It's set for commenting access for all ZT workgroup members and read access for anyone with the link.
Original Message:
Sent: Sep 04, 2023 02:29:05 AM
From: Nya Murray
Subject: Open for Public Comment: NIST NCCoE Zero Trust Architecture Preliminary Draft Practice Guide (Vol D)
Can you make this accessible please, Erik. For the benefit of the group, I believe there is a basic weakness in the Use Case A: Discovery and Identification of IDs, Assets, and Data Flows. Here is my comment, as clarity here is essential for subsequent sections. I would be interested in other ZTA practitioner views.
Scenario A-1: Discovery and authentication of endpoint assets – this section refers to a precondition that "The enterprise infrastructure is a macrosegmented local network with an 'enterprise' segment with resources that can only be accessed by authorized Enterprise-IDs and a 'guest' segment with access to the public internet only." This is now an out-of-date description for network segmentation. Enterprise segments and guest segments are no longer segregated by private network and public network. Network segmentation can apply to SaaS for both enterprise users and guest users. Third parties are often provided access by segment to functionality NOT over the public internet. For a start, the focus on network segment as being inferred from Enterprise ID and Guest ID is too vague. Presumably these are identity management precepts, not network segmentation access identifiers. As it currently reads, there is a confusion between network identification and access service identity management. This is important, because subsequently re-authentication is referred to. If authentication, authorization and access management are not adequately defined from the outset, the following sections are based on vague assumptions. This weakens the rest of the document.
------------------------------
Nya Murray
Director
Trac-Car
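The distinction drawn above, between a decision keyed on which network segment a request arrives from and a decision keyed on the subject's identity, device posture and session freshness, can be made concrete with a small policy engine. The following is an added example written for this thread; it is not code from the NIST draft, from the NCCoE builds, or from any of the posters. All resource names, identity sources, segment names, thresholds and request records are constructed for illustration.

```python
"""Toy policy decision point contrasting a segment-based precondition with an
identity/device-based decision. Added example; every name and value below is
hypothetical and constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject_id: str         # hypothetical subject identifier, e.g. "alice@corp.example"
    identity_source: str    # which identity provider vouched for the subject: "enterprise", "guest", "partner"
    network_segment: str    # where the packets arrive from: "enterprise", "guest", "saas", "internet"
    device_compliant: bool  # constructed posture signal (e.g. from an endpoint agent or MDM)
    auth_age_seconds: int   # seconds since the subject last authenticated
    resource: str


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_identity_sources: frozenset
    require_compliant_device: bool
    max_auth_age_seconds: Optional[int]  # None means no freshness requirement


# Constructed sample policies keyed by hypothetical resource names.
POLICIES = {
    "hr-payroll": ResourcePolicy(frozenset({"enterprise"}), True, 900),
    "partner-portal": ResourcePolicy(frozenset({"enterprise", "partner"}), True, 3600),
    "public-site": ResourcePolicy(frozenset({"enterprise", "guest", "partner"}), False, None),
}


def segment_decision(req: AccessRequest) -> str:
    """Decision keyed only on network location, as in the precondition being critiqued:
    anything on the 'enterprise' segment is trusted, anything else gets internet only."""
    if req.resource == "public-site":
        return "allow"
    return "allow" if req.network_segment == "enterprise" else "deny"


def zta_decision(req: AccessRequest) -> str:
    """Decision keyed on identity source, device posture and session freshness.
    The network segment is not consulted here; it would at most be one more signal,
    never a grant on its own."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "deny"  # default-deny for resources with no policy
    if req.identity_source not in policy.allowed_identity_sources:
        return "deny"
    if policy.require_compliant_device and not req.device_compliant:
        return "deny"
    if policy.max_auth_age_seconds is not None and req.auth_age_seconds > policy.max_auth_age_seconds:
        return "reauthenticate"  # the re-authentication step later scenarios depend on
    return "allow"


def compare(req: AccessRequest) -> Tuple[str, str]:
    """Return (segment-based decision, identity-based decision) for one request."""
    return segment_decision(req), zta_decision(req)


# Constructed requests showing where the two models disagree.
CASES = {
    # Enterprise identity reaching a resource through a SaaS-fronted path, not the LAN.
    "enterprise_user_via_saas": AccessRequest("alice@corp.example", "enterprise", "saas", True, 60, "hr-payroll"),
    # Guest identity plugged into a port on the enterprise segment.
    "guest_on_enterprise_lan": AccessRequest("visitor-17", "guest", "enterprise", False, 60, "hr-payroll"),
    # Enterprise identity on the enterprise segment, but the session is two hours old.
    "stale_session_on_lan": AccessRequest("bob@corp.example", "enterprise", "enterprise", True, 7200, "hr-payroll"),
    # Third party with a partner identity coming in over the internet to a partner resource.
    "partner_over_internet": AccessRequest("carol@partner.example", "partner", "internet", True, 100, "partner-portal"),
}


if __name__ == "__main__":
    for name, req in CASES.items():
        seg, zta = compare(req)
        print(f"{name:28s} segment-based={seg:6s} identity-based={zta}")
```

The first two cases are the point of the comment: a segment-only rule denies a legitimate enterprise identity that does not arrive over the enterprise LAN and allows a guest identity that does, while the identity-based rule does the opposite. The third case shows why the later re-authentication step needs the session-freshness input defined up front, and the fourth shows a third party admitted by identity rather than by being placed on a trusted segment.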
Original Message:
Sent: Aug 23, 2023 01:00:46 PM
From: Erik Johnson
Subject: Open for Public Comment: NIST NCCoE Zero Trust Architecture Preliminary Draft Practice Guide (Vol D)
Great. Here's a shared comment file that we can all use. Default access is Commenter. Let me know if you have comments you'd like to add in Edit mode.
CSA-zta-nist-sp1800-35-comment-form.xlsx
------------------------------
Erik Johnson CCSK, CCSP, CISSP, PMP
Senior Research Analyst
Cloud Security Alliance
[email protected]
Original Message:
Sent: Aug 23, 2023 08:07:13 AM
From: Richard Baker
Subject: Open for Public Comment: NIST NCCoE Zero Trust Architecture Preliminary Draft Practice Guide (Vol D)
Erik, I would think yes. I am currently collecting my own comments.
An overall comment is that section 2 reads like a compliance statement. There are a significant number of UC that are repetitive in that they enumerate a large number of permutations, yet the expected outcome is the same for each line.
I think it also has questions for O&A and V&A in terms of granularity and sources of signals and API to enforce controls.
Richard
------------------------------
Richard Baker
Security Innovation Consultant
Original Message:
Sent: Aug 23, 2023 07:49:35 AM
From: Erik Johnson
Subject: Open for Public Comment: NIST NCCoE Zero Trust Architecture Preliminary Draft Practice Guide (Vol D)
Here's the link to the NIST landing page for info and context on the full set of NCCoE ZT docs: https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
Is there any interest in compiling an aggregate and harmonized set of CSA comments on this?
------------------------------
Erik Johnson CCSK, CCSP, CISSP, PMP
Senior Research Analyst
Cloud Security Alliance
[email protected]
Original Message:
Sent: Aug 23, 2023 02:39:00 AM
From: Michael Roza
Subject: Open for Public Comment: NIST NCCoE Zero Trust Architecture Preliminary Draft Practice Guide (Vol D)
Hi All,
Open for Public Comment: NIST NCCoE Zero Trust Architecture Preliminary Draft Practice Guide (Vol D)
NIST's National Cybersecurity Center of Excellence (NCCoE) has released the third version of volume D of a preliminary draft practice guide titled "Implementing a Zero Trust Architecture" (ZTA) and is seeking the public's comments on its contents.
This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. Volume D provides a functional demonstration plan and the updated version includes demonstration results for ten builds.
As an enterprise's data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero-trust architecture applied to a conventional, general-purpose enterprise IT infrastructure on-premises and in the cloud.
The NCCoE is making volume D available (https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture) as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments by October 9th, 2023. Comments and questions for the team can be sent to [email protected].
@Erik Johnson
@Anna Schorr
@Chandler Curran
------------------------------
Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA
------------------------------