Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on May 19
We completed our walkthrough and discussion about the CISA Zero Trust Maturity Model.
Meeting recording (.mov): https://drive.google.com/file/d/1biMduPP1yM3GNPrZ871jEFGPqjkLgXvU/view?usp=sharing
Apologies for the recording - due to technical difficulties, this recording only includes the screensharing, and my portion of the audio. The other participants' audio was not captured. Moving forward, we will not encounter this issue.
Topic: Walkthrough of CISA Zero Trust Maturity Model (conclusion)
- Application Workload
- externalizing authentication - definitely a common pattern
- externalizing authorization - haven't seen a lot of traction with this
- maybe. There is externalized authorization at the Advanced phase. Maybe just for role consumption vs. consuming fine-grained authorization
- XACML? PlainID as a vendor. Policy-Based Access Control PBAC
- Open Policy Agent as an example of this
- Would using OPA mean you're at the Optimal phase?
- Undefined in the document. Is this vulnerability management?
- Would log4j as a library vuln be part of this? Or an app-specific vuln e.g. SQL injection?
- Or Threat Modeling, like Microsoft STRIDE, or OWASP?
- Removal of VPN is good advice, but the wording "accessible to users over the internet" is poor advice as written, and counter to ZT
- straightforward progression, toward DevSecOps as a practice
- monitoring and telemetry
- also application security profile / configuration?
- Tied into DevOps and CI/CD
- Apps might be moved by an infra manager, e.g. a container orchestrator
- vague at the higher levels
- should this be tied to compliance controls?
- bi-directional - consuming control requirements, feeding back results, and orchestrating config changes
- Access Authorization
- Threat Protections
- Application Security
- Visibility and Analytics
- Automation and Orchestration
- this is hard and often poorly done
- Need tools to augment
- Need to better highlight the data discovery
- needs to have systems (PEPs, Apps, or DLP) that can consume ZT context (identity, device, risk) and control access to data accordingly
- DLP tying to higher-level ZT policy
- DLP has to consume ZT Policy
- "data tagged 'sensitive' can only be accessed by users with a risk score below 3"
- This policy might be consumed by a DLP system, from a ZT system
- Data mask for PII - another example of a policy. Data tagged as "PII" must be masked for all users
- Should there be a distinction between disk encryption and application-level encryption?
- At rest - doesn't cover lifecycle stages. e.g. backup or archive
- Does include discovery aspects here
- data inventory - lack of ownership and accountability
- Access determination
- Data retention - policies need to account for this somewhere in this model
- Automation and Orchestration
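To make the data-pillar discussion above concrete, here is an added example (not from the CISA model or any vendor product) of a toy policy decision point that consumes ZT context (identity, device, risk score) plus data tags and evaluates the two policies mentioned in the notes: "sensitive" data only below risk score 3, and PII masked for all users. The policy format, the 0-10 risk scale and the PII field names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Policies as a ZT policy system might publish them for a DLP/PEP to consume
# (constructed, illustrative format; real systems use their own schema).
POLICIES = [
    {"tag": "sensitive", "effect": "deny_if_risk_at_or_above", "threshold": 3},
    {"tag": "PII", "effect": "mask"},
]

# Assumed: which record fields count as PII and get masked.
PII_FIELDS = {"ssn", "email", "phone"}


@dataclass
class ZTContext:
    user: str
    device_compliant: bool
    risk_score: int  # assumed 0 (lowest) .. 10 (highest) scale


@dataclass
class Record:
    tags: set
    fields: dict


@dataclass
class Decision:
    allow: bool
    reason: str
    data: dict = field(default_factory=dict)


def mask(value: str) -> str:
    """Keep only the last four characters, e.g. 123456789 -> *****6789."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def decide(ctx: ZTContext, record: Record, policies=POLICIES) -> Decision:
    """Evaluate every policy whose tag matches the record; deny wins over mask."""
    data = dict(record.fields)
    for p in policies:
        if p["tag"] not in record.tags:
            continue
        if p["effect"] == "deny_if_risk_at_or_above" and ctx.risk_score >= p["threshold"]:
            return Decision(False, f"{p['tag']}: risk {ctx.risk_score} >= {p['threshold']}")
        if p["effect"] == "mask":
            data = {k: mask(v) if k in PII_FIELDS else v for k, v in data.items()}
    return Decision(True, "allow", data)
```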
Next meeting - Thursday, June 2 at 8am ET - which is 13:00 UTC / 8pm China Standard Time
Topic: Examination of the National Security Telecommunications Advisory Committee (NSTAC) Draft Report to the President: Zero Trust and Trusted Identity Management
We will post the meeting Zoom link within 36 hours of the next meeting