Agreed Jason.
The industry does not understand that Zero Trust means denying access at the Network / Transport OSI layers before allowing access to the Presentation / Application layers because the industry does not want to give up all of the detection software that is making them money. Collectively, the industry is making a lot of money from putting in nets and traps after DNS, identity, and application services are opened. It does not want to rethink the problem of policy enforcement prior to allowing access past the network gateway. It does not want to interact with packets and network protocols.
That's why we have all been so adamant in our support for the Software Defined Perimeter network approach over the past 5 years that we've been talking about this problem, during innumerable working group meetings.
What does it take to change a mindset that is based on resistance to change, and reluctance to give up on past money spinners? A regulatory framework for all network communications, run by an independent international united nations of networks? Excluding Russia and China because they cannot be trusted to work for the common good? Putting caveats on countries that are known to do spyware on a grand scale?
I am worried we are in disaster change territory, where successful attacks are the only change motivation. That is our shared, collective, historical approach, from which we have failed to learn?
I do not have any answers at this point in time.
Best
Nya
Nya Alison Murray
Trac-Car Technology
UK +44 208133 9249
Australia +61 73040 1637
Switzerland +41 22548 1747
----------------------------------------
Original Message:
Sent: 6/29/2022 10:41:00 AM
From: Jason Garbis
Subject: RE: FedRamp Subnets - What They Are and Why They Matter
I'm glad to see the forward-looking section (page 6) - in particular their acknowledgement that CSPs' use of security groups and /32 subnet masks can effectively make each host act as an isolated subnet from a compliance perspective. This is well aligned with how a ZT implementation would likely approach this -- with each host isolated from one another, with access controlled by a ZT PEP, even though the hosts may reside within a numerical subnet.
However, they are not terribly flexible yet - as they state "until this future arrives, we will be looking for subnets as described above". This is representative of many of the compliance challenges I've seen - where compliance and auditors are backwards-looking, and can end up perpetuating outdated and ineffective security approaches in order to meet "checkbox compliance".
------------------------------
Jason Garbis, CISSP
Co-Chair, SDP Zero Trust Working Group
CPO, Appgate
------------------------------
Original Message:
Sent: Jun 29, 2022 05:43:54 AM
From: Nya Murray
Subject: FedRamp Subnets - What They Are and Why They Matter
Good to see easy-to-use guidelines to help network architects design secure deployments. Useful definition of what constitutes a public subnet.
------------------------------
Nya Murray
Director
Trac-Car
Original Message:
Sent: Jun 27, 2022 02:42:46 AM
From: Michael Roza
Subject: FedRamp Subnets - What They Are and Why They Matter
Hi All,
FedRAMP just recently published "Subnets - What They Are and Why They Matter".
This white paper is to help our stakeholders understand FedRAMP subnetwork (subnet) requirements. The paper covers what subnets are, why they matter, and the actions cloud service providers (CSPs) should take to ensure compliance.
@Daniele Catteddu
@Jason A. Garbis
------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------