In this six-part blog series, the RSAC editorial team highlights the six buzz topics featured at RSAC 2022. Each blog will highlight one of the most popular topics and trends seen within related sessions. Our first topic is zero trust.
Inside the Making of a Zero Trust Architecture
Alper Kerman, Security Engineer/Project Manager for the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE)
Scott Rose, Computer Scientist for the National Institute of Standards and Technology (NIST)
Zero trust is a set of principles used when designing, implementing, and operating infrastructure. The goal is to reduce implicit trust between enterprise systems. Zero trust stemmed from the 2005 Jericho Forum, while the NCCoE was launched in 2015 following the OPM data breach.
This session focused on putting principles into practice and implementing a zero-trust architecture project. The deployment approaches include enhanced identity governance (EIG), micro-segmentation, and software-defined perimeter (SDP). This is meant to be a descriptive document, not a prescriptive one. Zero trust defense focuses on resource protection. In a NO TRUST ZONE, never trust; always verify first!
The proposed approach of multiple policy engines includes a “system of systems,” which is part of a large hive of policy engines. The pros are that you can mix and match components to get the best of each, you may be able to keep existing tools, and there is less vendor lock-in. The cons include interoperability challenges, the need for centralized logs, and potential difficulty diagnosing issues.
What Is Zero Trust? What Isn’t Zero Trust? Let’s Make Sense of This!
Amanda Berlin, Lead Incident Detection Engineer at Blumira
Jerry Chapman, Engineering Fellow at Optiv
Chase Cunningham, Chief Strategy Officer at Ericom Software
Evan Gilman, Staff Engineer at VMware
Ways Zero Trust Can Help Organizations Just Starting Out or Interested in Learning More:
Cunningham: “I start with a brief giving everyone a scenario. If you get breached, what do you do? If you are compromised in some way—assume breach. Approaching each problem systematically is key.”
Gilman: “You should look at it as a one-year journey to address issues that occurred. What did you learn? What could you do better? It should be a learning process, and the organization must fully buy in for it to be effective.”
Are we asking too much of organizations if they are struggling with the basics?
Berlin: “Yes. There’s so much to do, and you can’t handle it or have the assets to address it. Many organizations can’t handle it. Budget is important here, and it’s a lot to ask of people. Zero trust should be at the forefront of what we are looking at. It certainly depends on where it is as an organization.”
Cunningham: “Start small; you don’t need to boil the ocean. Different businesses have different levels of risk—it’s really a case-by-case basis. Understanding the philosophy and why it’s important, and making sure everyone agrees to march in the same direction is important.”
Chapman: “High-value targets.”
Gilman: “Identity is key. Password-less and education on what that means. It’s not a less secure environment, but it does feature better security controls.”