
Zero Trust Paper #950

Open
7 of 9 tasks
achetal01 opened this issue Jul 6, 2022 · 31 comments
Assignees
Labels
project work of the group whitepaper Related to discussion of white papers

Comments

@achetal01
Collaborator

achetal01 commented Jul 6, 2022

Description:

“Traditional perimeter-based network defenses with multiple layers of disjointed security technologies have proven themselves to be unable to meet the cybersecurity needs due to the current threat environment. Contemporary threat actors, from cyber criminals to nation-state actors, have become more persistent, more stealthy, and more subtle; thus, they demonstrate an ability to penetrate network perimeter defenses with regularity. These threat actors, as well as insider threat actors, have succeeded in leveraging their access to endanger and inflict harm on national and economic security.” Ref: NSA publication U/OO/115131-21 | PP-21-0191

A cloud native platform is empowered by a connected world that is also susceptible to malicious activity due to the connectedness of its software, assorted users, devices, distributed applications and services, and the supply chain of its software components. The continuously evolving complexity of current and emerging cloud, multi-cloud, hybrid cloud, cloud native, and network environments, combined with the rapidly escalating and evolving nature of adversary threats, has exposed the lack of effectiveness of traditional network cybersecurity defenses. With the Executive Order requirements to be compliant with the Zero Trust Architecture by the end of 2023, it will be useful for the community and enterprises to understand how Zero Trust can be achieved for cloud native platforms and services, considering that there are a number of controls that cloud native platforms provide which make it easier to achieve and raise the level of security by default anyway, such as micro-segmentation, policy enforcement and management, etc.

Impact: For enterprises this will be very beneficial. Security enthusiasts who are part of CNCF and have knowledge of Zero Trust can help bring this initiative together and provide valuable guidance for the community.

Scope: This will be a large effort.

TO DO

@achetal01 achetal01 added proposal common precursor to project, for discussion & scoping triage-required Requires triage labels Jul 6, 2022
@lumjjb lumjjb added this to the STAG Rep: @achetal01 milestone Jul 10, 2022
@lumjjb lumjjb removed the triage-required Requires triage label Jul 10, 2022
@lumjjb
Collaborator

lumjjb commented Jul 10, 2022

@achetal01 can you give an overview of this at an upcoming meeting? Can you put the agenda item into the meeting notes schedule?

@chasemp
Contributor

chasemp commented Jul 14, 2022

Is this targeting a whitepaper as output?

@achetal01
Collaborator Author

achetal01 commented Jul 14, 2022 via email

@elinesterov
Contributor

Happy to participate and contribute.

@pratiklotia

Interested to contribute.

@pxp928

pxp928 commented Jul 27, 2022

Interested to contribute also.

@mrsabath

mrsabath commented Sep 27, 2022

Interested

@mrsabath

Here is the link to the CNCF Slack channel: https://cloud-native.slack.com/archives/C0444N0KYQJ

@achetal01
Collaborator Author

Kishore and Mariusz are going to reach out for a kickoff meeting next week.

We are starting this off...

@mrsabath

mrsabath commented Oct 3, 2022

The initial meeting will take place on Friday, Oct. 7th at 11am EST. For more details, please reach out to the organizers via CNCF Slack #tag-security-zero-trust channel: https://cloud-native.slack.com/archives/C0444N0KYQJ

@mrsabath

mrsabath commented Oct 5, 2022

The kickoff meeting is this Friday, Oct. 7th at 11am EST.
CNCF TAG Security is inviting you to a scheduled Zoom meeting.
Topic: TAG-Zero Trust Working Group
Time: This is a recurring meeting Meet anytime
Join Zoom Meeting
https://zoom.us/j/94806970233
Meeting ID: 948 0697 0233
One tap mobile
+16469313860,,94806970233# US
+16465588656,,94806970233# US (New York)
Dial by your location
+1 646 931 3860 US
+1 646 558 8656 US (New York)
+1 301 715 8592 US (Washington DC)
+1 309 205 3325 US
+1 312 626 6799 US (Chicago)
+1 669 444 9171 US
+1 669 900 6833 US (San Jose)
+1 719 359 4580 US
+1 253 215 8782 US (Tacoma)
+1 346 248 7799 US (Houston)
+1 386 347 5053 US
+1 564 217 2000 US
877 369 0926 US Toll-free
855 880 1246 US Toll-free
+1 647 558 0588 Canada
+1 778 907 2071 Canada
+1 780 666 0144 Canada
+1 204 272 7920 Canada
+1 438 809 7799 Canada
+1 587 328 1099 Canada
+1 647 374 4685 Canada
855 703 8985 Canada Toll-free
Meeting ID: 948 0697 0233
Find your local number: https://zoom.us/u/asBlIACXe

@JonZeolla
Contributor

I'm interested in helping

@apmarshall
Contributor

If it's not too late to join, I'd be interested in helping with this!

@mrsabath

mrsabath commented Oct 26, 2022

It's never too late @apmarshall and @JonZeolla to join :) Please see the links above to find the current documentation. Please join the CNCF Slack channel to get further information: https://cloud-native.slack.com/archives/C0444N0KYQJ
Due to Kubecon, we are not meeting this Friday, Oct. 28th, so the next meeting is Nov. 4th at 11am EST.

@asadfaizi-github

Hello, I am interested in participating and contributing. Should I start attending weekly Zoom meetings?

@lumjjb lumjjb added the project work of the group label Nov 2, 2022
@lumjjb
Collaborator

lumjjb commented Nov 2, 2022

It would be helpful to have the project have a timeline of events (see #975); we've found success in projects that do this!

@knadendla

Thank you @lumjjb, will discuss at the next meeting and follow a similar approach.

@mrsabath

mrsabath commented Nov 2, 2022

> Hello, I am interested in participating and contributing. Should I start attending weekly Zoom meetings?

Hi @asadfaizi-github, please join us on Friday.

@anvega
Collaborator

anvega commented Feb 9, 2023

Catching up here. I raised my concerns regarding this project during a meeting a few months ago. It appears there is a good cadence of meetings; however, there is no telling which direction this is headed based off the sparse notes.

As someone who has dedicated half a decade to advancing the notion of applying Zero Trust using open source and cloud native projects, I fear yet another publication explaining the concept and proclaiming the virtues of Zero Trust might actually detract from the goal and do more harm than good. The industry and standards need catching up to the work that has been happening here, not the other way around.

Most of my work alongside that of others (h/t @ZackButcher @evan2645) has been around "Zero Trust Networks", which applies the zero trust model specifically to computer networks. That in itself has been a struggle as it's slightly nuanced in respect to broader Zero Trust and at odds with what standards bodies are pushing. A case can be made that the industry isn't ready for "Zero Trust Architecture", which is "the application of a zero trust security model to all aspects of a distributed computer system". Frankly, the verdict is still out on whether that is even attainable from a philosophical point of view.

If the intent here instead is to posit what a cohesive system of well-architected integrations between identity and access control looks like, then that is an entirely different story. In that case, people can go read the docs of Istio, OPA, and SPIRE to learn what setting up and integrating those systems right looks like. If that is the point, the effort should be geared towards a reference architecture of an authorization and authentication framework built upon cloud native projects.

This has also been lingering for a while since the issue was first opened. I'm sure the rest of the TAG will find it beneficial to see what progress has been made, in what direction, next milestones, and a timetable for completion.

@achetal01
Collaborator Author

achetal01 commented Feb 9, 2023 via email

@fkautz
Contributor

fkautz commented Feb 9, 2023

I also worry about this; there is a lot of hype and buzz around Zero Trust. We should be careful in our approach to appear like we are not chasing fads but instead providing high-quality guidance for the Cloud Native community. If this turns into a reference architecture for building a cloud-native zero-trust system, as Andres recommends above, that would be amazing. If the discussion focuses on the benefits of Zero Trust, we'll end up being yet another paper in an enormous sea of material.

@fkautz
Contributor

fkautz commented Feb 9, 2023

Also, if you're thinking of moving it toward a Zero Trust Reference Architecture, I'd be more than happy to contribute, though I have a conflict with the current time. Happy to work async there. I have prior work I can contribute here.

@davidhadas

davidhadas commented May 5, 2023

Hi,

I am a Security WG Lead at Knative and the main contributor of Guard, a security extension of Knative (which can also be deployed for any microservices on vanilla Kubernetes). Guard is well suited to be part of a ZTA as it introduces a per-pod gate.

I will try to catch up with the team's work on https://docs.google.com/document/d/1K_k3ddnFMIhraoqMuXQo7BUWwo8pR2UPd6ZeIJZt7R8/ and hopefully make contributions as a follow-up.

@mrsabath

Quick update: we re-shuffled the paper content. The new document is here: https://docs.google.com/document/d/10g2390JdCBXmSmzQ_EGHFWrg2JosPsXLaqXaGQ-B9NA/edit?usp=sharing

@mrsabath

We have locked the document and opened it for an internal review. The version that you can comment on is available here:
https://docs.google.com/document/d/10g2390JdCBXmSmzQ_EGHFWrg2JosPsXLaqXaGQ-B9NA/edit?usp=sharing

@pmacni

pmacni commented Aug 14, 2023

@mrsabath we are interested in participating (AuthZed team). Are you collecting new content? We could help in fine-grained access control.

@datosh

datosh commented Aug 16, 2023

We used today's EMEA TAG Security Meeting to review the Zero Trust Whitepaper.
Comments were added to the document. Let me know if you have any questions regarding the comments; I will try to elaborate if possible.

@mrsabath

> @mrsabath we are interested in participating (AuthZed team). Are you collecting new content? We could help in fine-grained access control.

We have decided to split this white paper into several phases, or at least two. The first one is pretty much completed. The goal for it is to introduce the ZT concepts and principles and provide some high-level architecture. The current state is final adjustments, reviews, and editorial changes.

The second phase is to provide some specific use cases and best-practice scenarios, as well as introducing various CNCF technologies that can help with accomplishing the ZT journey. This would definitely cover the access control topics. I think we would be very happy to have you participate in the second phase of the paper, which would start as soon as we complete and publish the introductory paper.

@pmacni

pmacni commented Aug 16, 2023 via email

@PushkarJ PushkarJ added whitepaper Related to discussion of white papers and removed proposal common precursor to project, for discussion & scoping labels Nov 29, 2023
@anvega
Collaborator

anvega commented Jun 8, 2024

Good job incorporating earlier feedback and highlighting key principles and components that should be considered when designing and implementing a Zero Trust Architecture.

I wanted to acknowledge that you have made significant progress, and I appreciate everyone's efforts. To move things along, I gave an editor pass to the white paper. This effort was aimed at streamlining the content, removing redundancies, and enhancing the overall readability and tone.

I updated the title to better reflect the comprehensive nature of the white paper, but obviously that's one for you to pick ultimately. The introduction was restructured to improve readability and focus, with a simplified explanation of Zero Trust principles and their relevance to cloud native environments. I also removed redundant content to emphasize the importance and application of Zero Trust.

The core elements section was revised to highlight the essential elements required for a Zero Trust model in cloud native environments, removing specific organizational references to maintain broader applicability. Reviewer and contributor acknowledgments were consolidated into a more concise format to ensure clarity and readability.

The history of Zero Trust was simplified and summarized to provide a quick yet comprehensive overview of the key milestones in its evolution. Finally, the "Referenced Projects" section was renamed to "Tools and Technologies" and organized to list relevant tools and technologies for Zero Trust implementation more clearly.

I would appreciate it if the authors could review the editorial copy and provide their feedback.

Here is the editor's review copy.

A set of technologies not yet included, which I would encourage incorporating, is emerging areas like open-source silicon (e.g., OpenTitan) as a hardware root of trust and lattice-based cryptography (e.g., liboqs) in the context of Zero Trust, which could be a focus for future updates.

Thank you for your continued support and contributions. Your feedback has been invaluable, and I believe these changes will make the white paper a more effective and accessible resource.

@anvega
Collaborator

anvega commented Jun 8, 2024

I spent several more hours today and added several enhancements:

  • Added a section on threat modeling
  • Included detailed guidance on planning the rollout and preparing for implementation, drawing from the "Solving The Bottom Turtle" book.
  • Enhanced the history section with more references and milestones.
  • Added a section on cryptoagility.
  • Mentioned eBPF for implementing fine-grained network policies and monitoring, which hadn't been covered. I would like to expand more on that, with a stretch goal to talk about kTLS.
  • Discussed hardware roots of trust, such as TPM and HSM, which weren't previously covered.
  • Added a preface on behalf of the TAG leadership to set the stage and provide context.
  • Tweaked the structure and organization to improve the document's flow and readability.

@anvega anvega changed the title Zero Trust - Cloud Native Platforms and Services Zero Trust Paper Jun 8, 2024
@cncf cncf deleted a comment from Wherever2 Jun 12, 2024
Projects
Status: wrapping up