Zero Trust


Recap: Business Value of Zero Trust working session (Nov 17)

  • 1.  Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 17, 2022 01:55:00 PM
    Hi folks - a quick recap from our working session this morning, Thursday, Nov 17

    Thanks everyone for your participation & engagement
    • Intros and welcome to new members
    • Recap of the Google group for this workstream
    • Quick review of the in-progress Business Value of Zero Trust whitepaper proposal:
      • https://docs.google.com/document/d/1s9OTHZxmv6SURkrq2lAP3Bp32WsHElHw9x-kWQvbGfw/edit?usp=share_link
      • Requesting final input before submission to the ZT steering committee
    • Interactive discussion, editing, and brainstorming on a draft set of personas to represent the direct and indirect target audience for the ZT working group assets
      • https://docs.google.com/spreadsheets/d/1SoI24cBYyubfFHf27KvQnrMDfNIWyTaO/edit?usp=share_link&ouid=105169721242682585015&rtpof=true&sd=true

    Work plan:
    • Finalize mini charter - Erik has asked for a second review via the new Google Groups. Jason to kick off by Nov 9. Posted / Open for final review through Nov 23
    • Personas - plan for next few working sessions to publish first version, for use across workstreams. Ongoing
    • Whitepaper proposal - by Nov 9 - complete and circulate for feedback & approval. Ready for final review / planned to send to steering committee Nov 23
    Today's meeting Recording Link: 
    https://cloudsecurityalliance.zoom.us/rec/share/vkuzKi8nHbNkpEBDWkOmHSCtP31RwUCZpazsy5Ar0IAOpiTDUFcu6NfoD2f-52uW.4EX4HAF7TweSF8Zx
    Passcode: Nt!4G=&A

    Our next workstream session is Thursday December 1 at 8pm ET

    Topics:
    1. Intros to new members
    2. Ongoing review and discussion of the reader personas
    3. Status / feedback on the whitepaper proposal


    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, Zero Trust Working Group
    CPO, Appgate
    Author: Zero Trust Security: An Enterprise Guide
    ------------------------------


  • 2.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 18, 2022 07:32:00 AM
    Edited by Paul Simmonds Nov 18, 2022 07:32:38 AM

    One plea from me; the use of the word "persona" in the way you are using it is incredibly misleading and confusing.

    Zero Trust is (almost certainly) incredibly reliant on Identity, and in the Identity space, "personas" have a very specific meaning, as a facet of a person's overall identity (normally exposed in a particular setting) - for example I might be happy to share my "work persona" with you (join of Entity:Person & Entity:Organization) but not my sexual-persuasion persona (and certainly not in certain parts of the world) - so there are huge intersections with trust, privacy and anonymity.

    Personas also spill over into the crypto world when it comes to one-way cryptographic joins between entities, giving a persona a unique cryptographic signature / key. These can then be used to prove signed assertions à la the W3C Verifiable Claims Data Model and Decentralized Identifiers (DIDs) - all of which will be used in ZT solutions.

    Bottom line: I understand why you are using the word, but can you choose a different word that makes the same point!



    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    CEO, Global Identity Foundation
    ------------------------------



  • 3.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 24, 2022 06:57:00 AM
    @Paul Simmonds, you have a habit of bringing up things that have been sticking in the back of my craw. We are having a similar issue with the word "policy".  The word "persona" has specific meanings in other disciplines like marketing and strategy as well. It seems to me, the problem we have is ZT is highly reliant on Identity so we cannot rely on context.

    Can you suggest some alternate terms? We have the same problem with "roles". Not sure if "stakeholders" does it.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 4.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 24, 2022 12:02:00 PM
    I'd suggest using "Business Role(s)" or "Functional Area"

    I've never heard of "personas" used in the context of business roles, and I've just floated it by a senior European HR Manager in Amazon, who says "occasionally" but not recently and not in common use.

    "Business Role" is also probably more descriptive to the first time reader.

    Paul

    ------------------------------
    Paul Simmonds
    Board, CSA UK Chapter
    Director, CSA (Europe) CIC
    CEO, Global Identity Foundation
    ------------------------------



  • 5.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 24, 2022 12:12:00 PM
    Another suggestion would be "stakeholder" as this could suggest that they should be considered as "having skin in the game" and that there are consequences both upsides and downsides with their engagement or lack thereof.

    Richard





  • 6.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 25, 2022 04:18:00 AM
    Thinking about it a little more, it seems the revenue-generating parts of an enterprise are more likely to use the term "persona". I hear it most when dealing with business units, marketing, and product managers. One of the media companies I dealt with recently adopted the term "avatars" to designate different types of content consumers. They continue to speak about different types of content creators as "personas."

    My initial thought is "Stakeholders" provides the most clarity and aligns with other work, which would foster adoption. When I get a moment, I will take a look at what others are doing.

    I suspect as we move through this, we are most likely going to look at the various players in terms of their motivation(s) and their role in getting a ZT project off the ground (e.g., approver, influencer, recommender).

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 7.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 29, 2022 07:49:00 AM
    I'd agree that Business Role seems more appropriate and intuitive for what we seem to be trying to accomplish with this activity/deliverable.
    That said, I've seen Persona used in several organizations in ways similar to what Jason and Chris are doing here. Whatever terminology we land on, I'm thinking we should document it and include it in the CSA Glossary. Persona isn't currently defined there, but it probably should be. Since it seems Identity-related, we should probably engage the IAM workgroup, similar to what we're doing for the Identity and Entity definitions.

    As Paul noted, they've defined it in his foundation's Glossary: Identity 3.0 Definitions.

    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------



  • 8.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 29, 2022 12:12:00 PM
    Good discussion. I've added this as a topic for our upcoming working session on Thursday at 8pm ET. 

    From my POV, I'd be happy with "Business Role" as an accurate description, and a way to avoid any confusion or overloading of the term "persona". But I'm open to other input on this as well.


    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, Zero Trust Working Group
    CPO, Appgate
    Author: Zero Trust Security: An Enterprise Guide
    ------------------------------



  • 9.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Dec 02, 2022 07:01:00 AM

    Sorry for missing last night's call. Unfortunately, I had two long days of back-to-back meetings and a family matter to deal with. Something had to give. Sorry for any inconvenience.

    I took an action to eyeball what others are doing. "Stakeholders" seems to be the de facto industry standard for what we are discussing. Screenshots attached.

    ISO 31000, entitled "Risk management - Guidelines", defines "Stakeholder" (and "Interested Party") as:

    "person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity"
    Note 1 to entry: The term "interested party" can be used as an alternative to "stakeholder".

    NIST is aligned with ISO
    Definition(s):

      Individual or organization having a right, share, claim, or interest in a system or in its possession of characteristics that meet their needs and expectations.
    Source(s):
    NIST SP 800-160 Vol. 1 from ISO/IEC/IEEE 15288

      Individual, team, organization, or classes thereof, having an interest in a system.
    Source(s):
    NIST SP 800-160 Vol. 1 under stakeholder (system) from ISO/IEC/IEEE 42010




    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 10.  RE: Recap: Business Value of Zero Trust working session (Nov 17)

    Posted Nov 24, 2022 05:39:00 AM
    Edited by Alex Sharpe Nov 24, 2022 06:52:30 AM
    @Jason A. Garbis the proposal for the white paper looks good. My only comment is this whitepaper fills a void in the existing body of knowledge. It would be good to highlight in the proposal.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------