Zero Trust architecture, Implementation & Maturity Model

Recap: Workstream 9 - working session recap, July 24

    Posted 23 hours ago

    Hello all - thanks for a productive working session, on July 24.

    We covered two topics:

    > Shruti previewed the outline for a standalone Data Security whitepaper, and we discussed how it could align with our current Architecture whitepaper. We agreed that there is good alignment, and that we will revisit this once we get a solid draft of the outline.

    > We talked through John Kindervag's CSA blog post on mapping zero trust maturity to protect surfaces

    See https://cloudsecurityalliance.org/blog/2023/05/17/understanding-the-two-maturity-models-of-zero-trust

    Lots of discussion - one of our takeaways is that the "Zero Trust Architecture" in step 3 is really focused on the placement, capability, and maturity of the various Control Points (Policy Enforcement Points, or Segmentation Gateways (John's term))

    Next steps 

    > Walkthrough of the CCZT training materials - how they can be incorporated or referenced in the white paper.

    > Continued discussion of whitepaper goals 

    Thanks all - our next working session is on Wednesday, August 7 at 11am ET

    Recording link:

    https://cloudsecurityalliance.zoom.us/rec/share/uGFsOqqZ3vbEHXMstYalgfu_gg90EQfD6uqvuv0NPKCANKqu_mL_WTGqLfxSLsDW.fOUX4H_ELRjzucp5\

    AI - generated Summary Below

    Summary
    Data pillar and identity pillar perspectives @ 0:00
    Shruti Kulkarni shared an outline of the work her team has been doing to think about the data pillar and how it ties into zero trust architecture. Key topics included data loss prevention, data classification, sources of data exfiltration, and detective and preventive controls to mitigate data risks. The group discussed how this work could complement the "protect surface" document and potentially be a standalone white paper.


    Mapping zero trust maturity to protect surfaces @ 14:07
    The group reviewed a blog post by John Kindervag that discussed mapping zero trust maturity to specific protect surfaces, rather than assessing an entire organization's maturity. This led to a discussion about the pros and cons of this approach, and how to balance consistency in maturity models with the need for flexibility across different protect surfaces.


    Architecting zero trust for protect surfaces @ 18:31
    The group explored how the approach of focusing on specific protect surfaces, rather than a broad enterprise-wide zero trust architecture, could be incorporated into the step 3 "build zero trust architecture" deliverable. Key points included drilling down to the DAS element level, understanding control point capabilities, and iterating on a per-protect surface basis rather than a "big bang" approach.


    Next steps and action items @ 57:10
    The group agreed to review the CCSK version 5 and CCCT updates in the next meeting, as well as further discuss the insights from John Kindervag's blog post. Jason will reach out to John to get his perspective on some of the topics covered.


    Detailed AI - generated Summary Below

    The meeting centered on the development and implementation of Zero Trust Architecture, with a particular focus on the data pillar and its integration into the overall framework. Key discussions included the significance of data loss prevention (DLP) and the need for both preventive and detective controls to mitigate data exfiltration risks. Participants emphasized the importance of clarity in documentation and a project-specific approach to implementation, while also addressing concerns about monitoring practices and the complexity of maturity models. The group agreed on the necessity of mapping controls to protect surfaces and establishing baselines for sensitive systems, while also recognizing the need for consistency in the maturity model. Next steps include Shruti sharing insights on the data pillar and revisiting specific frameworks in future sessions.


    Next Steps
    • Shruti is expected to share insights on the work related to the data pillar and its relevance to building the Zero Trust Architecture. (06:16)
    • Jason suggested focusing on targeting specific low-maturity protected surfaces for enhancement, indicating a strategic approach to improving security measures. (38:32)
    • Jason suggests that the approach recommended in the referenced blog will be a significant part of the upcoming Step 3 white paper, indicating a clear direction for future work. (42:22)
    • Jason Garbis mentioned the need to revisit the CCESK version 5 and CCCT in the next working session, indicating a plan to reflect further on the discussed topics. (57:48)

    AI Insights

    The meeting was characterized by a high level of engagement and participation, with multiple participants actively contributing to discussions on data protection and Zero Trust architecture. Clear next steps were identified, although some lacked specificity. The meeting adhered well to the scheduled duration, indicating effective time management. Overall, the sentiment was positive, reflecting constructive discussions and agreement among participants.


    Topics & Highlights

    1. Zero Trust Architecture Discussion (06:03)

    • Shruti is expected to share insights on the work related to the data pillar and its relevance to building the Zero Trust Architecture. (06:16)

    2. Discussion on Zero Trust Architecture (19:03)

    • Jason Garbis expressed concern about the terminology used in the NSTAC report, specifically the difference between 'build a zero trust architecture' and 'architect a zero trust environment.' He noted that the latter may be more accurate and less misleading. (22:24)
    • It was agreed that the focus should be on the approach to be taken in the white paper regarding Zero Trust Architecture, rather than getting caught up in the terminology differences. (25:00)

    3. Zero Trust Architecture Implementation (25:34)

    • Hong raised a concern regarding the focus on monitoring and maintaining only the network in the Zero Trust maturity model, questioning why other components are not included in the monitoring process. (28:34)

    4. Discussion on Maturity Levels and Protect Surfaces (31:56)

    • Jason expressed concern about the practicality of monitoring and maintaining the network on a per-protect surface basis, indicating that some technologies are used horizontally across multiple surfaces. (34:02)
    • Erik noted that the maturity scores for protect surfaces may show consistency due to shared services, but there can still be differences in the level of maturity achieved in implementation. (35:56)
    • Jason suggested focusing on targeting specific low-maturity protected surfaces for enhancement, indicating a strategic approach to improving security measures. (38:32)

    5. Mapping Controls to Protect Surfaces (38:52)

    • Jason expresses concern that a linear approach to addressing security issues, starting from identity and moving to devices, may lead to a lack of success for security teams within organizations. (41:05)
    • Jason suggests that the approach recommended in the referenced blog will be a significant part of the upcoming Step 3 white paper, indicating a clear direction for future work. (42:22)

    6. Commonalities Across Protect Surfaces (45:36)

    • Andrea discusses the need to categorize systems based on their sensitivity, suggesting that this categorization can help in determining the baseline security measures required for each type of system. (45:36)

    7. Zero Trust Maturity Model Discussion (54:03)

    • Jason Garbis raised concerns about the maturity model's effectiveness in the context of Zero Trust, suggesting that it may complicate the understanding of organizational maturity. (54:11)
    • Andrea Knoblauch expressed her issues with the maturity model, indicating that the steps to achieve Zero Trust should be more straightforward and not overly complicated. (54:35)
    • The group agreed on the importance of maintaining consistency in the maturity model approach, suggesting that it should not vary across different elements. (56:09)
    • Jason Garbis mentioned the need to revisit the CCESK version 5 and CCCT in the next working session, indicating a plan to reflect further on the discussed topics. (57:48)


    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, Zero Trust Working Group
    Principal, Numberline Security
    Author: Zero Trust Security: An Enterprise Guide
    ------------------------------