Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on July 28. We began the discussion and debate about what we believe we can and should create as part of this Zero Trust Maturity Model initiative.
Note that the meeting content starts at 16:55 into the recording
July 28 Meeting -
- Recap / Summary of overall ZTMM initiative
- Opportunity to step back, decide - what is needed in the market?
  - Where are the gaps, how could orgs use it?
- ROI / Business Value of ZT?
  - There is business value associated with ZT initiatives. It can be measured and communicated.
  - May or may not be tied to a maturity model
  - ZTMM - tied to risk reduction?
- How to better align ZT with business value - in order to engage business leaders
  - If security is viewed as just a cost center, its value is seen only as delivering risk reduction
  - Is this tied into a ZTMM?
  - Can we create a way to better communicate the business value?
    - e.g. how can I securely enable remote workers?
      - This can reduce real estate and personnel costs, and open hiring to people in different geographic locations without compromising security and user experience
      - Of course VPNs enable some of this - but not securely, not effectively, and not in a forward-looking way
- Orgs STILL struggle with the basics
  - e.g. disabling accounts when an employee is terminated
  - How can we help educate and enable a ZT approach to these basics?
  - How to get from step 0 to step 1 along a ZTMM?
    - To help orgs with the basics
- Definition of ZT - not just for practitioners, but also for business leaders
  - Communicate the benefits of ZT
- Who are the target audiences for what we are thinking about?
  - Technical implementers?
  - Security leaders?
  - Economic buyers / decision-makers?
    - CISO / CIO
  - How to empower them to talk about ZT - in a way that's meaningful to a non-technical audience?
    - Pillars (identity, device, etc.) - mapping to actions / improvements
- Do too many people look at ZT from a greenfield perspective?
  - EVERY org has some in-place "legacy" / existing components that need to be considered
    - e.g. on-prem AD, in-place workloads, in-place networks
  - ZTA expert group also recognizes that all orgs are hybrid
  - Alex: CSA is taking this approach in the ZTA training course
- Basic definitions?
  - e.g. "What is an Identity Provider?"
    - What should it do? Is on-prem AD an Identity Provider?
- Plan - to have the CSA group working on the ZTA Training Course present to this group
  - Current status, plans, target audience, etc.
- Compliance benefits of ZT
  - Important as a way to get the attention of the business
- Show ways to get from one maturity level to the next
  - With specific actions and steps
  - That then get mapped to organization-specific
Next meeting - Thursday, August 11 at 8pm EDT - which is Friday August 12 at 00:00 UTC / GMT, and Friday August 12 at 8am China Standard Time, 9am Japan Standard Time
We will post the meeting Zoom link within 36 hours of the next meeting
Topic: Continued recap of our ZTMM reviews to date, and opening the discussion for what we should create as a working group, now that our initial set of reviews are done. Note: We will have this discussion over the next several meetings, in order to accommodate people in all time zones
Jason Garbis, CISSP
Co-Chair, SDP Zero Trust Working Group