will also be released for comment.

    As an enterprise's data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general purpose enterprise IT infrastructure on premises and in the cloud.
    We Want to Hear from You!

    The NCCoE is making volumes C-D available as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments online on or before September 9, 2022.

    Comment Here:

    @John Yeoh
    @Daniele Catteddu
    @Jason A. Garbis
    @Anna Schorr
    @Nya Murray


    Michael Roza CPA, CISA, CIA, MBA, Exec MBA

  • 2.  RE: NIST SP 1800 35 C and D Implementing a Zero Trust Architecture Drafts for Comment

    Posted Aug 10, 2022 08:26:00 AM
    Thanks Michael.  I think it is very important that people give this some thought.  I appreciate that NIST are being pragmatic in getting a Zero Trust architecture approach together.  I am a senior architect, and this approach has been tried a number of times.  Inheriting architecture from vendors' deployments provides for baking in weaknesses that are in the vendor's products. On the other hand, NIST has to do something, and they have started with a traditional physical architecture that is found in many large corporations.  Tick for relevance.  The products they have chosen are fairly widely used. Tick for applicability.

    However, it is important not to tie ZT Architecture into an infrastructure, platform, software and network architecture which has well known flaws and vulnerabilities.

    This may be appealing from the let's-get-this-done POV.  However, I would point out that the traditional network and server architecture (network not particularly well segmented, and endpoint security mechanisms not particularly securely virtualized), plus identity management products the inherent vulnerabilities of which are well known, particularly to state-sponsored threat actors, leave me quite shocked.

    Personally, I have been around this block a number of times during my career.  Every iteration of architecture driven by vendor products has resulted in regret down the track, not only in terms of costs, but also in terms of cyber security.  To mitigate this risk, I ask that senior security professionals comment on these documents pointing out the known and documented security vulnerabilities in this scenario.

    Otherwise my view is that this exercise is in danger of kicking an own goal in terms of propagating vulnerabilities and widely instantiating single points of failure, and locking in technology that was once state of the art but is being superseded by the enormous development money that has been spent on private cloud deployments by major corporations, which has produced simplification and stratification and cost reductions for best practice network, hosting, platform, software, identity and device virtualization.  IMHO.

    Best Regards


    Nya Murray

  • 3.  RE: NIST SP 1800 35 C and D Implementing a Zero Trust Architecture Drafts for Comment

    Posted Aug 10, 2022 10:28:00 AM
    Hi Nya,

    Unfortunately, I can't like your answer more than once.

    Michael Roza CPA, CISA, CIA, MBA, Exec MBA

  • 4.  RE: NIST SP 1800 35 C and D Implementing a Zero Trust Architecture Drafts for Comment

    Posted Aug 11, 2022 07:39:00 AM
    Excellent comments!
    My question is - do people have a clear vision of what ZTA buys them?  Not saying we can't raise the bar on endpoint, IDM and service access controls, but I worry too many are focused on the buzzword and not enough attention is being paid to how this will enable the mission/derive value/etc.

  • 5.  RE: NIST SP 1800 35 C and D Implementing a Zero Trust Architecture Drafts for Comment

    Posted Aug 17, 2022 11:34:00 AM

    Although in general I agree with you, I believe there are a few more specific pros and cons that must be teased out in order for these documents to provide material benefit to organizations (not just marketing benefit).

    I believe this effort is similar to what Johns Hopkins' IACD project accomplished (actual demonstration of working systems). Vague reference implementations aren't very helpful without embracing the vendor community, setting up labs, giving demonstrations on exactly how (and whether) products can interoperate to approach desired goals. I would urge any/all parties involved here to avoid a major pitfall of the IACD program - they never offered hard evaluations on the products that vendors brought forward on their "completeness" of the job they claim to accomplish. In other words, does a product accomplish all of the elements of the task it was installed for? How complete is the integration both upstream and downstream? Does the product provide adequate visibility into its actions? Does the vendor deliver secure by default? Or is the vendor offering marketing more than substance?

    Without this level of introspection on each vendor implementation demonstration, your observations will haunt us. It is critical that organizations move forward with their eyes open. I would also make one counter-argument to your post, and that is that ALL software has vulnerabilities. Some more than others, but all software has vulnerabilities. I think a better approach would be to talk about weakness patterns rather than vulns. The Common Architectural Weakness Enumeration catalog would be a good place to start. The mapping from that to ZTA would be instructive in terms of "qualifying" vendor claims.

    A specific observation of the NCCoE documents (which I will also share with them) is that they simply show "how" to integrate, but they don't address what specific element of the ZTA architecture each specific action implements. In other words, you know what buttons to click to perform an implementation, but you don't know how complete that is - and worse - you don't know what is still missing.

    In summary - I agree with your sentiment - but perfect is the enemy of good. We must move forward with real products to get away from the pure marketing buzz word atmosphere currently associated with ZTA.

    George Johnson, CISSP

    George Johnson
    Domandus LLC

  • 6.  RE: NIST SP 1800 35 C and D Implementing a Zero Trust Architecture Drafts for Comment

    Posted Aug 18, 2022 01:48:00 AM
    Excellent comments by both Lee and George.  And I agree with the sentiments in both posts.

    To clarify my position, what disturbs me is the virtual infrastructure.  In the past few years the public cloud providers have accelerated R&D for network, hosting, platform and software infrastructure, hugely enhanced performance, and folded security by design into their offerings, both private and public.  I would be using the cloud as the lab. At an AWS re:Invent conference, I heard a representative from Morgan Chase explain how they went private cloud, only to change over to public cloud within a short space of time. Why?  Because the accelerated pace of cloud infrastructure innovation and development meant that their private cloud was out of date within a year.

    So what is stopping the use of the cloud as the lab?  It is more secure, more transparent, more cost effective, and is already a generation beyond the standard corporate data center.  And why risk an insecure data center when there is a highly secure infrastructure that is the driving force behind all our technology innovation and is much, much cheaper?


    Nya Murray

  • 7.  RE: NIST SP 1800 35 C and D Implementing a Zero Trust Architecture Drafts for Comment

    Posted Aug 12, 2022 01:27:00 PM

    Thanks for sharing, Michael. I have added this to the ZT EG Agenda.


    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    [email protected]