Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session on March 24. We had a good discussion about the recent breach at Okta, and what it means in a Zero Trust system when an identity provider is compromised.
Meeting recording (mp4): https://drive.google.com/file/d/1NVWbC_922O0dPkBykbj6KICpCcVkkVcS/view?usp=sharing
Meeting notes:
- Okta breach – as a concept, not specifically about this vendor – talking about what it means when an Identity Provider is breached and untrustworthy
  - Someone with credentials (or an access token) is no longer trustworthy – authentication alone is no longer sufficient
  - Other security aspects that should be in play:
    - MFA – making passwords less valuable
      - What if the MFA provider is the same as the IAM provider? Then it is compromised as well. It could be beneficial to source MFA from a different provider than IAM.
      - Zero Trust can help facilitate this – as an integration point
    - Device posture check and validation
      - e.g. is there a corporate-issued certificate on the device?
  - Trust and interdependencies between systems
    - Does this reduce the trust/value of a Zero Trust system?
      - One perspective: yes
      - Another perspective: not realistic; enterprises have many interconnected systems that must be carried forward into Zero Trust
    - Third-party risk management
  - Logs as a source of information – from the IdP?
    - Transmit logs to a separate system rather than storing them locally
    - And/or encrypt/sign logs for integrity
  - Passwordless
    - Authentication via alternative mechanisms, plus attributes
    - ABAC – part of ZT
  - SSO from IdPs
    - A compromised IdP could create valid tokens for authentication into 3rd-party applications
    - How to defend against this?
      - Bring additional attributes (Zero Trust context) to the applications
      - An authentication token is only as good as the trust placed in the token and the certificate behind it
  - ZT – resiliency against a sophisticated attacker with credentials, spoofed geolocation, etc.
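As an added illustration of the "bring additional attributes" defense discussed above (example code written for these notes, not from the meeting or any vendor): a relying application that verifies the IdP token but also requires an enrolled device certificate fingerprint and a passing posture check, so a validly signed token from a compromised IdP is not sufficient on its own. The token format, signing key, fingerprints and posture fields are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the IdP's signing key (a real IdP signs asymmetrically;
# the relying party would hold only the public key).
IDP_KEY = b"constructed-idp-signing-key"
# Device inventory kept outside the IdP (e.g. an MDM export): user -> enrolled
# device certificate fingerprints. Constructed values.
ENROLLED_DEVICES = {"alice": {"sha256:1f2e3d"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes) -> str:
    """Compact HMAC-signed token, a simplified stand-in for an IdP-issued JWT."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > now else None


def authorize(token: str, device_fingerprint: str, posture: dict, now: float) -> tuple:
    """Authentication (IdP token) plus Zero Trust context (device identity + posture)."""
    claims = verify_token(token, IDP_KEY, now)
    if claims is None:
        return False, "token rejected"
    # A validly signed token is not enough: the device must be one we enrolled,
    # checked against data the IdP does not control.
    if device_fingerprint not in ENROLLED_DEVICES.get(claims.get("sub"), set()):
        return False, "device not enrolled for this user"
    if not (posture.get("disk_encrypted") and posture.get("os_patched")):
        return False, "device posture check failed"
    return True, "allowed"
```

The same token is accepted from the enrolled device and refused from an unknown one, which is the behaviour the notes ask for: the IdP's word is one input, not the whole decision.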
Zero Trust Maturity Model
- Quick final review of the DoD Maturity Model
Next Meeting:
Thursday April 7 at 8am ET / 12.00 UTC / 8pm China Standard Time / 1400 Central European Summer Time (CEST)
Topic: Walkthrough of CISA Zero Trust Maturity Model:
https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf
Meeting link to be provided within 24 hours of the meeting time.
Working Document:
https://docs.google.com/document/d/1DPKLBe9MkPnTMYaFYXY56arUI4FnVB5N/edit#