Zero Trust

 View Only
  • 1.  Zero Trust Maturity Model initiative - July 28 Meeting Notes

    Posted Jul 29, 2022 08:10:00 AM

    Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on July 28. We began the discussion and debate about what we believe we can and should create as part of this Zero Trust Maturity Model initiative.

    Meeting Recording: 

    https://cloudsecurityalliance.zoom.us/rec/share/2J0YW7InK1CSxHGAoCqBdzO6yj0M104PauWqN1MKj0RHufYJqn9-v7zhbmKxsz3u.43bP-Y7KJvsXHyXb?startTime=1659008768000

    Passcode: $%?G$Z0R

    Note that the meeting content starts at 16:55 into the recording

    Meeting Notes

    July 28 Meeting -

    • Recap / Summary of overall ZTMM initiative
    • Opportunity to step back, decide - what is needed in the market?
    • Where are the gaps, how could orgs use?
    • ROI / Business Value of ZT?
      • there is business value associated with ZT Initiatives. It can be measured and communicated. 
      • May or may not be tied to a maturity model
    • ZTMM - tied to risk reduction?
    • How to better align ZT with business value - in order to engage business leaders
      • if security is viewed as just a cost center, it is viewed as delivering risk reduction
      • Is this tied into a ZTMM?
    • Can we create a way to better communicate the business value?
      • g. how can I securely enable remote workers?
      • this can reduce real estate and personnel costs, and open hiring to people in different geographic locations without compromising security and user experience
      • Of course VPNs enable some of this - but not securely, not effectively, and not in a forward-looking way
    • Orgs STILL struggle with the basics
      • g. disabling accounts when an employee is terminated
      • How can we help educate and enable a ZT approach to these basics
    • How to get from step 0 to step 1 along a ZTMM?
      • to help orgs with the basics
    • Definition of ZT - not just for practitioners, but also for business leaders
      • communicate the benefits of ZT
    • Who are the target audiences for what we are thinking about?
      • Technical implementers?
      • security leaders?
      • Economic buyers / decision-makers?
      • CISO / CIO
        • How to empower them to talk about ZT - in a way that's meaningful to a non-technical audience?
      • ZTMM
        • pillars (identity, device, etc) - mapping to actions / improvements
        • Do too many people look at ZT from a greenfield perspective?
        • EVERY org has some in-place "legacy" / existing components that need to be considered
          • e.g. on-prem AD, in-place workloads, in-place networks
        • ZTA expert group also recognizes that all orgs are hybrid
      • Alex: CSA is taking this approach in the ZTA training course
        • Policies, Access Control
      • Basic definitions?
        • e.g.. "What is an Identity Provider?"
          • what should it do? Is on-prem AD an Identity Provider?
        • Plan - to have the CSA group working on the ZTA Training Course - present to this group
          • Current status, plans, target audience, etc
        • Compliance benefits of ZT
          • Important as a way to get attention of the business
        • Show ways to get from one maturity level to the next
          • With specific actions and steps
          • That then get mapped to organization-specific

      

    Next meeting - Thursday, August 11 at 8pm EDT - which is Friday August 12 at 00:00 UTC / GMT, and Friday August 12 at 8am China Standard Time, 9am Japan Standard Time

    We will post the meeting Zoom link within 36 hours of the next meeting

    Topic: Continued recap of our ZTMM reviews to date, and opening the discussion for what we should create as a working group, now that our initial set of reviews are done. Note: We will have this discussion over the next several meetings, in order to accommodate people in all time zones



    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, SDP Zero Trust Working Group
    CPO, Appgate
    ------------------------------


  • 2.  RE: Zero Trust Maturity Model initiative - July 28 Meeting Notes

    Posted Aug 02, 2022 03:10:00 AM
    Thank you, Jason.

    During the working group session, I mentioned a growing concern we are overly focused on training front-line and entry-level skills while the greatest need is mid and senior levels. I think I also mentioned there was some talk about the White House, CISA, and others hosting some events. The group might find this interesting.

    Cheers,
    alex.

    https://www.whitehouse.gov/briefing-room/statements-releases/2022/07/21/fact-sheet-national-cyber-workforce-and-education-summit/

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    alex@sharpellc.com
    ------------------------------



  • 3.  RE: Zero Trust Maturity Model initiative - July 28 Meeting Notes

    Posted Aug 03, 2022 07:41:00 AM
    Hi Jason

    At the end of the meeting Erik offered a starting point with the high level ZT foundation pillars as the top level of the ZTMM

    I responded that it would be useful to create the matrix by walking down a tree from each of the pillars with increasing levels of technical complexity.  So that the people who are making the decisions about implementing ZT, usually C-Suite level, could understand the rationale, and read the top couple of levels of the matrix.

    I gave the example
    Device >
              Secure provisioning/devprovisioning processes>
                       Device security
                       Human resources/workflow security
              Secure message transmission >
                        Message classification>
                                 Sensitive data transmission encryption>
                                              Encryption verification
             Secure Operating System >
                         Up-to-date version
                         Up-to-date patches

    To me, the problem is not that we do not know what constitutes Zero Trust, it is that we must communicate ZT to business owners and technical SMEs equally effectively. Otherwise ZT continues to be whatever a vendor chooses to define to suit their product set, which is the case at the moment.

    Otherwise, a reasonable record of the call.  Yes, Alex's contribution is important, as it summarises the level of understanding required for the output from the group.

             




                                             


    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 4.  RE: Zero Trust Maturity Model initiative - July 28 Meeting Notes

    Posted Aug 04, 2022 08:27:00 AM
    Hi,
    support Nya's approach, gives flexibility to at who is reading or applying these principles.
    Suggest to have minimum objectives in the top layers as baseline for say Level 1, confirmation of adhering to couple different areas?
    (Needs to align all pillars and show areas of continual improvements)

    ------------------------------
    Bernard Coetzee
    Capitec Bank
    Capitec Bank
    ------------------------------