Zero Trust

 View Only

Zero Trust Maturity Model initiative - June 30 Meeting Notes

  • 1.  Zero Trust Maturity Model initiative - June 30 Meeting Notes

    Posted Jul 01, 2022 05:28:00 AM

    Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on June 30. We reviewed and discussed the Huwaei Zero Trust Maturity Model proposal – thanks, Shandy, for walking us through it. 

    Meeting Recording: ** Note: The meeting content starts at 10 minutes, 45 seconds into the recording. 

    Link: https://cloudsecurityalliance.zoom.us/rec/share/21q9ZX84NdZI-ND3QxkW3saAFTX6Eht2j0l6e0hbOkqMhBTQk9XtphPK-is01tJM.m7bUmUmPTNdK2qYQ?startTime=1656589897000

    Passcode: =9C.8JN^

    Meeting Notes:

    Topic:  Review of Huawei ZTMM draft

    • Walkthrough of Huawei proposal
    • 5 domains (consistent with industry approach)
    • 5 maturity levels
      • is consistent with other models
      • 5 is better than 3 - there is better granularity, and ability to show differences
        • 3 is not enough - "everyone" is at level 2, and will stay there . It's harder to show progress in this case
    • Timeline view?
    • Phased approach - needed for each organization
      • times and phases will by necessity be different for each org
    • Sensitivity to external factors
      • Should / Could this be part of the model?
      • Continuous governance and assessment - as part of a ZT Program
        • reassessment - regularly for progress and status across the domains, to take into account changes in the external environment
      • Tie risk to maturity level?
      • Example - Nya's client - financial services firm, using established risk measurements to score specific technical aspects
      • Is tying risk to ZTMM too advanced for most orgs today?
    • Security (and enterprises overall) are still often struggling with the basics
      • Although it differs by industry
      • Many are in 1-3 range, some closer to 4, especially if they are in high tech industries
    • Subdomains - discussion
      • 20 domains across the 5 areas
      • How prescriptive should we be / can we be, since these documents have to be generic across orgs?
      • Maybe aim for more of a toolkit that people could use to create their own maturity pathway?
    • Would a generic toolkit be too advanced / complex for those orgs that are still struggling with the basic?
      • idea - playbooks for specific activities to guide org.
        • .e.g (?) migrating from an on-prem AD to an IDaaS, from a ZT perspective
        • with technology examples (maybe not specific vendors)
    • For next couple sessions
      • recap and thoughts across these multiple models
      • What can / should we as a WG create?
    • Timing of CISA ZTMM v2?
      • Response from CISA: "We are going to begin comment adjudication on the Draft Zero Trust Maturity Model soon. There is no official timeline for release, but we anticipate this will occur by the end of the calendar year."

     Next meeting - Thursday, July 14 at 8pm EDT - which is Friday July 15 at 00:00 UTC / GMT, and Friday July 15 at 8am China Standard Time, 9am Japan Standard Time

    We will post the meeting Zoom link within 36 hours of the next meeting

    Topic: Recap of our ZTMM reviews to date, and opening the discussion for what we should create as a working group, now that our initial set of reviews are done. Note: We will have this discussion over the next 2 meetings, in order to accommodate people in all time zones

     

     



    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, SDP Zero Trust Working Group
    CPO, Appgate
    ------------------------------