Thanks Michael. I think it is very important that people give this some thought. I appreciate that NIST are being pragmatic in getting a Zero Trust architecture approach together. I am a senior architect, and this approach has been tried a number of times. Inheriting architecture from vendors' deployments provides for baking in weaknesses that are in the vendor's products. On the other hand, NIST has to do something, and they have started with a traditional physical architecture that is found in many large corporations. Tick for relevance. The products they have chosen are fairly widely used. Tick for applicability.
However it is important not to tie ZT Architecture into an infrastructure, platform, software and network architecture which has well known flaws and vulnerabilities.
This may be appealing from the let's get this done POV. However I would point out that the traditional network and server architecture (not particularly network well segmented and endpoint security mechanisms not particularly securely virtualized) plus identity management products the inherent vulnerabilities of which are well known, particularly by state sponsored threat actors, I am quite shocked.
Personally, I have been around this block a number of times during my career. Every iteration of architecture driven by vendor products has resulted in regret down the track, not only in terms of costs, but also in terms of cyber security. To mitigate this risk, I ask that senior security professionals comment on these documents pointing out the known and documented security vulnerabilities in this scenario.
Otherwise my view is that this exercise is in danger of kicking an own goal in terms of propagating vulnerabilities and widely instantiating single points-of-failure, and locking in technology that was once state of the art, but is being superceded by the enormous development money that has been spent on private cloud deployments by major corporations, that has produced simplification and stratification and cost reductions for best practice network, hosting, platform, software, identity and device virtualization. IMHO.
Sent: Aug 09, 2022 11:28:48 PM
From: Michael Roza
Subject: NIST SP 1800 35 C and D Implementing a Zero Trust Architecture Drafts for Comment
Open for Public Comment: Zero Trust Architecture Preliminary Draft Practice Guide (Vol. C-D)
The Zero Trust Architecture (ZTA) team at NIST's National Cybersecurity Center of Excellence (NCCoE) invites public comments on volumes C-D of a preliminary draft practice guide "Implementing a Zero Trust Architecture". This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. As the project progresses, the preliminary draft will be updated, and additional volumes will also be released for comment.
As an enterprise's data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general purpose enterprise IT infrastructure on premises and in the cloud.
We Want to Hear from You!
The NCCoE is making volumes C-D available as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments online on or before September 9, 2022.
Comment Here: https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture#publications_comment_form
@Jason A. Garbis
Michael Roza CPA, CISA, CIA, MBA, Exec MBA