Zero Trust architecture, Implementation & Maturity Model

Recap: Workstream 9 - working session recap, August 21

    Posted Aug 22, 2024 10:34:00 AM

    Hello all - thanks for a productive working session on August 21.

    We reviewed the Goals and Non-Goals of the Step 3 Whitepaper (Architect a Zero Trust Environment).

    Our next meeting is Wednesday, September 4 at 11am ET.

    AI-generated Notes:

    The group is working on the third paper in a 5-part series on the 5-step zero trust process. The first two papers have already been published, defining the protection surface and mapping transaction flows. This paper aims to provide in-depth guidance on designing zero trust architectures.


    Goals and non-goals for the paper @ 6:32
    The group discussed the key goals for the paper, including:

    Providing guidance on designing enterprise security architectures to support zero trust

    Exploring the concept of "protect surface components" and how to map them to policy enforcement capabilities

    Introducing the idea of "protect surface classes" to manage policies at scale

    The non-goals include avoiding creating a new reference architecture or maturity model, and not providing vendor recommendations or code samples.


    Exploring zero trust architectures @ 39:29
    The group plans to review the 800-207 zero trust architecture, but also explore other common architectural patterns like cloud-routed, service mesh, and micro-segmentation approaches. The goal is to map these architectures to the policy enforcement capabilities that organizations will need to implement zero trust policies.


    Defining a policy enforcement capability model @ 41:39
    A key focus of the paper will be defining a model for understanding the different policy enforcement point (PEP) capabilities that organizations may have, and how those map to the protect surfaces they need to secure. This will help organizations assess their current capabilities and identify gaps to address.


    Next steps @ 48:32
    The group plans to flesh out the outline over the next few weeks, with different members taking responsibility for expanding on specific sections. They will then circulate the outline for feedback from key stakeholders like John Kindervag before beginning the writing process.

    Zoom recording link: https://cloudsecurityalliance.zoom.us/rec/share/gsz-HTJxw6B7jkTj5yaQ_QhFS3TD3rG_koXEdJZhaauWgiePGJZa-OGiqM3rZQJI.JniS-tdz7T7Jotq6



    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, Zero Trust Working Group
    Principal, Numberline Security
    Author: Zero Trust Security: An Enterprise Guide
    ------------------------------