
Subject (Author)
* US Gov't "Zero Trust" Security Requirements (Stephen Hoffman)
`* Re: US Gov't "Zero Trust" Security Requirements (Kerry Main)
 `* Re: US Gov't "Zero Trust" Security Requirements (Simon Clubley)
  `* Re: US Gov't "Zero Trust" Security Requirements (Phil Howell)
   `* Re: US Gov't "Zero Trust" Security Requirements (Simon Clubley)
    +* Re: US Gov't "Zero Trust" Security Requirements (John Dallman)
    |`- Re: US Gov't "Zero Trust" Security Requirements (Alexander Schreiber)
    `- Re: US Gov't "Zero Trust" Security Requirements (Kerry Main)

US Gov't "Zero Trust" Security Requirements

<tfdtp9$r4ha$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24743&group=comp.os.vms#24743
From: seaoh...@hoffmanlabs.invalid (Stephen Hoffman)
Newsgroups: comp.os.vms
Subject: US Gov't "Zero Trust" Security Requirements
Date: Thu, 8 Sep 2022 19:27:37 -0400
Organization: HoffmanLabs LLC
 by: Stephen Hoffman - Thu, 8 Sep 2022 23:27 UTC

Requirements from the US Government:

"This memorandum sets forth a Federal zero trust architecture (ZTA)
strategy, requiring agencies to meet specific cybersecurity standards
and objectives by the end of Fiscal Year (FY) 2024 in order to
reinforce the Government’s defenses against increasingly sophisticated
and persistent threat campaigns. Those campaigns target Federal
technology infrastructure, threatening public safety and privacy,
damaging the American economy, and weakening trust in Government."

https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
(from 26-Jan-2022)

This work parallels the BeyondCorp security design that has been posted
around here once or twice before.

--
Pure Personal Opinion | HoffmanLabs LLC

Re: US Gov't "Zero Trust" Security Requirements

<mailman.5.1663598696.17143.info-vax_rbnsn.com@rbnsn.com>

https://www.novabbs.com/computers/article-flat.php?id=24879&group=comp.os.vms#24879
From: kemain.n...@gmail.com (Kerry Main )
Newsgroups: comp.os.vms
Subject: Re: US Gov't "Zero Trust" Security Requirements
Date: Mon, 19 Sep 2022 11:44:10 -0300
 by: Kerry Main - Mon, 19 Sep 2022 14:44 UTC

> -----Original Message-----
> From: Info-vax <info-vax-bounces@rbnsn.com> On Behalf Of Stephen
> Hoffman via Info-vax
> Sent: September-08-22 8:28 PM
> To: info-vax@rbnsn.com
> Cc: Stephen Hoffman <seaohveh@hoffmanlabs.invalid>
> Subject: [Info-vax] US Gov't "Zero Trust" Security Requirements
>
>
> Requirements from the US Government:
>
> "This memorandum sets forth a Federal zero trust architecture (ZTA)
> strategy, requiring agencies to meet specific cybersecurity standards and
> objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the
> Government’s defenses against increasingly sophisticated and persistent
> threat campaigns. Those campaigns target Federal technology infrastructure,
> threatening public safety and privacy, damaging the American economy, and
> weakening trust in Government."
>
> https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
> (from 26-Jan-2022)
>
> This work parallels the BeyondCorp security design that has been posted
> around here once or twice before.
>
>

Nice post .. ZTA illustrates transformation from relying on network perimeters (e.g. local firewalls) to enterprise App/DB and IDM (identity management) architectures.

More detailed whitepaper architecture pointer in the link above:
<https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf>

Another related whitepaper from Fortigate (security vendor) on this topic:
<https://www.fortinet.com/blog/ciso-collective/whats-the-difference-between-zero-trust-zta-ztna>
Key extract that is interesting - "Instead, it focuses on evaluating trust on a per-transaction basis." (TLS 1.* is per session security)

Regards,

Kerry Main
Kerry dot main at starkgaming dot com


Re: US Gov't "Zero Trust" Security Requirements

<tgd0hu$1igad$3@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24919&group=comp.os.vms#24919
From: club...@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Newsgroups: comp.os.vms
Subject: Re: US Gov't "Zero Trust" Security Requirements
Date: Tue, 20 Sep 2022 18:25:02 -0000 (UTC)
Organization: A noiseless patient Spider
 by: Simon Clubley - Tue, 20 Sep 2022 18:25 UTC

On 2022-09-19, Kerry Main <kemain.nospam@gmail.com> wrote:
>
> Nice post .. ZTA illustrates transformation from relying on network perimeters (e.g. local firewalls) to enterprise App/DB and IDM (identity management) architectures.
>
> More detailed whitepaper architecture pointer in the link above:
><https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf>
>

I looked briefly at this document and it appears that VMS would fall
down hard when judged by the standards of section 2.1.1, which makes
it clear that systems in a zero trust environment have to operate in
what is assumed to be an actively hostile environment internally, and
not just protect against some external nebulous threats from the outside
world.

Some people around here argue that VMS doesn't really need to be kept
to the same security standards as everything else "because it's run in
an isolated and controlled environment". For anyone new around here,
I disagree strongly with that statement.

How do you see it as being viable to run VMS in such an actively hostile
environment ?

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

Re: US Gov't "Zero Trust" Security Requirements

<54c0a11e-adcd-4864-bc82-e9ce69bc2558n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=24940&group=comp.os.vms#24940
Newsgroups: comp.os.vms
Date: Tue, 20 Sep 2022 20:02:56 -0700 (PDT)
Subject: Re: US Gov't "Zero Trust" Security Requirements
From: phow9...@gmail.com (Phil Howell)
 by: Phil Howell - Wed, 21 Sep 2022 03:02 UTC

On Wednesday, 21 September 2022 at 4:25:05 am UTC+10, Simon Clubley wrote:
> >
> > Nice post .. ZTA illustrates transformation from relying on network perimeters (e.g. local firewalls) to enterprise App/DB and IDM (identity management) architectures.
> >
> > More detailed whitepaper architecture pointer in the link above:
> ><https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf>
> >
> I looked briefly at this document and it appears that VMS would fall
> down hard when judged by the standards of section 2.1.1, which makes
> it clear that systems in a zero trust environment have to operate in
> what is assumed to be an actively hostile environment internally, and
> not just protect against some external nebulous threats from the outside
> world.
>
> Some people around here argue that VMS doesn't really need to be kept
> to the same security standards as everything else "because it's run in
> an isolated and controlled environment". For anyone new around here,
> I disagree strongly with that statement.
>
> How do you see it as being viable to run VMS in such an actively hostile
> environment ?
>
> Simon.
>
> --
Perhaps you should ask those who have run such systems in
"hostile environments" for at least 25 years, like Sydney ASX?
Average daily transaction value is over $50 billion (AU)
Hey, they even have a job on offer, you surely know pascal?

https://www2.asx.com.au/content/dam/asx/about/job-opportunities/securities-and-payments/senior-analyst-programmer%20-chess.pdf

Phil

Re: US Gov't "Zero Trust" Security Requirements

<tgevio$1qglo$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24951&group=comp.os.vms#24951
From: club...@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Newsgroups: comp.os.vms
Subject: Re: US Gov't "Zero Trust" Security Requirements
Date: Wed, 21 Sep 2022 12:20:40 -0000 (UTC)
Organization: A noiseless patient Spider
 by: Simon Clubley - Wed, 21 Sep 2022 12:20 UTC

On 2022-09-20, Phil Howell <phow9917@gmail.com> wrote:
> Perhaps you should ask those who have run such systems in
> "hostile environments" for at least 25 years, like Sydney ASX?
> Average daily transaction value is over $50 billion (AU)
> Hey, they even have a job on offer, you surely know pascal?
>
> https://www2.asx.com.au/content/dam/asx/about/job-opportunities/securities-and-payments/senior-analyst-programmer%20-chess.pdf
>

No way is that in any way near the same thing.

Those systems were designed in an era where the internal network was
considered to be much more trusted than external sources and the focus
was on stopping the external sources from getting unauthorised access
to the trusted internal network.

Today's zero trust network is very different. Today, the assumption behind
zero trust is that the internal network _has_ been compromised and that
you still need to be able to operate your systems in such an environment.

That is a much much more aggressive thing to have to deal with and requires
a very different mindset to the one that VMS systems, even ones considered
secure by the standards of yesteryear, have traditionally had to deal with.

For example, don't forget that there are still some around here who consider
it 1) acceptable to run unencrypted protocols on the internal network because
it is somehow considered to be safe and 2) that you can trust what is coming
from other internal systems on the same internal network.

However, in today's world of zero trust, there is no such thing as a trusted
internal network any more.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

Re: US Gov't "Zero Trust" Security Requirements

<memo.20220921140148.11068O@jgd.cix.co.uk>

https://www.novabbs.com/computers/article-flat.php?id=24953&group=comp.os.vms#24953
From: jgd...@cix.co.uk (John Dallman)
Newsgroups: comp.os.vms
Subject: Re: US Gov't "Zero Trust" Security Requirements
Date: Wed, 21 Sep 2022 14:01 +0100 (BST)
Organization: A noiseless patient Spider
 by: John Dallman - Wed, 21 Sep 2022 13:01 UTC

In article <tgevio$1qglo$1@dont-email.me>,
clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

> Today's zero trust network is very different. Today, the assumption
> behind zero trust is that the internal network _has_ been compromised
> and that you still need to be able to operate your systems in such
> an environment.

The rise in compromises that necessitated this change of mindset seems to
have been largely due to the tendency of managers and salescreatures with
laptops to take them out of the office and get them infected with malware.
Then /targeted/ malware started being distributed via e-mail phishing. At
this point, a lot of IT departments' management concluded the secured
world of the past was no longer viable, except under very special
circumstances.

John

Re: US Gov't "Zero Trust" Security Requirements

<slrntim6f3.36vvp.als@frodo.angband.thangorodrim.de>

https://www.novabbs.com/computers/article-flat.php?id=24957&group=comp.os.vms#24957
From: als...@usenet.thangorodrim.de (Alexander Schreiber)
Newsgroups: comp.os.vms
Subject: Re: US Gov't "Zero Trust" Security Requirements
Date: Wed, 21 Sep 2022 16:04:19 +0200
Organization: Not much.
 by: Alexander Schreiber - Wed, 21 Sep 2022 14:04 UTC

John Dallman <jgd@cix.co.uk> wrote:
> In article <tgevio$1qglo$1@dont-email.me>,
> clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:
>
>> Today's zero trust network is very different. Today, the assumption
>> behind zero trust is that the internal network _has_ been compromised
>> and that you still need to be able to operate your systems in such
>> an environment.
>
> The rise in compromises that necessitated this change of mindset seems to
> have been largely due to the tendency of managers and salescreatures with
> laptops to take them out of the office and get them infected with malware.
> Then /targeted/ malware started being distributed via e-mail phishing. At
> this point, a lot of IT departments' management concluded the secured
> world of the past was no longer viable, except under very special
> circumstances.

Worse. It starts with the classic coconut security model (hard perimeter,
soft core), continues with the office network having unrestricted access
to the production network (be it a data center or a factory floor with
computer controlled machinery), usually 'because it is convenient' and
continues with people having way more access than they need (no, the
CEO of WeMakeWidgets does _not_ need full admin privileges on the
production database). And then you are one malware loaded email away
from getting your systems encrypted, just because someone clicked where
they were told not to click (and honestly, that's not that person's
fault).

Yes, proper internal security boundaries take work to properly define,
set up and maintain. They can also make the difference between "we
have to re-image one project manager's laptop" and "production is
down hard because it all got encrypted".

The times of "the internal network is a safe place" have been over
for quite some time.

Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison

Re: US Gov't "Zero Trust" Security Requirements

<mailman.0.1663980044.2032.info-vax_rbnsn.com@rbnsn.com>

https://www.novabbs.com/computers/article-flat.php?id=25001&group=comp.os.vms#25001
From: kemain.n...@gmail.com (Kerry Main )
Newsgroups: comp.os.vms
Subject: Re: US Gov't "Zero Trust" Security Requirements
Date: Fri, 23 Sep 2022 21:39:58 -0300
 by: Kerry Main - Sat, 24 Sep 2022 00:39 UTC

> -----Original Message-----
> From: Info-vax <info-vax-bounces@rbnsn.com> On Behalf Of Simon Clubley
> via Info-vax
> Sent: September-21-22 9:21 AM
> To: info-vax@rbnsn.com
> Cc: Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP>
> Subject: Re: [Info-vax] US Gov't "Zero Trust" Security Requirements
>
> On 2022-09-20, Phil Howell <phow9917@gmail.com> wrote:
> > Perhaps you should ask those who have run such systems in "hostile
> > environments" for at least 25 years, like Sydney ASX?
> > Average daily transaction value is over $50 billion (AU) Hey, they
> > even have a job on offer, you surely know pascal?
> >
> > https://www2.asx.com.au/content/dam/asx/about/job-opportunities/securities-and-payments/senior-analyst-programmer%20-chess.pdf
> >
>
> No way is that in any way near the same thing.
>
> Those systems were designed in an era where the internal network was
> considered to be much more trusted than external sources and the focus
> was on stopping the external sources from getting unauthorised access to
> the trusted internal network.
>
> Today's zero trust network is very different. Today, the assumption behind
> zero trust is that the internal network _has_ been compromised and that you
> still need to be able to operate your systems in such an environment.
>
> That is a much much more aggressive thing to have to deal with and requires
> a very different mindset to the one that VMS systems, even ones considered
> secure by the standards of yesteryear, have traditionally had to deal with.
>
> For example, don't forget that there are still some around here who consider
> it 1) acceptable to run unencrypted protocols on the internal network
> because it is somehow considered to be safe and 2) that you can trust what is
> coming from other internal systems on the same internal network.
>
> However, in today's world of zero trust, there is no such thing as a trusted
> internal network any more.
>
> Simon.
>

The issue of the internal network being a major security risk is nothing
new.

This has been highlighted by security professionals for many years.

As examples: 2009 articles
<http://informationsecurityformanagers.blogspot.com/2009/03/again-internal-security-threat.html>
Quote " Please repeat after me...there is no difference between the inside
and the outside anymore. Security solutions has to be built according to a
model where users only have access information "on a need to know basis"
REGARDLESS of where they happen to be for the moment (and according to how
secure the device is etc. etc.). Today's IT environment is far to complex
and users to mobile for an inside/outside model." End quote.

<https://www.darkreading.com/vulnerabilities-threats/reports-security-pros-shift-attention-from-external-hacks-to-internal-threats>
Quote "It's official: Today's security managers are more worried about
insiders leaking sensitive corporate data than they are about outsiders
breaking in to steal it.

In a soon-to-be-published survey of more than 400 IT and security
professionals conducted by Dark Reading and sister publication
InformationWeek, 52 percent of respondents said they are more concerned
about the possibility of internal data leaks -- both accidental and
malicious -- than they are about external threats" End quote

Another issue with some large companies today is that, imho, they have too
many internal FW zones i.e. Apars, WEB_RZ, DB_RZ and numerous others. Each
zone will typically have a pair of FW's separating each zone.

The complexity of maintaining hundreds and usually thousands of rules in
EACH FW leads to an environment that becomes almost impossible to accurately
understand all the various flows.

Many of these FW rules are legacy, but few FW OPS staff want to clean these
up because they are afraid some legacy App or Service will break.

This issue comes up all the time when doing DC Migration/Consolidations.

Zero Trust Networks (ZTA) is just a more modern term to address this old
issue.

Regards,

Kerry Main
Kerry dot main at starkgaming dot com
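
The rule-cleanup problem described in the post above (thousands of rules per firewall, legacy entries nobody dares remove), sketched as an added example that is not part of the thread or any poster's code. It assumes first-match rule evaluation; the zone names WEB_RZ and DB_RZ come from the post, while the CIDRs, rule ids and flow records are constructed.

```python
"""Added example: audit a first-match firewall rule list (constructed data)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rid: str
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None means any port


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    net = ipaddress.ip_network
    return (net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and (a.port is None or a.port == b.port))


def first_match(rules, src, dst, port):
    """Return the rule a packet hits under first-match semantics (assumed)."""
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r
    return None


def audit(rules, flows):
    """Classify each rule as shadowed, never hit, or in use.

    A shadowed rule is fully covered by one earlier rule, so it can never
    fire and removing it cannot change behaviour. Coverage by a union of
    several earlier rules is not detected here. A "no-hits" rule is still
    reachable: it only saw no traffic in the observed flow window.
    """
    hits = Counter()
    for src, dst, port in flows:
        r = first_match(rules, src, dst, port)
        if r is not None:
            hits[r.rid] += 1
    findings = {}
    for i, r in enumerate(rules):
        earlier = next((e for e in rules[:i] if covers(e, r)), None)
        if earlier is not None:
            kind = "redundant" if earlier.action == r.action else "conflict"
            findings[r.rid] = f"shadowed-{kind} by {earlier.rid}"
        elif hits[r.rid] == 0:
            findings[r.rid] = "no-hits"
        else:
            findings[r.rid] = f"in-use ({hits[r.rid]} flows)"
    return findings


# Constructed rule set: WEB_RZ = 10.1.0.0/24, DB_RZ = 10.2.0.0/24 (assumed).
RULES = [
    Rule("r1", "allow", "10.1.0.0/24", "10.2.0.0/24", 5432),
    Rule("r2", "allow", "10.1.0.5/32", "10.2.0.10/32", 5432),  # duplicate of r1
    Rule("r3", "allow", "10.9.0.0/24", "10.2.0.0/24", 1521),   # legacy zone
    Rule("r4", "deny", "10.1.0.77/32", "10.2.0.0/24", 5432),   # never enforced
    Rule("r5", "allow", "10.3.0.0/24", "10.2.0.0/24", None),
    Rule("r6", "deny", "0.0.0.0/0", "0.0.0.0/0", None),        # default deny
]

# Constructed flow-log records: (source, destination, destination port).
FLOWS = [
    ("10.1.0.5", "10.2.0.10", 5432),
    ("10.1.0.77", "10.2.0.20", 5432),  # allowed by r1 despite the deny in r4
    ("10.3.0.8", "10.2.0.10", 22),
    ("10.7.0.1", "10.2.0.10", 445),
]

if __name__ == "__main__":
    for rid, finding in audit(RULES, FLOWS).items():
        print(rid, finding)
```

The "shadowed-conflict" finding is the one to review first: a deny placed after a broader allow was written with an intent the firewall never enforced.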
