The Inner Circle

  • 1.  Zero Trust Planning and Guidance

    Posted Oct 20, 2022 01:07:00 PM

    I found that there are a number of articles on Zero Trust but nothing truly as substantial as the NIST guidelines besides obtaining a few published titles. Happy Reading!

    • Zero Trust Networks - Evan Gilman and Doug Barth
    • Practical Cloud Security - Chris Dotson
    • Zero Trust Security: An Enterprise Guide - Jason Garbis and Jerry Chapman

    site links:

    DoD ZT Ref Arch
    DoD Zero Trust Reference Architecture | CSA

    NIST publication on ZT
    https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.20.pdf



    ------------------------------
    Kristian Gonzalez
    Security Team
    IoT Home Lab
    ------------------------------


  • 2.  RE: Zero Trust Planning and Guidance

    Posted Oct 21, 2022 05:26:00 AM
    A good list, Christian.

    Are you looking for something specific?

    I'm asking for two reasons. First, we are collecting ZT resources in the Zero Trust Research Hub. You might want to look there. Second, we formed 9 working groups in part to fill in the gaps. If you see a need, we can add it to the list of potential work items. Below are the links to a presentation and a webinar recording to learn more about the working groups. I co-chair two of the groups (Philosophy & Guiding Principles and Organizational Strategy & Governance).

    Meeting presentation: ZT Full WG Meeting 10-18-2022.pptx


    Meeting recording: cloudsecurityalliance.zoom.us/rec/share/...

    Passcode: ZeroTrust2022!

    The actual meeting starts about 13 minutes in.


    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 3.  RE: Zero Trust Planning and Guidance

    Posted Oct 26, 2022 11:26:00 AM
    GAO has put together a ZTA Buyer's guide. The link to the GSA page on ZTA is https://www.gsa.gov/technology/technology-products-services/it-security/zero-trust-and-gsa. You'll find the link to the buyer's guide, though I've uploaded it as well, and other sources.

    /Jayne



    ------------------------------
    Jayne Lytel
    Booz Allen Hamilton
    ------------------------------



  • 4.  RE: Zero Trust Planning and Guidance

    Posted Oct 27, 2022 08:47:00 AM

    One of the key things missing from a lot of these discussions is the managing of least privilege at various stages of a workload's maturity cycle. As we remove humans from the infrastructure throughout the maturity cycle, the threat model shifts, and so should the supporting infrastructure patterns in support of least privilege.



    ------------------------------
    Jonathan Flack
    ------------------------------



  • 5.  RE: Zero Trust Planning and Guidance

    Posted Oct 27, 2022 09:36:00 AM
    You ain't kiddin' @Jonathan Flack. I would go out on a limb and say MOST incidents would either go away or the blast radius would be greatly reduced if the concept of least privilege was enforced.


    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 6.  RE: Zero Trust Planning and Guidance

    Posted Oct 27, 2022 02:15:00 PM
    Edited by Jonathan Flack Oct 27, 2022 03:16:51 PM
    @Alex_Sharpe Yes, and few understand that Zero Trust is as much about the architecture of your platform, and how you manage the relationship between the workload resources and the IAM role bindings, in a way that supports optimal least privilege.

    An area of your architecture that still has humans in the console configuring resources will have a different threat model than fully mature workloads fully deployed using IaC, continuous deployment, and GitOps.  You need to design according to these, and other threat models, and land the workloads accordingly.

    This is the point I have to spend the most effort educating executives on.

    You design for least privilege, you don't bolt it on.

    In fact, you really can't achieve "least" privilege by bolting it on.  Confusion about this is why there's so much snake oil in the market today.
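As an added illustration of the point about workload resources and IAM role bindings (this is example code written for this thread, not anything from the posts above or from the CSA): the script below reads a GCP-style IAM policy document, the JSON shape that `gcloud projects get-iam-policy --format=json` returns, and flags the bindings that typically appear when access was bolted on rather than designed: basic roles (`roles/owner`, `roles/editor`, `roles/viewer`), public principals (`allUsers`, `allAuthenticatedUsers`), and individual `user:` members bound directly instead of through a group or a workload service account. The two policies, the project name and the e-mail addresses are constructed for the example; the role names are real GCP roles.

```python
"""Flag IAM role bindings that contradict least privilege (added example).

Assumes a GCP-style resource IAM policy:
    {"bindings": [{"role": str, "members": [str, ...]}, ...]}
The sample policies, project and addresses below are constructed.
"""
import json

# Basic ("primitive") roles grant broad, project-wide permissions. They are
# the usual footprint of access granted for convenience, not by design.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Special principals that make a binding public; never least privilege.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def check_policy(policy):
    """Return a list of (role, member, reason) findings for a policy dict."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "public principal"))
            if role in BASIC_ROLES:
                findings.append((role, member, "basic role instead of a scoped role"))
            if member.startswith("user:"):
                # Humans should come in through groups; workloads through
                # service accounts. A direct user binding is a console-era
                # pattern that has to be found and removed later.
                findings.append((role, member, "individual user bound directly"))
    return findings


def check_policy_json(text):
    """Same check over the raw JSON text produced by the gcloud CLI."""
    return check_policy(json.loads(text))


# Constructed "bolted-on" policy: a developer and a workload both hold Editor,
# and a bucket-reading role was opened to the world to make something work.
BOLTED_ON_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:[email protected]",
                     "serviceAccount:[email protected]"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
}

# Constructed "designed" policy: each workload identity holds only the scoped
# role it needs, and humans get read-only log access through a group.
DESIGNED_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:[email protected]"]},
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:[email protected]"]},
        {"role": "roles/logging.viewer",
         "members": ["group:[email protected]"]},
    ],
}


if __name__ == "__main__":
    for name, policy in (("bolted-on", BOLTED_ON_POLICY), ("designed", DESIGNED_POLICY)):
        print(f"== {name} policy ==")
        for role, member, reason in check_policy(policy) or [("-", "-", "no findings")]:
            print(f"{role:32} {member:48} {reason}")
```

Running it prints four findings for the bolted-on policy and none for the designed one; pointing `check_policy_json` at real `gcloud ... get-iam-policy --format=json` output gives a quick inventory of where a project still depends on humans-in-the-console bindings.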





  • 7.  RE: Zero Trust Planning and Guidance

    Posted Oct 28, 2022 09:37:00 AM

    The CSA is maintaining a curated list of key ZT resources (including these from DoD & NIST and others from CISA/NSTAC and others) on the Zero Trust Resource Hub on our online ZT Advancement Center at https://cloudsecurityalliance.org/zt/resources/.

    Please check out the page and let us know your thoughts and suggestions for future enhancements.

    If you are aware of any resources (articles, documents, books, recordings, etc.) that we don't have listed and you think we should add, then you can submit them for consideration using the link at the bottom of the page.



    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------



  • 8.  RE: Zero Trust Planning and Guidance

    Posted Oct 28, 2022 01:29:00 PM
    Thanks Erik! Much appreciated.

    ------------------------------
    Kristian Gonzalez
    Security Team
    IoT Home Lab
    [email protected]
    ------------------------------