Zero Trust


Using Blockchain Technology to strengthen Zero Trust architectures

  • 1.  Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 18, 2022 01:46:00 PM
    Hi all,
    Thanks for the warm welcome.

    My day job involves leading the design and implementation of digital platforms and products, and ensuring they are operationally resilient, so since joining, I've been reading the posts on Zero Trust with real enthusiasm. 

    As more and more organisations explore blockchain technology beyond crypto use cases, and mission-critical distributed ledger networks go live, the value of a decentralised, trustless architecture framework is no longer in question. Researchers in certain sectors (finance, healthcare) are taking a hard look at the viability of merging zero trust principles and blockchain to address the risk of data breaches during offchain / onchain transactions.

    With the potential for blockchain to act as a secure and transparent ledger, a number of potential use cases have been cited for strengthening the Zero Trust ecosystem, but I'd be keen to hear of any previous thoughts on this.


    ------------------------------
    Denis Nwanshi
    Head of Digital Platforms
    Bank of England
    ------------------------------


  • 2.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 19, 2022 07:20:00 AM

    Hey Denis,

    Welcome to the community! I believe there is an overlap between Zero Trust and Blockchain indeed.

    I personally do work on a UK Government & industry-funded initiative called Digital Sandwich (https://www.digitalsandwich.co.uk/) which is building a blockchain-based system for food supply chain security and incorporates open source zero trust networking to make the system 'dark' and has a massively reduced attack surface while increasing visibility. I am also working with a university project which is building a Zero Trust intent-Based Networking and Blockchain-driven solution which uses the same open source zero trust networking technology - here is the presentation they will give at Linux One Summit in November - https://onesummit2022.sched.com/event/1Aafc.

    I would personally love to have some further chats on this. There may be others in the community too who would like to understand more.

    Regards
    Philip



    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 3.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 19, 2022 09:29:00 AM
    IMHO, it is hard to find a place where Zero Trust does not apply.  IAM and the last mile problem (i.e., connecting the digital and physical worlds) are the hardest problems when developing a Blockchain solution. I also sit on a regulatory and policy committee trying to address these issues for cryptocurrencies, Non-Fungible Tokens (NFT), and Digital Contracts. Establishing identity in a global, decentralized world is not easy. Common regulatory requirements like AML/KYC are not possible without it.

    Please keep me in mind if you decide to have further discussions.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 4.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 19, 2022 01:03:00 PM
    Hi Alex, it is definitely a great conversation to have regarding Blockchain and Zero Trust. I think it would be ideal to dig deeper into how blockchain protocols are using Zero Trust at the protocol layer; it may help the broader conversation.


    ------------------------------
    T. Devon D. Artis
    DevSecOps Engineer/Blockchain Security Researcher
    Divine Digital Transformation
    ------------------------------



  • 5.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 19, 2022 10:51:00 PM
    Hi all,

    Great to see there is interest (and real-world projects) addressing this important topic. The diverse use cases and examples cited (supply chain, intent based networking, NFTs, crypto, digital contracts, IDM, IOT) highlight the opportunity for converging blockchain and ZT technologies for improved security outcomes.

    At the same time, we know that in the absence of agreed international standards and lack of interoperability between the many blockchain protocols, scaling many of these decentralised network use cases will bring significant operational and maintainability risks.

    I agree that understanding how blockchain protocols are using ZT at the protocol layer warrants further exploration.

    With the onset of 5G network speed and scale, I also see value in devising a universal ZT security policy framework and standard technology mechanism that operates at the edge computing level and leverages the immutability and transparency attributes of blockchain.

    Keen to ensure this discussion fits within the parameters of the ZT working group scope and we stay on course for the key deliverables, so further view points / leadership oversight would be appreciated.


    PS. These are my opinions and do not in any way represent the views of my current or future enterprise clients.

    Thanks
    Denis

    ------------------------------
    Denis Nwanshi
    Head of Digital Platforms
    Bank of England
    ------------------------------



  • 6.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 20, 2022 10:48:00 AM

    Hi Denis, all,

    Both the application of Blockchain to support ZT and the use of ZT to further secure Blockchain raise interesting use cases.

    In the case of the former I responded on Draft NISTIR 8403 - Blockchain for Access Control Systems https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8403-draft.pdf earlier this year that was positing how Blockchain could be used as a transport mechanism for Access Control Policy.   The paper highlighted a number of challenges to be resolved, the most pressing (for me, and highlighted also by Denis) being interoperability of policy across both different technologies and geographies.   Not because this is an issue specific to a blockchain based solution, but because it is true for all multi-vendor/ multi-tech ZT solutions and the architectures that inform them.

    It has also uncovered that we need ZT to secure ZT.   We often discuss the use of ZT security in the data plane, but as the discussion in this thread is uncovering, there is a need for ZT in the control plane of the multi-vendor / multi-party architectures; as we evolve more complex interoperable solutions, this needs to be explicitly discussed in any operational architecture.  I would therefore agree that BC based systems (and interop with Non BC systems) should also be within the scope of any architecture discussion.   The challenge for the group is to find the appropriate blend of interoperability, resilience and performance for multiple levels of customer maturity and to support their respective roadmaps.


    Regards

    Richard Baker

    Security Innovation Architect


  • 7.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 21, 2022 05:52:00 AM
    Good thread.

    This is not the first time Blockchain has been looked at for policy distribution and enforcement. As far back as the 90s, DARPA briefly considered blockchain as part of research into automated policy enforcement. It was quickly decided it was like using a cannon to kill a flea. Something more lightweight was better suited. Not sure that has changed, except for larger, highly distributed implementations. Would love to know your thoughts.

    When you think about it, ZT is a paradigm not all that different than Separation of Duties (SOD) and the Concept of Least Privilege. To your point, the masses often forget the infrastructure providing (and enforcing) ZT also needs to be secured. Frankly, if I was going to attack a system I would explore ways of subverting the access controls. The digital version of bribing the guards.

    What is your short list of challenges to be resolved?

    You mention the last mile problem (i.e., connecting the digital and physical worlds). That is always one of the top two problems for any blockchain-based system.

    BTW, the balances you point out are spot on. "...challenge for the group is to find the appropriate blend of interoperability, resilience and performance for multiple levels of customer maturity and to support their respective roadmaps."  That is the traditional systems engineering problem.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 8.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 21, 2022 08:08:00 AM
    Edited by Philip Griffiths Oct 28, 2022 05:36:58 AM

    I believe aspects of the last mile problem (i.e., connecting the digital and physical worlds) can be solved by using concepts from a Hardware-Based Zero Trust Supplicant (O'Reilly, Zero Trust Networks, pg.140 - https://itjumpstart.files.wordpress.com/2019/02/zerotrust.pdf ). This allows you to build an authentication proxy which terminates the zero trust relationship and forwards the connection to the legacy host. While this was merely an "interesting thought experiment" in 2017, it's completely possible today using a low-cost device carrying a TPM chip (under $100) combined with an identity-driven overlay network built on ZT principles such as OpenZiti.



    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 9.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 21, 2022 08:40:00 AM
    Kinda like a Zero Trust appliance?

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 10.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 21, 2022 11:17:00 AM
    Yeah, sort of. To quote the book, "it is desirable to push the zero trust termination point as close to the device as possible.... [that] device can act as a zero trust supplicant, carrying a TPM chip, and plug directly into a legacy device's Ethernet port. Pairing the two in your inventory management system can allow for seamless integration between legacy devices and a zero trust network". This is why an identity-driven overlay is vital where the TPM provides an unspoofable HW-based strong identity which gets consumed into the overlay (likely between the HW CA and the CA of the overlay via external JWT signing).

    Alongside much stronger security, this has another added benefit of zero touch deployment of the device. The endpoint consumes the local identity, calls to the zero trust network overlay control plane, presents itself and gets onboarded and configured with services which have been defined.

    I have customers who do this today with both our SaaS platform and the open source version.

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 11.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 23, 2022 04:24:00 AM
    I forgot to add @Alex Sharpe, if the physical world (e.g., manufacturing machines) is running local applications (e.g., SCADA) then we have the ability, instead of using a Hardware-Based Zero Trust Supplicant, to embed Zero Trust connectivity directly into the application (i.e., SCADA) that is running on or next to the physical machine - this would be layer 1/2 in the Purdue OT model if you are familiar.


    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 12.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 23, 2022 07:59:00 AM
    Interesting thoughts, Philip. Thank you for bringing up the Purdue OT model. I forgot about it. Good reminder.

    Coincidentally, earlier this morning I reached out to one of the Purdue faculty on another matter.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 13.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 04:16:00 AM
    @Alex Sharpe @Philip Griffiths @boris taratine @Jun Yu I have worked in depth on a Connected Car deployment in the past.  Quite honestly, I think we are kidding ourselves that framework layers to industrial control systems are impervious borders.  They are not.  The deeper one looks at a connected vehicle, for example, the more mouseholes one can find. Firewalls, encrypted networks, session and transport protocols, data services, network boundaries, encryption, secrets, identity credentials, are often porous; none is able to be controlled completely.

    Back to the discussion point that it is about assessing the risk potential of any boundary.  And the requirement to choose high risk boundaries to authenticate and authorise, medium risk to authorise, and only presume security for public or low risk data.  Jun Yu and co are right, it is about protecting data.  And given that the whole boiling, the whole virtual stack above chips and metal is information, it is not just business data, it is technology data, all of it.

    Don't forget that the network IS data.

    I think the biggest Zero Trust fairy tale is being told by the vendors/suppliers of ZT technology.  Boris is correct about the common use of the term Zero Trust applied to technology, that is THE paradox.  Yet such is the level of ignorance of how the entire holistic technology landscape works, companies are continuing to flog their glasshouse holey products as ZT.  Emperor's New Clothes springs to mind.

    I don't think I've read such a hotch potch of fake fantasy marketing bs as the pitches around ZT credentials of technology products, and that includes major players.  The network people forget about data and identity.  The application people are ignorant of network and cross network communications. The identity people take a thin slice of function then forget about the application context.

    Has not anyone any sense?  You cannot proclaim ZT without a shred of proof.  This is like science without demonstration, or some of the wackier astronomical paradigms that are never able to be proved.  Just call something Zero Trust, and kerching.  That seems to be the philosophy.  And who is laughing all the way to the bank?  The global crime bosses, and the autocratic regimes who are spying on democratic governments.

    Wake up everyone.  Zero Trust is about cleverly determining where to place effort to reduce risk, and taking a holistic approach to identity of services that span devices, networks, applications and data collections.

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 14.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 05:43:00 AM

    Last year, we did some work on building an autonomous car blueprint that incorporated some zero trust principles using open source together with Arm and Capgemini. This enabled us to embed private networking into applications in vehicles using strong identity from silicon. We didn't go into the realm of data zero trust, but it could be layered on top. This is the blueprint - https://capgemini-engineering.com/us/en/insight/converging-on-a-zero-trust-blueprint/

    Funny thing. Capgemini decided to use AWS Greengrass to do edge processing in-vehicle. We released the paper in Nov for Re-Invent. Did you know AWS Greengrass is written in Java and uses Log4J? Luckily, our architecture cannot be exploited from the external network so Log4Shell could not be exploited - https://netfoundry.io/protecting-aws-greengrass-iot-solutions-from-log4j/.

    As you say @Nya Murray, Zero Trust is about cleverly determining where to place effort to reduce risk, and taking a holistic approach to identity of services that span devices, networks, applications and data collections.



    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 15.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 07:20:00 AM
    Slick marketing, Philip :)  CG is good at that!  Not a lot of detail, but some OK high level analysis. Yes well connected vehicles sounds like a good use case to me.  The risks are clearly to life and limb.  Indirect vulnerabilities are a scourge.  No Log4J in Verviam, either :)  And yes, data can be exploited across large attack surfaces where services cross network boundaries and application workload providers.  My best go-to source to check for risk is to rope bridge back from the statistically prevalent source of data breaches.  IBM commissions an annual report that identifies risk pretty comprehensively.  https://www.ibm.com/uk-en/security/data-breach

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 16.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 07:45:00 AM
    OK that is impressive Philip.  Vulnerabilities protected at the point of access. This is part of the SDP Zero Trust approach.  And then the only question is how to authenticate and then authorise prior to access.  Yes you are right, inheriting secondary vulnerabilities is the biggest problem around today.  Because it is difficult to find, analyse and understand the architecture and design of the components of any subsystem from reverse engineering and logic.  Who would have thought AWS Greengrass to be written in Java with a Log4J dependency? Well, I would be suspicious.  Anything that lies above the network line has to be the subject of scrutiny.  @Philip Griffiths  - I think I am trying to make the point that one cannot rely on vendor literature to understand the inherent vulnerabilities or lack of, and it is hard to get hold of any meaningful technical documentation these days.  What is the point of looking holistically at an insecure global environment when money is the goal, not cybersecurity?  Sigh, must be Friday afternoon if I am asking rhetorical questions. Bon Weekend all.

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 17.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 09:01:00 AM
    100%, 'how to authenticate and then authorise prior to access' is a very important question. We use x509 public/private cryptography using JWTs and a process called bootstrapping trust (5-part blog - https://ziti.dev/blog/bootstrapping-trust-part-1-encryption-everywhere/). We also have the ability to work with external systems of identity, e.g., in the whitepaper we used Parsec, which is an open-source project from Arm to abstract any hardware or software identity via PKCS11. We have also recently implemented 3rd party signers, e.g., SPIFFE/SPIRE, to provide the workload identity via JWT.

    I would agree that in general, vendor literature is almost pointless. Some is almost impossible to get technical details on, with very little comparison information. In fact, I am working on this right now with some of our team to help our community and people who want to understand.

    Likewise, it's why we open sourced the technology. We want to make the world a more simple and secure place by default.

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 18.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 09:00:00 AM
    I could not agree more with Nya.

    ------------------------------
    Jonathan Flack Managing Director, ACM, CNCF, CSA
    ------------------------------



  • 19.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 03:53:00 AM
    Hi Philip, broken link to the Hardware-Based Zero Trust Supplicant pdf. Do you have another?

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 20.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 05:36:00 AM
    CSA was including ) in the link... this should work and updated the previous too - https://itjumpstart.files.wordpress.com/2019/02/zerotrust.pdf

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 21.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 03:13:00 AM
    Hi Richard

    Re requiring ZT to control ZT, I agree, this is the nub of the matter.  So what controls the controller, because clearly this is the dangerous single point of failure.  My thought has always been that if I were a state-funded hacking organisation, I would set up a controller, either SDP or ZT, and mirror the data flows. :)

    That is why I have focused on demonstrably independent identity management as the way to mitigate the risk of hostile control of the control plane.

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 22.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 04:19:00 AM
    Nya,   I can agree that management of identity needs to be independent of both the data and control planes, but what is also missing in the discussion is the management of access policy.   In many cases access policy and authorisation is seen as an extension of the identity of the individual; this, I believe, is an error in thinking.  Access Policy needs to be managed independently by the organisation/ business that has ultimate responsibility for the org operations and outcomes.

    So while an organisation might draw upon multiple ID (and supporting attributes) sources (its own employees, partners, external consumer ID etc) it is the responsibility of that organisation to govern that access policy and to ensure it is aligned to the business and regulatory needs and published in a consistent way across an organisation's infrastructure.   The idea that policy or identity can be managed more appropriately using blockchain to provide distributed management is fallacious and will make demonstration of coherent corporate governance impractical.

    Therefore like a number of people on this thread I remain a blockchain skeptic. 

    Richard

    ------------------------------
    Richard Baker
    Security Innovation Consultant
    Independent
    ------------------------------



  • 23.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 05:56:00 AM
    Richard,

    We already see this with some CSPs like Google Cloud, where Identity and IAM are purposefully independent services, and this concept is fundamental when your requirements include an SDP.

    But one of the other key reasons is that role bindings should be a component of your infrastructure, and maintained with state, so that you can continuously evaluate that state for drift.

    If you adhere at all to the philosophy as articulated by John Kindervag, securing the protect surface at a resource level is a bespoke undertaking.  This means that the role bindings can be logically and specifically associated with the resources they control access to.

    ------------------------------
    Jonathan Flack Managing Director, ACM, CNCF, CSA
    ------------------------------
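The drift check Jonathan describes (role bindings kept as declared infrastructure state and continuously compared with what is actually deployed, scoped per resource) as an added example; this is not code from the thread or from any cloud provider. The binding shape `resource -> role -> members`, the sample role and member names, and the set of roles treated as privileged are all constructed assumptions.

```python
"""Role-binding drift detection: declared state (e.g. from IaC) versus an observed
snapshot, per resource. Added example with constructed data; not any vendor's code."""
from typing import Dict, List, Set, Tuple

# A binding is identified by the triple (resource, role, member).
Binding = Tuple[str, str, str]

# Assumption: roles that warrant a high-severity finding when granted unexpectedly.
PRIVILEGED_ROLES = {"roles/owner", "roles/iam.securityAdmin"}
# Assumption: member principals that mean "anyone"; an unexpected grant to these is critical.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def flatten(bindings: Dict[str, Dict[str, List[str]]]) -> Set[Binding]:
    """Turn {resource: {role: [members]}} into a set of (resource, role, member) triples."""
    return {
        (resource, role, member)
        for resource, roles in bindings.items()
        for role, members in roles.items()
        for member in members
    }


def severity(role: str, member: str) -> str:
    if member in PUBLIC_PRINCIPALS:
        return "critical"
    if role in PRIVILEGED_ROLES:
        return "high"
    return "medium"


def detect_drift(declared: Dict, observed: Dict) -> List[dict]:
    """Return findings for bindings present only in observed state (unexpected grants,
    the privilege-escalation direction) and only in declared state (missing bindings,
    which usually mean a broken deployment rather than a compromise)."""
    want, have = flatten(declared), flatten(observed)
    findings = []
    for resource, role, member in sorted(have - want):
        findings.append({"type": "unexpected_grant", "resource": resource, "role": role,
                         "member": member, "severity": severity(role, member)})
    for resource, role, member in sorted(want - have):
        findings.append({"type": "missing_binding", "resource": resource, "role": role,
                         "member": member, "severity": "low"})
    return findings


# Constructed sample: what the repository declares versus what the API reports.
DECLARED = {
    "projects/demo": {"roles/owner": ["group:platform-admins@example.com"]},
    "projects/demo/buckets/telemetry": {
        "roles/storage.objectViewer": ["serviceAccount:ingest@demo", "user:joe@example.com"],
    },
}
OBSERVED = {
    "projects/demo": {"roles/owner": ["group:platform-admins@example.com",
                                      "user:contractor@example.com"]},
    "projects/demo/buckets/telemetry": {
        "roles/storage.objectViewer": ["serviceAccount:ingest@demo"],
        "roles/storage.admin": ["user:contractor@example.com"],
    },
}


def sample_findings() -> List[dict]:
    return detect_drift(DECLARED, OBSERVED)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['severity']:8} {f['type']:16} {f['resource']} {f['role']} {f['member']}")
```
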



  • 24.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 07:03:00 AM
    AWS has the same approach, Jonathan -  IAM independently applied as policy to role to access.  And role can be attached to any service.  I think that people still confuse personal identity with identity as it's applied to IT systems, which is basically an access claim, could be an automated device or application access, equally there could be a button press by a person, but in essence it is a service that allows/denies access based on policy info, credentials, and I would like to see a risk profile added there. 

    Request access > provide/prove identity claim > request further authentication (e.g. MFA, TOTP) > validate claim with service policy/policies > open the gateway > review access on a periodic basis.

    What I dislike about Google is their uber reliance on behavioural characteristics, and their review period being so annoyingly short. I am extremely annoyed at having to type in my Google credentials multiple times every day on my devices.  Because their poor management means that people save their credentials on their devices so they are not being annoyed by Google so often.  And I am not sure they don't leak credentials in transit. 

    Also we are missing the taking of responsibility by organisations of systems review of passwords/ secrets/ token rotation.  Internal resources tend to take the marketing hype of their identity supplier as gospel. 

    Blockchain is useful as a primary definition of trust on creation.  For heaven's sake, I am often tempted to change the term Zero Trust because of its negative linguistic and NLP connotations for the term Foundation of Trust.  Last time I looked, we are all individuals who are part of the collective Gestalt (human identity) dealing with a common Zeitgeist (the meaning of the life and times).  Why are we lacking the fundamental social skills to identify what can be trusted and what cannot?  I'd say we have a collective disorder and we are stopping ourselves from experiencing our potential.   I bet this gets a few defensive responses out of the woodwork :) :) :)

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------
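The access flow Nya lays out above (prove the identity claim, step up to MFA/TOTP, validate against service policy, open the gateway, review periodically) with the risk profile she asks for folded in, as an added example; it is not code from the thread or from any vendor mentioned in it. The risk weights, thresholds, the daily review period and the sample subjects and resources are constructed assumptions, and verification of the identity claim itself (for example a JWT signature check) is assumed to have happened upstream.

```python
"""Policy decision for one access request: identity claim -> risk score -> step-up -> policy.
Added example with constructed weights and data; not any product's decision logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: access is re-reviewed once per day.
REVIEW_PERIOD = timedelta(hours=24)


@dataclass(frozen=True)
class AccessRequest:
    subject: str           # the entity presenting the claim: person, device or application
    resource: str
    action: str
    claim_verified: bool   # identity claim already cryptographically verified upstream
    mfa_passed: bool       # second factor (MFA/TOTP) completed for this session
    device_managed: bool   # request comes from an inventoried, managed device
    new_location: bool     # network location not previously seen for this subject
    last_review: datetime  # when this subject's access was last (re)validated


@dataclass(frozen=True)
class ServicePolicy:
    resource: str
    allowed: dict          # action -> set of subjects permitted to perform it
    step_up_threshold: int  # risk score at or above which MFA becomes mandatory
    deny_threshold: int     # risk score at or above which access is refused outright


def risk_score(req: AccessRequest, now: datetime) -> int:
    """Additive risk profile; the weights are illustrative assumptions."""
    score = 0
    if not req.device_managed:
        score += 40
    if req.new_location:
        score += 30
    if now - req.last_review > REVIEW_PERIOD:
        score += 20  # stale review: trust decays until the subject is re-validated
    return score


def decide(req: AccessRequest, policy: ServicePolicy, now: datetime) -> tuple:
    """Return (decision, reason); decision is 'deny', 'step_up' or 'allow'."""
    # 1. prove the identity claim
    if not req.claim_verified:
        return ("deny", "identity claim could not be verified")
    # 2. validate the claim against the service policy (resource, action, subject)
    if req.resource != policy.resource:
        return ("deny", "policy does not cover this resource")
    if req.subject not in policy.allowed.get(req.action, set()):
        return ("deny", f"{req.subject} is not permitted to {req.action} {req.resource}")
    # 3. fold the risk profile into the decision
    score = risk_score(req, now)
    if score >= policy.deny_threshold:
        return ("deny", f"risk score {score} exceeds deny threshold")
    # 4. request further authentication when the risk warrants it
    if score >= policy.step_up_threshold and not req.mfa_passed:
        return ("step_up", f"risk score {score} requires MFA/TOTP")
    # 5. open the gateway; the caller schedules the periodic review
    return ("allow", f"risk score {score}; next review due {now + REVIEW_PERIOD:%Y-%m-%d %H:%M}Z")


# Constructed sample policy and request set for a hypothetical telemetry service.
POLICY = ServicePolicy(
    resource="telemetry-api",
    allowed={"read": {"joe", "sensor-17"}, "write": {"sensor-17"}},
    step_up_threshold=30,
    deny_threshold=80,
)
NOW = datetime(2022, 11, 1, 12, 0, tzinfo=timezone.utc)


def sample_decisions() -> list:
    """Run four representative requests and return their decisions in order."""
    fresh = NOW - timedelta(hours=2)
    stale = NOW - timedelta(days=3)
    cases = [
        # managed device, known location, recent review, no MFA yet: score 0 -> allow
        AccessRequest("joe", "telemetry-api", "read", True, False, True, False, fresh),
        # same subject from a new location without MFA: score 30 -> step-up
        AccessRequest("joe", "telemetry-api", "read", True, False, True, True, fresh),
        # unmanaged device, new location, stale review: score 90 -> deny even with MFA
        AccessRequest("joe", "telemetry-api", "read", True, True, False, True, stale),
        # valid claim and low risk, but the action is outside policy -> deny
        AccessRequest("joe", "telemetry-api", "write", True, True, True, False, fresh),
    ]
    return [decide(case, POLICY, NOW)[0] for case in cases]


if __name__ == "__main__":
    for decision in sample_decisions():
        print(decision)
```
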



  • 25.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 07:44:00 AM

    Nya,

    I agree with your thinking in a number of areas, in particular how we manage trust and risk.    So many times in zero trust discussions we still seem to get back to a black and white view of the security world.   Whereas what I think you are saying is that we have to balance trust and risk depending on who we are dealing with and what is at stake.  This seems to be a conversation that is often lost in our discussions.

    If we had to live our lives trusting no one, i.e. no assumed trust at the start of EVERY transaction, life would get VERY expensive and consume a great deal of energy.  That is one reason why we have professional and business standards to provide short cuts / signals.

    So part of the challenge that we have as security professionals is to help users and organisations negotiate a new set of technical and social cues.  But at the same time, as technologists, we should not make their life so frustrating that they refuse to engage or actively circumvent the technologies provided.  Yet we need to provide meaningful signals/ friction to challenge the user to pay attention to a higher level of risk.

    As for a better name for Zero Trust – I would suggest "Dynamic Trust" as a qualification when discussing with users/ organisations as this reflects what we have to do in human interactions.

    Richard


  • 26.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 09:35:00 AM
    Hi Richard

    Dynamic Trust is a great name. In fact what keeps me up at night is that without being deeply technical, deeply business, and having been around since the year dot, how on earth does the average security punter know what to trust and what not to. 

    There are so many protocols that claim to be secure, that I think are insecure.  And I do validate my thinking by trawling the vulnerability reports.  e.g. TLS 1.2, certificates and handshake,  NOT secure alone or with mTLS - plenty of exploits in the wild. Network protocols IPSec, client VPN, NOT secure alone.  Plenty of evidence for innovative exploits and old exploits being reused.  OAuth 2.0  NOT secure, ways to renegotiate handshakes, lots of pilot error in implementation - complex, and originally for developers to trust IdP like Google, not having to roll their own.  On premises data centre network firewalls and security groups.  NOT secure only, plenty of bypasses, particularly in organisations with legacy applications, new and old network escape routes are being exploited.

    What is the lesson here?????  Once you build communication protocols without security as part of the design principles, it is impossible to close all the loopholes.  And we are talking 1990s protocols, when userID and password was secure enough.

    So, am I big on trust?  No.  I constantly use my 25 years experience to evaluate each service, each network hop, each authentication, each authorisation for vulnerabilities.  And so my philosophy is to make it really difficult to hack my applications. The simplest way to do this, is to encrypt the data at the field level prior to transit.  So the only person who sees the data, owns the data.  And use as many security methods such as firewalls, security groups, keep TLS up to date, Perfect Forward Security, add a client VPN, double-check identity JWT tokens, evaluate the trust horizon of all end users (persons, applications and devices) for risk, and if there is risk, encrypt the payload. Make Multi Factor Authentication as secure as possible, then only require once per day sign in, because the JWT is auto rotated daily, therefore trusting that devices can stay secure for a day before requiring another sign in (much less tedious than Google).  Unless of course I was designing a solution for the Ukrainian armed forces to communicate their drone targets, then I would autorotate JWTs every hour, or every 10 minutes if I knew there were Russian hackers on my trail.  (Russians and Ukrainians are all pretty good at mathematical algorithms, and analysing security posture).

    So in fact I despair at getting the security services buyer to understand much of this.  They will be repeating what someone told them about Active Directory, or Ping or Okta, which would have been the positive spin on their security measures, which I personally think are insufficient because they've been broken.  I also get a lot of stuff from IBM X-Force as well as CVEs.  

    So a Zero Trust governance mechanism, could not come at a better time.  And yet do we really understand the deployment context well enough to provide advice?  That is why a few of us are privately setting up a ZT PoC, complete with design principles in the context of a couple of standard Use Cases.  We'll publish to this circle when we have something to show, and certainly share the set of practical ZT design principles we come up with.  

    We have to start somewhere, because Identity Fraud is so easy for criminal rings, because most organisations are very careless with private data of customers and employees.  This opinion is based on experience with a number of customers over the past 5 years, which I consider to be the most dangerous for cybersecurity.  And it's not going to get better by itself, because hackers are much better paid than we are. 

    BTW, really enjoying reading everyone's POV because I really think we are putting some issues on the table here. 

    Best

    Nya

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 27.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 10:58:00 AM
    Edited by Jonathan Flack Nov 01, 2022 11:00:13 AM
    Identity is an assertion.  If Joe is authenticated, I can make an assumption that Joe is the source of packets on the network, but there is some question as to how much certainty I should have (even if that certainty is reinforced with other heuristics); certainty can be elusive.

    Example, Joe has a gun to his head. Joe is no longer authenticated, the person with the gun is.  That is the person putting packets on the network at this point.

    That gun may not always be literal, but it is a gun nonetheless.

    ------------------------------
    Jonathan Flack Managing Director, ACM, CNCF, CSA
    ------------------------------



  • 28.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 11:28:00 AM
    I'm going to split hairs in an attempt to provide some clarity:

    Identity is an assertion.
    No; facets of an identity can be asserted

    If Joe is authenticated,
    No, this is not binary, Joe should be authenticated to a known level of trust by understanding the level of immutability between Joe and whatever he is using.

    I can make an assumption that Joe is the source of packets on the network,
    No, you should end up with a probability (a risk-score) that Joe is actually Joe

    and actually, assuming anonymity and the Turing test, this should be "the entity" not Joe, because Joe is actually just a name attribute of an entity - and should be irrelevant for most transactions.

    See, told you I was going to split hairs ......

    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------



  • 29.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 11:54:00 AM
    It is my belief that John Kindervag, who pioneered the concepts embodied in the practice area we call Zero Trust (and I believe coined the original phrase) would vehemently disagree with you.

    There is a deep volume of writings by both John and his co-contributors that may be worth reviewing, specifically on this topic.


    ------------------------------
    Jonathan Flack Managing Director, ACM, CNCF, CSA
    ------------------------------



  • 30.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 07:16:00 AM

    Jonathan

     

    So I agree there are a number of CSP and other vendors who have separated Identity and Role, but there are still vendors who, while they have externalised identity, still have embedded role and policy binding to their particular controls for a specific PEP technology.   

     

    I would argue that as part of an evolving maturity for organisations on a ZT  journey they should look for vendors that enable policy "design" to be externalised outside the context of a specific technology control, so that a consistent business policy/ intent can be interpreted and applied to the different control technologies (PEP) at different points in the communication path.

     

    If security or applications operations teams are required to specify policy in the context of each specific control technology in the communications path we will be creating (in the increased complexity) more opportunities for malicious actors to get through the "cracks" in the policy sets.

     

    I suspect this is one of those discussions that is best progressed over a couple of beers....

     

    Richard






  • 31.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 23, 2022 02:44:00 PM
    Edited by Jason A. Garbis Oct 23, 2022 02:44:12 PM
    Philip, thanks for the link to the abstract for the Intent-Based Networking presentation. I'd like to see that actual presentation - could you ask these researchers - since you are collaborating with them - if they'd be willing to present on this topic to the Zero Trust working group? I'd be keen to see this, and ask some questions, and I'm sure that many others on this list would likewise enjoy that.

    In terms of the Digital Sandwich initiative, that also looks interesting - I am a bit of a Blockchain skeptic, but the inherently cross-organizational nature of the food supply chain may well be a good fit for the decentralized aspect of the blockchain. Do let us know as this project proceeds, and when there is more information beyond the abstract. 

    regards
    Jason

    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, Zero Trust Working Group
    CPO, Appgate
    Author: Zero Trust Security: An Enterprise Guide
    ------------------------------



  • 32.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 24, 2022 03:51:00 AM
    Edited by Philip Griffiths Oct 24, 2022 03:51:13 AM
    Hey Jason,

    Sure thing, I will ask if we can organise that presentation with the research team.

    What is nice about both examples (in my opinion) is that one (Intent Based Networking) is focused on using BC within the administration of a zero trust overlay network while the other (Digital Sandwich) is about protecting BC resources, nodes and external communications to non-BC resources and cyber-physical systems using ZT and SDP.

    The Digital Sandwich project ends early next year with a demonstrator and will share more on it when ready.

    Regards
    Philip

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 33.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 26, 2022 03:51:00 AM
    Excellent idea, Jason. I would like to learn more about both examples.

    I am a big fan of Blockchain and its power. Unfortunately, it has a bad rep from well-intentioned efforts trying to use Blockchain where it should have never been applied. Kinda like killing a flea with a cannon. It takes out the dog as well. It also has a bad rep from its widespread adoption in illicit activities like Ransomware.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 34.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 27, 2022 02:45:00 AM
    Hey all,

    @Jason A. Garbis @Alex Sharpe, I have spoken to the Intent-Based Networking team, and they are happy to present after the Linux ONE Summit (Nov 15-16). In the same presentation, I can give a brief overview of Digital Sandwich (and then have a more in-depth one if desired, early next year).

    Do you want to propose some dates for this in late Nov? Note, the team are based in South Korea, we have thus been picking times in the past which are early US East morning (e.g., 7am).

    Regards
    Philip

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 35.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 27, 2022 04:17:00 AM
    Excellent. However, @Jason A. Garbis wants to handle it. He had an excellent suggestion. I just jumped in to endorse.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 36.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 27, 2022 08:21:00 AM
    Hi Alex et al

    I have been watching this post unfold with interest.  As we all know, it is performance that inhibits blockchain deployments, and the difficulty to find a data breach by an independent audit (complexity), and the latency involved in, as you say Alex, misapplication. 

    I wrote this white paper a few years ago, with the realization that the right time to apply blockchain is an instantiation, that is creation time.  This would provide a legal ownership trail of an asset, rather than a cybersecurity trail, which is well handled by cloud security measures. https://www.researchgate.net/publication/364807024_Data_Identity_Security_with_Blockchain
    Here is a picture of my Identity Management with Blockchain UML Model - if anyone is interested, get in touch. 




    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 37.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 27, 2022 08:43:00 AM
    Funny Nya, I think you are well describing how Jeju University has implemented blockchain with ZT for their Intent-Based Networking solution.

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 38.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 27, 2022 09:42:00 AM
    Thank you, Nya. I look forward to digging in.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 39.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 27, 2022 11:03:00 AM

    Hi team,

     

    On the convergence of blockchain and zero trust, as well as a blockchain-enabled intrusion detection and prevention prototype within ZTA and based on Hyperledger fabric, you might find more information here and here.

     

    Moreover, indeed performance of blockchain ecosystems is an issue. The same was verified through our lab/prototype experiments. However, we are currently using the policy enforcement point (PEP) of a ZT alongside a novel query handling strategy to significantly boost performance and solve the bottleneck in the mentioned use case.

     

    Kind regards,






  • 40.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 08:23:00 AM
    There's a lot going on in this thread.  All good.

    Going back to the connected vehicles for a second, there is some really good work going on in this space including the FBI, the Auto-ISAC, and the National Motor Freight Traffic Association, Inc. (NMFTA). The Automotive Sector Working Group has a nice collection of presentations on security and EV infrastructure. It is TLP-Green so I am not comfortable posting on a public forum. Anyone who wants a copy, just email me at [email protected]

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 41.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 09:29:00 AM
    Thanks @Charalampos Alevizos, would be great to have you in the session we set up on blockchain and ZT to have your opinions and experience as part of the discussion.


    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 42.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 10:00:00 AM
    Circulating back to the topic of Blockchain performance and the like. Are we really talking about the use of Digital Signatures to provide non-repudiation, message integrity, and the like, not a Blockchain?  Blockchain connects links of blocks using what amounts to digital signatures to create an immutable ledger with all of the characteristics that come with Digital Signatures. If not, what blocks are being linked and what is the purpose of the immutable ledger?

    BTW, let's not forget, Blockchain was never designed for anything that amounts to high volume transaction processing as alluded to in parts of the thread. If that is what is being done, you would need to so overpower the system it would not make sense. It is kinda like entering a truck into an F1 race and complaining about being lapped by the other racers.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------
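    The distinction Alex draws above (a hash-linked ledger versus digital signatures for non-repudiation), as an added example in Go that is not code from this thread or from any product named in it. Each record is Ed25519-signed and each block hashes its predecessor; VerifyChain checks only the hash links and is fooled by a custodian who rewrites a payload and re-hashes the whole chain, while VerifySignatures still catches the change. All type and function names, the demo key seed and the sample payloads are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one signed record; the signature covers the author's key and payload.
type Entry struct {
	Author    ed25519.PublicKey
	Payload   string
	Signature []byte
}

// Block links one entry to the hash of the block before it.
type Block struct {
	PrevHash string
	Entry    Entry
	Hash     string
}

// signedBytes is the exact byte string the author signs.
func signedBytes(e Entry) []byte {
	return append(append([]byte{}, e.Author...), []byte(e.Payload)...)
}

// blockHash binds the previous hash, the entry and its signature together.
func blockHash(prev string, e Entry) string {
	h := sha256.New()
	h.Write([]byte(prev))
	h.Write(signedBytes(e))
	h.Write(e.Signature)
	return hex.EncodeToString(h.Sum(nil))
}

// SignEntry builds a record signed with the author's Ed25519 private key.
func SignEntry(priv ed25519.PrivateKey, payload string) Entry {
	e := Entry{Author: priv.Public().(ed25519.PublicKey), Payload: payload}
	e.Signature = ed25519.Sign(priv, signedBytes(e))
	return e
}

// Append adds a block whose hash depends on the block before it.
func Append(chain []Block, e Entry) []Block {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	return append(chain, Block{PrevHash: prev, Entry: e, Hash: blockHash(prev, e)})
}

// VerifyChain checks only the hash links. It catches an edit made without
// recomputing hashes, but not a custodian who re-hashes the whole chain.
func VerifyChain(chain []Block) bool {
	prev := ""
	for _, b := range chain {
		if b.PrevHash != prev || blockHash(prev, b.Entry) != b.Hash {
			return false
		}
		prev = b.Hash
	}
	return true
}

// VerifySignatures checks each record against the key it names (non-repudiation).
func VerifySignatures(chain []Block) bool {
	for _, b := range chain {
		if !ed25519.Verify(b.Entry.Author, signedBytes(b.Entry), b.Entry.Signature) {
			return false
		}
	}
	return true
}

// Rewrite models a custodian who edits one payload and re-hashes; the old signature stays.
func Rewrite(chain []Block, idx int, payload string) []Block {
	var out []Block
	for i, b := range chain {
		e := b.Entry
		if i == idx {
			e.Payload = payload
		}
		out = Append(out, e)
	}
	return out
}

func main() {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero demo seed; use crypto/rand in practice
	priv := ed25519.NewKeyFromSeed(seed)
	chain := Append(nil, SignEntry(priv, "lot 42 shipped to depot B")) // constructed payloads
	chain = Append(chain, SignEntry(priv, "lot 42 received at depot B"))
	rewritten := Rewrite(chain, 0, "lot 42 shipped to depot C")
	fmt.Println(VerifyChain(chain), VerifySignatures(chain))         // true true
	fmt.Println(VerifyChain(rewritten), VerifySignatures(rewritten)) // true false
}
```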



  • 43.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 07:43:00 PM
    Blockchain was originally developed as a non repudiation mechanism.  Blockchain has been breached a number of times.  And there are ways to put backdoors in blockchain that are currently being exploited.  And many malicious actors who would have us trust their interpretation of blockchain, with little or no visibility. What are we trying to achieve here?  

    I have attended a few sessions where Chinese nationals have been trying to convince climate actors that blockchain is the answer to monitoring carbon emissions. Non technical people are being told a bunch of stuff. 

    Don't forget that one of the key principles of ZT is logging and monitoring activity.  And don't forget that currently blockchain is really difficult to audit.  And don't forget that blockchain members can ALL be corrupt.  We are dealing with a planet on the edge of mathematical weather chaos.  With a bunch of madmen able to press some very destructive buttons.  Personally I think blockchain is good for cross border co-operation between friendly participants to establish an identified resource/asset/service, as a kind of federation of trust.  It is currently being misused.  As a cybersecurity guarantee, I would rather trust a crocodile in the wild.  Visibility is security.  Publishing of network access on dashboards is security.  Providing end users with visibility of network and application behaviours is security.  Encouraging public scrutiny of corporate and state activities is security. 

    Humanity is an evolutionary entity that is in a confused state between mass flight behaviours as prey, and a new worrying form of mass predation based on narcissism and superiority/inferiority complexes that would make Freud and Jung both shudder in their graves. If there is any rational purpose to life in the 2020s, it is to use whatever moral code and technology that we have to guard against ourselves.  NO government can be trusted.  NO corporation can be trusted. We have to place technology in the hands of people, stop the marketing hype that is being pushed by corporates wanting to trash the planet even further by replacing nature with money, and we do not have the luxury of time.  It is running out on a stable biosphere. 

    Blockchain is a nice idea that requires a lot of work to be of practical use IMHO.

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 44.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 28, 2022 09:32:00 PM
    Edited by Jonathan Flack Oct 28, 2022 10:24:51 PM

    Once again, I am in 1000% agreement with Nya on this.

    Blockchain remains a solution in search of a problem.  Observability and transparency, and the ability to interactively investigate events (the operative word being interactively) to contain or remediate in a breach event should not be minimized. 

    I don't see any chance at maintaining high degrees of interactive analytics capability in the SOC if blockchain is involved at a critical pivot point in the analysis.

    Furthermore, access  in a Software Defined Perimeter (SDP) is based on a need-to-know model.  That need to know can be highly fluid, and consensus on the blockchain takes time, which provides both time and opportunity for attackers.
    ------------------------------
    Jonathan Flack Managing Director, ACM, CNCF, CSA
    ------------------------------



  • 45.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 29, 2022 03:06:00 AM
    Greetings.

    As I've stated before I'm probably not the right guy taking part in these discussions. I'm running a company of grumpy old ignorant cyber-guardians - very reluctant - as in NOT using ANY technology that controls or manage ANY part of ANY security in ANY system or platform we create e.g. - security has to be built in from DAY ONE - holistically and end-to-end.

    Here at Zafehouze, our Zafepass platform DON'T AND WON'T have any 3rd party security dependencies - nothing can be added that would make Zafepass more secure - nor can anything security-wise be taken out. Why should it ... it's bolted in holistically - and our clients don't really care. Sure we can jump from 4,096bit never reused (PK-exchange WITHOUT the "I") to an 8,192bit - but that's really not the point. The point is (among many others) that the encryption IS BAKED in - end-to-end - so your sensitive data at rest in an S3 Bucket is 100% yours - and only readable by you - not us, not Amazon, not the government - not by anyone not intended. The same applies for CMMC 2.0 CUI data. The data owner can allow a sub-contractor to access and work with HIS data - and the data-owner will maintain FULL control. Once terminated - the data-owner knows the data residing in the subcontractors environment is turned into a pile of junk. 

    We gladly talk about the "why's and the what's" of what we do ... the "how" will require NDA.       

    Blockchain will not make any sense in what we do - and maybe we need to add 'paranoid' to the grumpy old ignorant list - but we SIMPLY HAVE NO TRUST in blockchains either. Not now at least.

    I know what you're thinking ( "Did he fire six shots or only five?" - sorry, couldn't help this little Dirty Harry de-tour :-) )

    ... you've gotta ask yourself one question: ... "should Zafehouze be trusted - can Zafepass be trusted" ... NO! is the short answer.

    We're a supplier like anyone else - but we do offer code-review and have leading accounting firms verifying Zafepass is not doing anything malicious etc.

    BOTTOM LINE .... I'm pleased to read @Nya Murray post no 34 - and @Jonathan Flack post no. 35.


    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 46.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 29, 2022 03:18:00 AM
    Some prophetical statements @Nya, somehow I think there are too many truths to challenge?
    Think we have the ability to bring balance… starting to go Star Wars dialogue here?
    In short we have tools to support or affirm how we want to drive digital trust. Open ledger can be audited. ‘Building tests supporting what we see is where we can focus our efforts on.’
    I see this as an opportunity of improvement, agree time is currently not a luxury we have.
    Hail Nya 🤓




  • 47.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 06:09:00 AM
    The entire point of Zero Trust is to eliminate trust, a human emotion that brings a subjective confidence to technical systems.  It is thus a vulnerability. Trust is not part of the security solution in modern systems.

    The entire point of zero trust is the ELIMINATION of trust from the security model.


    ------------------------------
    Jonathan Flack Managing Director, ACM, CNCF, CSA
    ------------------------------



  • 48.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 03:02:00 AM
    ... if you wonder why I keep quiet - I think too many are too far away from 'problem solving'. 

    ... I know it sounds nice, Jonathan - but I don't fully agree. At some point trust has to be established between two entities or humans communicating. If I can't trust you my most sensitive data - you won't get it (and that you can argue is a Zero-Trust policy - but it will eventually halt communication, won't it? - is that the goal - no!).

    Zero-Trust is good - but not good enough - and for some it's a mirage, others a revelation and for people with deep technical it's just something we have done since we took out a patent on this stuff back in 2005.  In my mind (and what we do, and patented back in 2005 - long time before JK coined ZT) is creating a Prevent & Protect platform, capable of "swimming safely in overcrowded shark-filled waters" - think that is more aligned to The Jericho Forum and the 'de-perimeterization' manifest. 

    @Paul Simmonds - correct me if I'm wrong!


    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 49.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 03:14:00 PM
    John K and I had this discussion the other night.  Trust is not a requirement, validation is a requirement.

    We need to stop anthropomorphizing here.  Security is based on policy, not emotions, and trust is an emotion.  Hence, trust IS THE vulnerability.   

    Ask anyone working in the IC to explain why it was that the Manning and Snowden leaks happened.  It had nothing to do with breaches, it was the security model based on trust that was violated.

    ------------------------------
    Jonathan Flack Managing Director, ACM, CNCF, CSA
    ------------------------------



  • 50.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 04:35:00 PM
    Hey Jonathan ... you're absolutely right. Admitted, being non-English, the word 'trust' - has too many flavors in my part of the world - hence why we think zero-trust is a bit 'unclear' - covering 'trust', 'confidence' / 'confidentiality' over to words like 'intimacy', 'affirmation', 'proof'. I guess some of these words are also 'emotions' - so it could be the best way to describe it is "validation". Thanks for clarifying, cheers

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 51.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 02:06:00 AM

    I have spoken to the team at Jeju University in South Korea that built a Zero Trust intent-Based Networking and Blockchain-driven solution (which they presented at Linux One Summit in November https://onesummit2022.sched.com/event/1Aafc). 

    They would like to present to the CSA their work in the week beginning 12th of December, at US Eastern 0800 on Monday, Tues, Wed or Friday... any preferences on the timing?

    @Denis Nwanshi @Alex Sharpe @Nya Murray @Devon Artis @Richard Baker @Jonathan Flack @Paul Simmonds @Jason A. Garbis @Charalampos Alevizos @Niels E. Anqvist @Bernard Coetzee


    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 52.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 02:22:00 AM
    Bad week all round, will try to make it - but definitely not the 14th.

    ------------------------------
    Paul Simmonds
    Board, CSA UK Chapter
    Director, CSA (Europe) CIC
    CEO, Global Identity Foundation
    ------------------------------



  • 53.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 02:57:00 AM
    Edited by Denis Nwanshi Dec 01, 2022 03:11:35 AM
    Thanks for the heads up, @Philip Griffiths...I'm flexible on dates, but the challenge for me might be the time difference (currently in the UK).

    Thanks for the points of clarification on ZT, @Paul Simmonds.

    @Alex Sharpe, @Nya Murray,
    I agree with the assertion that blockchain-based use cases built on clearly defined communities stand a better chance of success, particularly given the need for blockchain interoperability in many verticals. In terms of determining whether there is a viable architecture design to explore further, hopefully we'll learn something from the team at Jeju University in South Korea.



    ------------------------------
    Denis Nwanshi
    Chief Digital Officer
    NetraScale
    ------------------------------




  • 54.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 07:48:00 AM
    Agreed, @Denis Nwanshi. Not even considering the security issues for a second, people forget, a Blockchain in and of itself does nothing. It needs data structure for payloads, business rules to operate, and it must solve the last mile problem. The larger and more diverse the constituents, the less likely it is to deploy something useful.

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 55.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 07:43:00 AM
    Thank you, @Philip Griffiths. Really appreciate you doing this. The 13th, 15th, and 21st are bad for me.

    Cheers,
    alex.


    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 56.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 02:37:00 AM
    Edited by Paul Simmonds Dec 01, 2022 02:41:53 AM

    I would seriously question how intent-based networks can be misused, not to mention the whole "locus-of-control" issues with who owns the blockchain standard behind it.

    Though this is very US-Centric and US-Partisan, I would suggest a read of this prior to any meeting.

    https://www.justsecurity.org/75741/chinas-dystopian-new-ip-plan-shows-need-for-renewed-us-commitment-to-internet-governance/

    Not that I would in any way suggest their work is part of any covert government play/ploy - just an example of how Intent-based networks could be used to balkanize the Internet.

    ------------------------------
    Paul Simmonds
    Board, CSA UK Chapter
    Director, CSA (Europe) CIC
    CEO, Global Identity Foundation
    ------------------------------



  • 57.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 03:37:00 AM
    Worrying article @Paul Simmonds - there's a big chess game going on. We could end up returning to a pigeon-based-internet (again). :-)

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 58.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 03:25:00 AM
    Hmm .... I'm not convinced blockchain can strengthen Zero-Trust architectures - but I might be wrong, and stay curious. I think there are simply too many security questions needing pragmatic answers.

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 59.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 08:41:00 AM
    Edited by Denis Nwanshi Dec 01, 2022 08:42:33 AM
    Good points all round, we cannot overlook the many unanswered questions relating to decentralised ledgers, although I think we should also weigh them against the concerns surrounding traditional ZT centralised architectures as more critical assets are moved to the cloud.
    The DLT features that might warrant exploring for ZT include the transparency, data privacy and immutability benefits of a trust-less private blockchain network. One test case cited involves a government agency accessing trust-less COVID patient data hashed on a healthcare consortium private blockchain, rather than having to directly integrate with x number of healthcare providers hosting centralised databases, which expands the attack surface. Under this decentralised model, transactional cost is significantly lower, and the information granularity provided via selective disclosure means the traveller controls how much health information they want to share when presenting their (verified) credentials.
     
    Admittedly this is very high level and a DLT-based ZT architecture is unlikely to be optimal for every use case, just bouncing off ideas gathered from cross-vertical research.


    ------------------------------
    Denis Nwanshi
    NetraScale
    ------------------------------
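    The selective-disclosure flow Denis sketches above, as an added example in Go that is not code from this thread or from any project named in it: the issuer salts and hashes each attribute, a single commitment over the digests is the only value written to the ledger, and the holder reveals just the attributes a verifier asks for, so the verifier can check them against the chain without ever seeing the rest. The type and function names and the sample attributes are constructed for this example; a real deployment would also bind the commitment to an issuer signature and a revocation mechanism, which this example leaves out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Disclosure is one attribute as the holder reveals it; the salt stops digest guessing.
type Disclosure struct {
	Salt, Name, Value string
}

// Credential is what the issuer hands the holder: salted attributes plus their digests.
type Credential struct {
	Attributes []Disclosure
	Digests    []string
}

// Presentation carries every digest (to recompute the commitment) but only chosen disclosures.
type Presentation struct {
	Digests     []string
	Disclosures []Disclosure
}

func attrDigest(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

func newSalt() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Commitment is the only value written to the ledger: one hash over the sorted
// digests, so it reveals neither attribute values nor their order.
func Commitment(digests []string) string {
	sorted := append([]string(nil), digests...)
	sort.Strings(sorted)
	h := sha256.New()
	for _, dg := range sorted {
		h.Write([]byte(dg + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Issue salts and digests each attribute for the holder.
func Issue(attrs map[string]string) Credential {
	var c Credential
	for name, value := range attrs {
		d := Disclosure{Salt: newSalt(), Name: name, Value: value}
		c.Attributes = append(c.Attributes, d)
		c.Digests = append(c.Digests, attrDigest(d))
	}
	return c
}

// Present reveals only the named attributes; the rest stay as opaque digests.
func (c Credential) Present(names ...string) Presentation {
	p := Presentation{Digests: c.Digests}
	for _, d := range c.Attributes {
		for _, n := range names {
			if d.Name == n {
				p.Disclosures = append(p.Disclosures, d)
			}
		}
	}
	return p
}

// Verify recomputes the commitment, checks each disclosure against it and returns only disclosed values.
func Verify(ledgerCommitment string, p Presentation) (map[string]string, bool) {
	if Commitment(p.Digests) != ledgerCommitment {
		return nil, false
	}
	committed := map[string]bool{}
	for _, dg := range p.Digests {
		committed[dg] = true
	}
	out := map[string]string{}
	for _, d := range p.Disclosures {
		if !committed[attrDigest(d)] {
			return nil, false
		}
		out[d.Name] = d.Value
	}
	return out, true
}

func main() {
	cred := Issue(map[string]string{"name": "A. Example", "vaccinated": "yes"}) // constructed sample
	fmt.Println(Verify(Commitment(cred.Digests), cred.Present("vaccinated")))  // map[vaccinated:yes] true
}
```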



  • 60.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 04:38:00 AM
    That timeslot works for me @Philip Griffiths - looking forward to hearing their perspective and experience!


    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 61.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 01, 2022 05:20:00 AM

    Hi Philip, I can certainly make myself available for the presentation.  I would appreciate an invitation. Thank you



    ------------------------------
    T. Devon Artis
    Cloud Security Architect/DevSecOps Lead
    ------------------------------



  • 62.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 02, 2022 03:49:00 AM

    Hey again, thanks for the feedback on the timings. It seems the best day is December the 12th at 1300. I have added a zoom invite below; if anyone direct messages me their email address, I will happily email it to you.

    Topic: CSA - Zero Trust and Blockchain Presentation

    Time: Dec 12, 2022 01:00 PM London

     

    Join Zoom Meeting

    https://netfoundry.zoom.us/j/9293163712

     

    Meeting ID: 929 316 3712

    Find your local number: https://netfoundry.zoom.us/u/kxPyxYNRm



    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 63.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 02, 2022 04:50:00 AM
    Thanks Philip, this is a very interesting topic.  Best Regards

    Nya Alison Murray
    Trac-Car Technology
    UK +44 208133 9249
    Australia +61 73040 1637
    Switzerland +41 22548 1747
    ----------------------------------------







  • 64.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 02, 2022 08:08:00 AM
    Count me in @Philip Griffiths.


    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 65.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 05, 2022 07:39:00 AM
    Thanks for setting this up. Would you like me to create a Circle Event posting for this, or does this blog post suffice?

    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------



  • 66.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 05, 2022 07:43:00 AM
    Yes, please do Erik! Max participation and questions is great.

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 67.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 02, 2022 07:27:00 AM
    Who in CSA would they like to engage with? The Zero Trust Research Working Group and particularly the Networking Pillar workstream?

    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------



  • 68.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 02, 2022 08:18:00 AM
    To be honest, @Erik Johnson, anyone interested in ZT & Blockchain... if we can announce more widely, that would be awesome. The Jeju team has read this thread and will try to ensure they cover all the questions that have come up.


    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 69.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 13, 2022 04:22:00 AM
    Edited by Philip Griffiths Dec 13, 2022 05:02:37 AM

    Hey all,

    Thanks for attending the Zero Trust and Blockchain presentation from the project Jeju University worked on @Paul Simmonds, @Richard Baker, @Alex Sharpe and @Rob L. The team presented how they built an Intent-based Networking solution using open source blockchain (Ethereum) and open source zero trust networking (OpenZiti). Hopefully, we will get a presentation from them soon with updates on use cases as we were discussing.

    Recording and slides are uploaded here for anyone who missed it - CSA Blockchain - Google Drive. @Denis Nwanshi @Nya Murray @Devon Artis @Jonathan Flack @Jason A. Garbis @Charalampos Alevizos @Niels E. Anqvist @Bernard Coetzee



    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 70.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 13, 2022 05:42:00 AM
    Thank you for pulling this together, @Philip Griffiths. The team presented some novel ideas I would like to understand a bit more. It seems to me a workflow (or use case) is the best way to do that. To @Paul Simmonds' point, they are assuming well-behaved sources of truth for things like identity, entitlements, and the like. History shows us that is not practical on a global scale. I cannot wait to understand this a bit better.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 71.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 13, 2022 06:29:00 AM

    All,


    I agree that this will continue to promote discussion. As we start to build out the use cases, I would also appreciate examples of where in an organisation's infrastructure blockchain nodes might be placed, and how and where the artifacts referenced from the blockchain are held and processed, be this Identity, Policy or Signal information.

    How might identities of Third Parties (orgs and individuals) be managed as an alternative to current federated Id systems? Just because an attribute or artifact is referenced from the blockchain does not mean that it can be trusted absolutely, i.e. the Admin problem that @paulsimmonds raised.


    Richard






  • 72.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 13, 2022 07:02:00 AM

    Hi,


    Interesting topic. I watched parts of this thanks to @Philip Griffiths; a few thoughts:

    • It would be beneficial for the authors and the readers to investigate and justify the need for blockchain in such use cases (see page 3 here).
    • Based on the above, and if you already have a go/no-go outcome, the "admin argument" does not stand, as you will have separate entities interacting with the nodes (even if it's permissioned), hence different admins, or at least levels.
    • A change to smart contracts does not require a fork. There are simpler ways to upgrade chaincodes if needed, via proxies. This happens all the time in smart-contract-enabled blockchains, so again not an issue.
    • If this is built on Eth, what are you going to do with the fees / gas / and currency reliance in general? That would be a reason for auto-exclusion in the corporate world.

    Kind regards,







  • 73.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 19, 2022 06:04:00 AM
    Just got my hands on the Jeju presentation from November at Linux OneSummit - https://www.youtube.com/watch?v=H1hIT5qbPe0&list=PL0bkBeEamheDmPEkxbJAlo65IQ6VgTbRH&index=10&ab_channel=LFNetworking

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 74.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 19, 2022 06:24:00 AM
    Thanks @Philip, appreciate the link.




  • 75.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 19, 2022 07:17:00 AM
    Thanks for sharing, Philip. Excellent presentation, highly recommended to anyone who is seriously interested in best practice Zero Trust cybersecurity posture.

    Without identity services authentication, authorization and access control, of course there is no Zero Trust architecture.

    I know it is fashionable to take an application-centric view of Zero Trust, however there is no Zero Trust without a secure network.  Nothing substitutes for secure identity validated access at the network perimeter.

    And while a completely secure Software Defined Perimeter is not achievable today, with secure control plane/data plane identity, network, device, application and data  access logging, monitoring and analysis, the organization's cybersecurity posture can have the least risk possible.

    Particularly not forgetting message payload and data encryption, according to security classification, once access is verified.

    By starting from the network layer, and thinking security out to the transport layer, the session layer, the presentation layer, before reaching the application layer,  it is not as difficult as it first appears.

    Automation of access policy is currently integrated with service IAM policy and delegation of trust across services. Voilà, reduction in risk of data breaches. That is a given.

    I find it useful to consider using blockchain as the immutable single source, which, as the speaker notes, can:

    1. Provide strong and unique Identities that can be continuously verified.
    2. Achieve a single source of trust through an immutable permissioned ledger.

    While it is not necessary to use blockchain as the single source of trust, the principles of immutability and access logging are why blockchain was originally developed, to support non-repudiation.

    Of course I note nobody can stop authorized personnel from internal hacks, but logging and monitoring access, one of the fundamental principles of a Zero Trust network, can make insider trading much more difficult. 

    So what are governments and financial institutions waiting for? Identity fraud is costing us all massive amounts not only in terms of money, but also in social and national peace and stability. This is a critical time in stopping war and addressing climate change, so further attacks on national infrastructure, companies, governments and social institutions have to be prevented as an urgent security imperative.

    Best

    Nya

    Nya Alison Murray
    Trac-Car Technology
    UK +44 208133 9249
    Australia +61 73040 1637
    Switzerland +41 22548 1747
    ----------------------------------------








  • 76.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 31, 2022 08:51:00 AM
    Edited by Paul Simmonds Oct 31, 2022 08:54:23 AM

    I refer you to Vint Cerf.....

    Or expanding on this: https://www.globalidentity.blog/2020/03/ten-reasons-blockchain-may-not-be.html

    The same issues apply when implementing Zero Trust ecosystems.

    My 2 cents

    Paul



    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------



  • 77.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Oct 31, 2022 08:55:00 AM
    Edited by Niels E. Anqvist Oct 31, 2022 08:57:06 AM
    100% agree ... @Paul Simmonds

    /Niels A.
    CSA Denmark Chapter

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 78.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 01, 2022 07:23:00 AM
    Good post @Paul Simmonds. 100% agree. I have had the pleasure of working with Vint. Very smart and such a gentleman. Loved his dry sense of humor. Don't think I have ever seen him out of a three-piece suit.

    Blockchain as a global identity solution, any time soon, is not practical on so many levels.

    When it comes to Blockchain and Identity, I think the more relevant problem is the authentication of the identity of the users. In my opinion, that is why the only Blockchain solutions with a chance of sustainable success (and wide-scale adoption) are those with defined communities. I have been in this space since before the term Blockchain was coined. I have never seen an exception.

    One of the other things I do is sit on a Policy & Regulatory body for cryptocurrency and digital assets. Globally, the issues always come back to identity. Attached is guidance for anyone who is interested. There are lots of references to the issues, international efforts, etc.


    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------




  • 79.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Nov 14, 2022 01:42:00 AM
    Just read this Vint Cerf blog @Paul Simmonds - covers the ground nicely. So where does that leave us? Time to put the hands in the clay, I think, with a clear architecture and design first, to see if there is a lesser evil for identity. I do think it is a shame that the security industry reverts to pulling up the drawbridge philosophies as the go-to position in times of trouble. This approach is just not up to 21st century hacking practices. I can just hear the status quo mumbling in its beard that it is better than anything else.

    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 80.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Dec 02, 2022 07:43:00 AM

    Count me in, Philip.


    @Philip Griffiths

    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA
    ------------------------------



  • 81.  RE: Using Blockchain Technology to strengthen Zero Trust architectures

    Posted Sep 15, 2023 03:11:00 PM

    Revisiting this ZT/blockchain thread as the risk to ZT posed by human error, insider threats, shadow IT, device sprawl, and software supply chain vulnerabilities grows exponentially. For example, one of the solutions we're designing at NetraScale involves the convergence of AI and blockchain to counter the threats arising from data flow velocity and complexity across the ZT ecosystem as remote / hybrid work models become the norm. Look forward to sharing more details in the near future.

    @Erik Johnson, do you still plan to set up the Circle Event post?



    ------------------------------
    Denis Nwanshi
    NetraScale
    ------------------------------