Software Defined Perimeter

Zero Trust Maturity Model initiative - June 2 Meeting Notes


    Posted Jun 05, 2022 10:09:00 AM

    Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on June 2.
    We reviewed and discussed the recent National Security Telecommunications Advisory Committee (NSTAC) Draft Report to the President: Zero Trust and Trusted Identity Management
    Link: 
    https://www.cisa.gov/sites/default/files/publications/Final%20Draft%20NSTAC%20Report%20to%20the%20President%20on%20Zero%20Trust%20and%20Trusted%20Identity%20Management.pdf

    Meeting recording
    https://cloudsecurityalliance.zoom.us/rec/share/UFke4gjLv_Tp0LVDuHrTKEjWQz4_M0brL4G1gAlHq7Hatsc87MceKOWUJf4AS75Q.dFATmuhl6dgRSPPO?startTime=1654171023000
    Passcode: 7TXf275.

    Meeting notes:

      Topic:  National Security Telecommunications Advisory Committee (NSTAC) Draft Report to the President: Zero Trust and Trusted Identity Management

          • History of NSTAC - established 1982
          • Document
          • Focus & scope - broad and programmatic - org as important as the technology
          • Aiming to transform Federal approach to ZT with program management, operations, and baking it into 
          • Metrics - highlighted as first recommendation - "establish or enhance existing metric-based reporting requirements tied to industry best practices for zero trust implementation" - in order to measure "ROI" and quantify benefits from ZT
          • Emphasis on governance framework (more than technology) for measuring and guiding the transformation to ZT
          • example - Hospital
            • Not in the IT business. Budget challenges - preference for allocating budget to improving patient care vs. IT and security
            • CISOs often have short tenures - need to be able to demonstrate improvements (metrics, again) on security strategies
            • for ZT, metrics will need to tie to strategic ZT improvements
          • Maturity Model
            • 5 steps - good, straightforward model
          • Visibility (define the protect surface)
            • Most orgs are only at stage 1 or 2 (maybe even "stage 0")
            • Lack of visibility and basic security hygiene - often missing
            • Orgs NEED to have a baseline understanding of network assets (data, workloads, etc) in order to get started
            • Many orgs DO have good understanding of most valuable assets (crown jewels), and decent security model around them, but don't have a comprehensive view of their full environment
          • ZTMM - appendix B
            • Directory Services - an example of the types of content in a ZTMM that is needed
            • Connection to compliance controls - mapping, demonstrating how ZT initiatives help to meet these regulatory requirements
            • A way to gain additional organizational support, champion, and demonstrate (metrics) benefits from ZT 
            • Table 8 - great example. Many of the concepts & terms are more broadly applicable than just to Directory Services
            • Transition recommendations - e.g. "to move from stage 2 to stage 3" - very useful



          Next meeting - Thursday, June 30 at 8am ET - which is 13:00 UTC / 8pm China Standard Time

          We will post the meeting Zoom link within 36 hours of the next meeting



          ------------------------------
          Jason Garbis, CISSP
          Co-Chair, SDP Zero Trust Working Group
          CPO, Appgate
          ------------------------------