Workstream 9 - April 17 Meeting Recap, and Next Steps
Hello all - thanks for a productive working session today.
Notes, plans, and homework:
Human-Generated Meeting Summary and Next steps:
- Quick reminder of three recent Zero Trust-related documents published by the NSA that are worth reading:
1. Advancing Zero Trust Maturity Throughout the Network and Environment Pillar
https://media.defense.gov/2024/Mar/05/2003405462/-1/-1/0/CSI-ZERO-TRUST-NETWORK-ENVIRONMENT-PILLAR.PDF
2. Advancing Zero Trust Maturity Throughout the Data Pillar
https://media.defense.gov/2024/Apr/09/2003434442/-1/-1/0/CSI_DATA_PILLAR_ZT.PDF
3. Implement Network Segmentation and Encryption in Cloud Environments
https://media.defense.gov/2024/Mar/07/2003407861/-1/-1/0/CSI-CloudTop10-Network-Segmentation.PDF
Recommendation - read these
Potential Action - Erik - Consider a 1-hour webcast to have a SME talk through these
- Priority for this Workstream: Writing the Whitepaper on Step 3 of the 5-step process; Build a Zero Trust Architecture
Plan:
* For Workstream Meeting - May 1
Homework:
Review NIST 800-207 Zero Trust Architectures https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Review NIST 800-215: Guide to a Secure Enterprise Landscape https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-215.pdf
Meeting Topic: we will talk through these from the POV of Zero Trust Architecture patterns and approaches
* For Workstream Meeting - May 15
Homework:
Review first 2 CSA whitepapers on the 5 step process :
Meeting Topic: we will talk through these two papers
Thanks all
--Jason
AI-generated Meeting Summary:
Next steps
• All team members will review the MSAC report and relevant design architectures in NIST 802.07 before the next working session.
• In the next working session, the team will discuss and define a 0 Trust Architecture, considering the principles and considerations outlined in the MSAC report and NIST 802.07.
• Jason will post links to all the relevant documents and clearly outline the next steps and action items for the team.
Summary
Cybersecurity Reports and Guidance Update
Jason started the meeting with Eric's limited participation due to a conflict, and Chris Steffen's attendance yet to be confirmed. Jason emphasized the importance of staying updated with the latest cybersecurity reports and guidance, specifically the 'Cybersecurity Information Sheet' series from the NSA. He highlighted these reports as a valuable source of information not covered in the 'CSA' document, and encouraged everyone to download and review them, especially the identity and devices pillars. Osama confirmed finding the reports useful.
Developing White Paper on 0 Trust Architecture
Jason stressed the importance of creating a white paper outlining the development of a 0 trust architecture across nine prioritized work streams. The discussion focused on the concept of the 'protect surface', its variation among enterprises, and the need for refining it through practical application. Jason also advocated for a debated scope for the white paper, referencing the CSA's first white paper and suggesting a spectrum of possibilities. Perry concurred with Jason's points, emphasizing the importance of a principles-focused approach.
Designing Protect Surface Analysis for Network Protocols
Perry, Jason, and Joel discussed the challenges and considerations in designing a protect surface analysis for different types of network protocols. Jason emphasized the importance of understanding different entry points into an ERP system, such as a web interface, direct operating system access, and hypervisor administration. Perry stressed the need to balance web-focused examples with other protocols and highlighted the problems that can arise with certain types of workloads, such as real-time streaming and server-to-user traffic. Both agreed on the necessity of considering niche use cases that could impact enterprise deployments.
Clarifying '0 Trust Architecture' Concepts
Joel questioned the team's understanding of '0 trust architecture' in the context of their security practices. Jason clarified that there is no clear definition of '0 trust architecture' in their current documentation, and the concept is open to debate. He explained that it pertains to the policy enforcement point capabilities in their environment, the devices used, and the identity information available, which directly impacts the creation of a '0 trust policy'. Jason also mentioned that they are not starting from scratch, referencing the NIST 802.07 document on '0 trust architectures', but emphasized the need to define their own interpretation.
Architectural Patterns and Policy Enforcement
Jason proposed focusing on architectural patterns and policy enforcement capabilities in their upcoming work, emphasizing the importance of defining these concepts. Joel agreed, suggesting they needed to work on pattern definitions from sources like NIST. Perry recommended the overlooked document, 800-215, for its detailed definitions of ZTNA and micro-segmentation, which Jason agreed was a valuable resource. They decided to review this and NIST 802.07 in upcoming working sessions, with Jason encouraging the team to use the information as a starting point and not as current facts.
Defining Zero Trust Architecture and Guidelines
Jason led a discussion on the architecture and scope of a yet-to-be-defined document. He suggested that the team review the MSAC report, the 180215, and relevant design architectures in 80207 in the upcoming working session. He proposed to define a 'Zero Trust Architecture' and develop guiding principles for the white paper. Jason also recommended reviewing two white papers that define the Protect Service and map the transaction flows, as they would be foundational to their work. He assigned Eric as the note taker and committed to sharing links to all the documents and outlining the tasks for the next sessions.
Next Working Session and Framework Integration
Jason announced that the next working session was scheduled for May 1st, which would not conflict with the RSA conference. Perry suggested incorporating a problem-solution-impact framework inspired by Mitel into their project. Jason agreed to consider this and planned to establish a clear pathway and action items for the next meeting. The focus of the upcoming sessions would be reviewing existing documents and discussing the 5-step process, with the aim of applying these learnings to their current project. Jason emphasized the value of diverse perspectives and thanked everyone for their participation.
AI-generated content may be inaccurate or misleading. Always check for accuracy