cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://cncf.io/projects

Zero Trust Paper #950

Open achetal01 opened 1 year ago

achetal01 commented 1 year ago

Description:

“Traditional perimeter-based network defenses with multiple layers of disjointed security technologies have proven themselves to be unable to meet the cybersecurity needs due to the current threat environment. Contemporary threat actors, from cyber criminals to nation-state actors, have become more persistent, more stealthy, and more subtle; thus, they demonstrate an ability to penetrate network perimeter defenses with regularity. These threat actors, as well as insider threat actors, have succeeded in leveraging their access to endanger and inflict harm on national and economic security.” Ref: NSA publication U/OO/115131-21 | PP-21-0191

A cloud native platform is empowered by a connected world that is also susceptible to malicious activity due to the connectedness of its software, assorted users, devices, distributed applications and services, and the supply chain of its software components. The continuously evolving complexity of current and emerging cloud, multi-cloud, hybrid cloud, cloud native, and network environments, combined with the rapidly escalating and evolving nature of adversary threats, has exposed the lack of effectiveness of traditional network cybersecurity defenses. With the Executive Order requirements to be compliant with the Zero Trust Architecture by end of 2023, it will be useful for the community and enterprises to understand how Zero Trust can be achieved for cloud native platforms and services, considering there are a number of controls that cloud native platforms provide which make it easier to achieve and raise the level of security by default anyway, such as micro-segmentation, policy enforcement and management, etc.

Impact: For enterprises this will be very beneficial. Security enthusiasts who are part of CNCF and have knowledge of Zero Trust can help bring this initiative together and provide valuable guidance for the community.

Scope: This will be a large effort.

TO DO

lumjjb commented 1 year ago

@achetal01 can you give an overview of this at an upcoming meeting? Can you put the agenda item into the meeting notes schedule?

chasemp commented 1 year ago

Is this targeting a whitepaper as output?

achetal01 commented 1 year ago

Yes, next meeting for sure.

On Sun, Jul 10, 2022 at 11:09 AM Brandon Lum wrote:

@achetal01 https://github.com/achetal01 can you give an overview of this at an upcoming meeting? Can you put the agenda item into the meeting notes schedule?

— Reply to this email directly, view it on GitHub: https://github.com/cncf/tag-security/issues/950#issuecomment-1179773731, or unsubscribe: https://github.com/notifications/unsubscribe-auth/ARO764UC46UX7COOQYO7GOTVTMGVVANCNFSM522SKUPQ. You are receiving this because you were mentioned.

elinesterov commented 1 year ago

Happy to participate and contribute.

pratiklotia commented 1 year ago

Interested to contribute.

pxp928 commented 1 year ago

Interested to contribute also.

mrsabath commented 1 year ago

Interested

mrsabath commented 1 year ago

Here is the link to the CNCF Slack channel: https://cloud-native.slack.com/archives/C0444N0KYQJ

achetal01 commented 1 year ago

Kishore and Mariusz are going to reach out for a kickoff meeting next week.

We are starting this off...

mrsabath commented 1 year ago

The initial meeting will take place on Friday, Oct. 7th at 11am EST. For more details, please reach out to the organizers via CNCF Slack #tag-security-zero-trust channel: https://cloud-native.slack.com/archives/C0444N0KYQJ

mrsabath commented 1 year ago

The kickoff meeting is this Friday, Oct. 7th at 11am EST.

CNCF TAG Security is inviting you to a scheduled Zoom meeting.
Topic: TAG-Zero Trust Working Group
Time: This is a recurring meeting. Meet anytime.
Join Zoom Meeting: https://zoom.us/j/94806970233
Meeting ID: 948 0697 0233
Find your local number: https://zoom.us/u/asBlIACXe

JonZeolla commented 1 year ago

I'm interested in helping

apmarshall commented 1 year ago

If it's not too late to join, I'd be interested in helping with this!

mrsabath commented 1 year ago

It's never too late @apmarshall and @JonZeolla to join :) Please see the links above to find the current documentation. Please join the CNCF Slack channel to get further information: https://cloud-native.slack.com/archives/C0444N0KYQJ

Due to KubeCon, we are not meeting this Friday, Oct. 28th, so the next meeting is Nov. 4th at 11am EST.

asadfaizi-github commented 1 year ago

Hello, I am interested in participating and contributing. Should I start attending weekly Zoom meetings?

lumjjb commented 1 year ago

It would be helpful to have the project have a timeline of events (see https://github.com/cncf/tag-security/issues/975), we've found success in projects that do this!

knadendla commented 1 year ago

Thank you @lumjjb, will discuss at the next meeting and follow a similar approach.

mrsabath commented 1 year ago

Hello, I am interested in participating and contributing. Should I start attending weekly Zoom meetings?

Hi @asadfaizi-github, please join us on Friday.

anvega commented 1 year ago

Catching up here. I raised my concerns regarding this project during a meeting a few months ago. Appears there is a good cadence of meetings, however there is no telling which direction this is headed based off the sparse notes.

As someone who has dedicated half a decade to advancing the notion of applying Zero Trust using open source and cloud native projects, I fear yet another publication explaining the concept and proclaiming the virtues of Zero Trust might actually detract from the goal and do more harm than good. The industry and standards need catching up to the work that has been happening here, not the other way around.

Most of my work alongside that of others (h/t @ZackButcher @evan2645) has been around "Zero Trust Networks", which applies the zero trust model specifically to computer networks. That in itself has been a struggle as it's slightly nuanced in respect to broader Zero Trust and at odds with what standards bodies are pushing. A case can be made that the industry isn't ready for "Zero Trust Architecture", which is "the application of a zero trust security model to all aspects of a distributed computer system". Frankly, the verdict is still out on whether that is even attainable from a philosophical point of view.

If the intent here instead is to posit what a cohesive system of well-architected integrations between identity and access control looks like, then that is an entirely different story. In that case, people can go read the docs of Istio, OPA, and SPIRE to learn what setting up and integrating those systems right looks like. If that is the point, the effort should be geared towards a reference architecture of an authorization and authentication framework built upon cloud native projects.

This has also been lingering for a while since the issue was first opened. I'm sure the rest of the TAG will find it beneficial to see what progress has been made, in what direction, next milestones, and a timetable for completion.

achetal01 commented 1 year ago

Alex, yes, please join in... Great to have you in this working group.


fkautz commented 1 year ago

I also worry about this; there is a lot of hype and buzz around Zero Trust. We should be careful in our approach to appear like we are not chasing fads but instead providing high-quality guidance for the Cloud Native community. If this turns into a reference architecture for building a cloud-native zero-trust system, as Andres recommends above, that would be amazing. If the discussion focuses on the benefits of Zero Trust, we'll end up being yet another paper in an enormous sea of material.

fkautz commented 1 year ago

Also, if you're thinking of moving it toward a Zero Trust Reference Architecture, I'd be more than happy to contribute, though I have a conflict with the current time. Happy to work async there. I have prior work I can contribute here.

davidhadas commented 1 year ago

Hi,

I am a Security WG Lead at Knative and the main contributor of Guard, a security extension of Knative (which can also be deployed for any microservices on vanilla Kubernetes). Guard is well suited to be part of a ZTA as it introduces a per-pod gate.

I will try to catch up with the team's work on https://docs.google.com/document/d/1K_k3ddnFMIhraoqMuXQo7BUWwo8pR2UPd6ZeIJZt7R8/ and hopefully make contributions as a follow-up.

mrsabath commented 1 year ago

Quick update, we re-shuffled the paper content. The new document is here: https://docs.google.com/document/d/10g2390JdCBXmSmzQ_EGHFWrg2JosPsXLaqXaGQ-B9NA/edit?usp=sharing

mrsabath commented 10 months ago

We have locked the document and opened it for an internal review. The version that you can comment on is available here: https://docs.google.com/document/d/10g2390JdCBXmSmzQ_EGHFWrg2JosPsXLaqXaGQ-B9NA/edit?usp=sharing

pmacni commented 10 months ago

@mrsabath we are interested in participating (AuthZed team). Are you collecting new content? We could help in fine-grained access control.

datosh commented 10 months ago

We used today's EMEA TAG Security meeting to review the Zero Trust whitepaper. Comments were added to the document. Let me know if you have any questions regarding the comments; I will try to elaborate if possible.

mrsabath commented 10 months ago

@mrsabath we are interested in participating (AuthZed team). Are you collecting new content? We could help in fine-grained access control.

We have decided to split this white paper into several phases, or at least two. The first one is pretty much completed. The goal for it is to introduce the ZT concepts and principles and provide some high-level architecture. The current state is final adjustments, reviews, and editorial changes.

The second phase is to provide some specific use cases and best practice scenarios, as well as introducing various CNCF technologies that can help with accomplishing the ZT journey. This would definitely cover the access control topics. I think we would be very happy to have you participate in the second phase of the paper, which would start as soon as we complete and publish the introductory paper.

pmacni commented 10 months ago

Great, can you please ping us or let us know approx. timelines to plan for this?


anvega commented 3 weeks ago

Good job incorporating earlier feedback and highlighting key principles and components that should be considered when designing and implementing a Zero Trust Architecture.

I wanted to acknowledge that you have made significant progress, and I appreciate everyone's efforts. To move things along, I gave an editor pass to the white paper. This effort was aimed at streamlining the content, removing redundancies, and enhancing the overall readability and tone.

I updated the title to better reflect the comprehensive nature of the white paper but obviously, that's one for you to pick ultimately. The introduction was restructured to improve readability and focus, with a simplified explanation of Zero Trust principles and their relevance to cloud native environments. I also removed redundant content to emphasize the importance and application of Zero Trust.

The core elements section was revised to highlight the essential elements required for a Zero Trust model in cloud native environments, removing specific organizational references to maintain broader applicability. Reviewer and contributor acknowledgments were consolidated into a more concise format to ensure clarity and readability.

The history of Zero Trust was simplified and summarized to provide a quick yet comprehensive overview of the key milestones in its evolution. Finally, the "Referenced Projects" section was renamed to "Tools and Technologies" and organized to list relevant tools and technologies for Zero Trust implementation more clearly.

I would appreciate it if the authors could review the editorial copy and provide their feedback.

Here is the editor's review copy.

A set of technologies not included but I would encourage to incorporate is emerging areas like open-source silicon (e.g., OpenTitan) as a hardware root of trust and lattice-based cryptography (e.g., liboqs) in the context of Zero Trust, which could be a focus for future updates.

Thank you for your continued support and contributions. Your feedback has been invaluable, and I believe these changes will make the white paper a more effective and accessible resource.

anvega commented 3 weeks ago

I spent several more hours today and added several enhancements: