Zero Trust Paper #950
Comments
@achetal01 can you give an overview of this at an upcoming meeting? Can you put the agenda item into the meeting notes schedule? |
Is this targeting a whitepaper as output? |
Yes, next meeting for sure.
On Sun, Jul 10, 2022 at 11:09 AM Brandon Lum wrote:
@achetal01 can you give an overview of this at an upcoming meeting? Can you put the agenda item into the meeting notes schedule?
|
Happy to participate and contribute. |
interested to contribute. |
Interested to contribute also. |
Interested |
Here is the link to the CNCF Slack channel: https://cloud-native.slack.com/archives/C0444N0KYQJ |
Kishore and Mariusz are going to reach out for a kickoff meeting next week. We are starting this off... |
The initial meeting will take place on Friday, Oct. 7th at 11am EST. For more details, please reach out to the organizers via CNCF Slack |
The kickoff meeting is this Friday Oct. 7th at 11am EST |
I'm interested in helping |
If it's not too late to join, I'd be interested in helping with this! |
It's never too late @apmarshall and @JonZeolla to join :) Please see the links above to find the current documentation. Please join the CNCF Slack channel to get further information: https://cloud-native.slack.com/archives/C0444N0KYQJ |
Hello, I am interested in participating and contributing. Should I start attending weekly Zoom meetings? |
It would be helpful to have the project have a timeline of events (see #975), we've found success in projects that do this! |
Thank you @lumjjb , will discuss on next meeting and follow similar approach. |
Catching up here. I raised my concerns regarding this project during a meeting a few months ago. It appears there is a good cadence of meetings; however, there is no telling which direction this is headed based off the sparse notes. As someone who has dedicated half a decade to advancing the notion of applying Zero Trust using open source and cloud native projects, I fear yet another publication explaining the concept and proclaiming the virtues of Zero Trust might actually detract from the goal and do more harm than good. The industry and standards need to catch up to the work that has been happening here, not the other way around. Most of my work, alongside that of others (h/t @ZackButcher @evan2645), has been around "Zero Trust Networks", which applies the zero trust model specifically to computer networks. That in itself has been a struggle, as it's slightly nuanced in respect to broader Zero Trust and at odds with what standards bodies are pushing. A case can be made that the industry isn't ready for "Zero Trust Architecture", which is "the application of a zero trust security model to all aspects of a distributed computer system". Frankly, the verdict is still out on whether that is even attainable from a philosophical point of view. If the intent here instead is to posit what a cohesive system of well-architected integrations between identity and access control looks like, then that is an entirely different story. In that case, people can go read the docs of Istio, OPA, and SPIRE to learn what setting up and integrating those systems right looks like. If that is the point, the effort should be geared towards a reference architecture of an authorization and authentication framework built upon cloud native projects. This has also been lingering for a while since the issue was first opened. I'm sure the rest of the TAG will find it beneficial to see what progress has been made, in what direction, the next milestones, and a timetable for completion. |
Alex, yes, please join in... Great to have you in this working group.
On Wed, Oct 26, 2022 at 1:14 PM Alex Floyd Marshall wrote:
If it's not too late to join, I'd be interested in helping with this!
|
I also worry about this; there is a lot of hype and buzz around Zero Trust. We should be careful in our approach to appear like we are not chasing fads but instead providing high-quality guidance for the Cloud Native community. If this turns into a reference architecture for building a cloud-native zero-trust system, as Andres recommends above, that would be amazing. If the discussion focuses on the benefits of Zero Trust, we'll end up being yet another paper in an enormous sea of material. |
Also, if you're thinking of moving it toward a Zero Trust Reference Architecture, I'd be more than happy to contribute, though I have a conflict with the current time. Happy to work async there. I have prior work I can contribute here. |
Hi, I am a Security WG Lead at Knative and the main contributor of Guard - a security extension of Knative (which can also be deployed for any microservices on vanilla Kubernetes). Guard is well suited to be part of a ZTA as it introduces a per pod gate. I will try to catch up with the team's work on https://docs.google.com/document/d/1K_k3ddnFMIhraoqMuXQo7BUWwo8pR2UPd6ZeIJZt7R8/ and hopefully make contributions as a followup. |
Quick update, we re-shuffled the paper content. The new document is here: https://docs.google.com/document/d/10g2390JdCBXmSmzQ_EGHFWrg2JosPsXLaqXaGQ-B9NA/edit?usp=sharing |
We have locked the document and opened it for an internal review. The version that you can comment on is available here: |
@mrsabath we are interested in participating (AuthZed team). Are you collecting new content? We could help in fine-grained access control. |
We used today's EMEA TAG Security Meeting to review the Zero Trust Whitepaper. |
We have decided to split this white paper into several phases, or at least two. The first one is pretty much completed. The goal for it is to introduce the ZT concepts and principles and provide some high-level architecture. The current state is final adjustments, reviews, and editorial changes. The second phase is to provide some specific use cases and best-practice scenarios, as well as introducing various CNCF technologies that can help with accomplishing the ZT journey. This would definitely cover the access control topics. I think we would be very happy to have you participate in the second phase of the paper, which would start as soon as we complete and publish the introductory paper. |
Great, can you please ping us or let us know approx. timelines to plan for this?
On Wed, Aug 16, 2023 at 4:03 PM Mariusz Sabath wrote:
@mrsabath we are interested in participating (AuthZed team). Are you collecting new content? We could help in fine-grained access control.
We have decided to split this white paper into several phases, or at least two. The first one is pretty much completed. The goal for it is to introduce the ZT concepts and principles and provide some high-level architecture. The current state is final adjustments, reviews, and editorial changes.
The second phase is to provide some specific use cases and best-practice scenarios, as well as introducing various CNCF technologies that can help with accomplishing the ZT journey. This would definitely cover the access control topics. I think we would be very happy to have you participate in the second phase of the paper, which would start as soon as we complete and publish the introductory paper.
|
Good job incorporating earlier feedback and highlighting key principles and components that should be considered when designing and implementing a Zero Trust Architecture. I wanted to acknowledge that you have made significant progress, and I appreciate everyone's efforts. To move things along, I gave an editor pass to the white paper. This effort was aimed at streamlining the content, removing redundancies, and enhancing the overall readability and tone. I updated the title to better reflect the comprehensive nature of the white paper, but obviously that's one for you to pick ultimately. The introduction was restructured to improve readability and focus, with a simplified explanation of Zero Trust principles and their relevance to cloud native environments. I also removed redundant content to emphasize the importance and application of Zero Trust. The core elements section was revised to highlight the essential elements required for a Zero Trust model in cloud native environments, removing specific organizational references to maintain broader applicability. Reviewer and contributor acknowledgments were consolidated into a more concise format to ensure clarity and readability. The history of Zero Trust was simplified and summarized to provide a quick yet comprehensive overview of the key milestones in its evolution. Finally, the "Referenced Projects" section was renamed to "Tools and Technologies" and organized to list relevant tools and technologies for Zero Trust implementation more clearly. I would appreciate it if the authors could review the editorial copy and provide their feedback. Here is the editor's review copy. A set of technologies not included, but which I would encourage incorporating, is emerging areas like open-source silicon (e.g., OpenTitan) as a hardware root of trust and lattice-based cryptography (e.g., liboqs) in the context of Zero Trust, which could be a focus for future updates. Thank you for your continued support and contributions. Your feedback has been invaluable, and I believe these changes will make the white paper a more effective and accessible resource. |
I spent several more hours today and added several enhancements:
|
Description:
“Traditional perimeter-based network defenses with multiple layers of disjointed security technologies have proven themselves to be unable to meet the cybersecurity needs due to the current threat environment. Contemporary threat actors, from cyber criminals to nation-state actors, have become more persistent, more stealthy, and more subtle; thus, they demonstrate an ability to penetrate network perimeter defenses with regularity. These threat actors, as well as insider threat actors, have succeeded in leveraging their access to endanger and inflict harm on national and economic security.” Ref: NSA publication U/OO/115131-21 | PP-21-0191
A cloud native platform is empowered by a connected world that is also susceptible to malicious activity due to the connectedness of its software, assorted users, devices, distributed applications and services, and the supply chain of its software components. The continuously evolving complexity of current and emerging cloud, multi-cloud, hybrid cloud, cloud native, and network environments, combined with the rapidly escalating and evolving nature of adversary threats, has exposed the lack of effectiveness of traditional network cybersecurity defenses. With the Executive Order requirements to be compliant with the Zero Trust Architecture by the end of 2023, it will be useful for the community and enterprises to understand how Zero Trust can be achieved for cloud native platforms and services, considering there are a number of controls that cloud native platforms provide which make it easier to achieve and raise the level of security by default anyway, such as micro-segmentation, policy enforcement and management, etc.
Impact: For enterprises this will be very beneficial. Security enthusiasts who are part of CNCF and have knowledge of Zero Trust can help bring this initiative together and provide valuable guidance for the community.
Scope: This will be a large effort.
TO DO
Fill in additional TODO items here so the project team and community can see progress!