Following on from the interesting discussion generated by @boris taratine - that is, that there is no such thing as Zero Trust - it is a paradox, I'd like to propose that we develop a Foundation of Trust. This is not a new idea either. Back in 2000 I was consulting to the Australian Government on Identity Management, within the context of Certificate Authorities proposed as the basis for Identity Federation across organisations. Well, that did not happen. Identity Management drifted through LDAP to Single Sign On, while network security see-sawed through network and application layer VPN, to private MPLS, to shoring up TLS, while various tokens emerged such as IKE and SAML.

So why am I telling you this story? BECAUSE NONE OF IT WORKED FROM A SECURITY PERSPECTIVE. I adopted Albert Einstein as my mentor in high school. After all, he was a product of a Swiss education system that was in part founded by my Swiss ancestors. "We cannot solve our problems with the same thinking we used when we created them". The Parable of Quantum Insanity.
- It is impossible to authenticate every access from a Zero Trust perspective
- Current thinking is that we take a risk-based approach to allowing access to sensitive systems, particularly personal and financial data (because lucrative data is the target of cyber criminals as their motivation is money) and essential services such as energy, water and food logistics (for obvious reasons in a time of insane nationalism)

In parallel with the current thinking on 'Zero Trust', that we require a view of current and emerging technology paradigms for Identity, Device, Network, Application Workload and Data, and all the complex interactions and dependencies between those non-exclusive categories, which is being initiated by CSA, I propose the following:
Establishment of a Foundation of Trust, based on best practice AND least risk probability. The Foundation of Trust would be a practical demonstration of Use Case examples, using current and emerging technologies, with an analysis of classes of security vulnerabilities evinced by the demonstration deployment.
This would provide a quantification of risk probability, allowing an evaluation of classes of technology, with an associated matrix of characteristics best fit and lowest risk for securing information technology systems.
To me, this is the intelligent way to provide a Cybersecurity Maturity Matrix for information technology.
So I believe that we require a rigorous way to evaluate technology options based on real-world use cases, with a sliding scale of cost, ease of use and security risk, allowing for apt technology choices for public systems and highly classified systems alike.
This is the simple set of parameters that any architect requires to provide relevant recommendations in the context of business requirements to customers.
In my view, this requires an application of practical technology knowledge applied to cybersecurity risk, and the cost of implementing technology that accurately addresses risk, in view of mitigation actions should a breach occur.
This is what would improve the current situation of increasing risk, rising costs of data breaches, and increasingly insecure national power and food distribution systems.
Sent: Sep 20, 2022 05:40:45 PM
From: Nya Murray
Subject: Zero Trust Proof-of-Concept
@Philip Griffiths @Jun Yu thanks for your kind responses to my idea for a PoC and being willing to expose the results to public scrutiny. Actually it is not a new idea. With Juanita Koilpillai, as co-lead authors of the publication below, we proposed a proof-of-concept. Nobody took it up. So perhaps this is a chance to discuss. I am happy to set up an initial meeting next week. Software-Defined Perimeter (SDP) and Zero Trust | CSA
A Zero Trust implementation using Software-Defined Perimeter enables organizations to defend new variations of old attack methods that are constantly surfacing in existing network and infrastructure perimeter-centric networking models. Implementing SDP improves the security posture of businesses facing the challenge of continuously adapting to expanding attack surfaces that are increasingly more complex.