SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
Zero Trust Architecture
Jim Hietala, VP Business Development & Security
The Open Group
j.hietala@opengroup.org
Agenda
• Zero Trust Origins
• Zero Trust Architecture
• What is ZTA???
• Status in the market
• Gaps & issues
• Zero Trust Architecture Standards Opportunities
• About The Open Group, Security Initiatives
• Summary
Zero Trust Origins…De-perimeterization Timeline
(Jericho Forum diagram: connectivity plotted against time, with "Today (2008)" marked and the effective breakdown of the perimeter occurring as connectivity grows.)
Stages, from lowest to highest connectivity:
• Stand-alone Computing [Mainframe, Mini, PC’s]: islands by technology
• Local Area Networks: interoperating protocols
• Connected LANs: connectivity for Internet e-Mail
• Internet Connectivity: Web, e-Mail, Telnet, FTP
• External Working: VPN based; external collaboration [private connections]
• Limited Internet-based Collaboration
• Full Internet-based Collaboration: consumerisation [cheap IP based devices]
• Full de-perimeterised working
Drivers noted along the curve: cost, flexibility, faster working; outsourcing and off-shoring; B2B & B2C integration, flexibility, M&A; low cost and feature rich devices.
De-Perimeterization Flipped Security Architecture On Its Head…
➢ Perimeter security control effectiveness today is suspect at best
➢ Need to move security controls closer to the data
➢ Distinction between insiders & outsiders, employees, contractors, consultants, suppliers has disappeared
➢ Cloud native, mobile, BYOD, IoT, IIoT exacerbate this
Bolted-on or Built-in?
➢ Security has historically tended to be bolted-on (reactive, after the fact) more often than built-in (proactive, designed in up front)
➢ Vulnerabilities can exist in the gaps between disparate security controls
➢ Bolted-on security architectures can be brittle and subject to entropy as threats change
(Photo: Fallen Star, UCSD, Jacobs Engineering Building)
Extending De-perimeterization Thinking > Zero Trust Architecture
• New zero-trust security models (e.g. BeyondCorp security model described by Google)
• Assumes no trust, assumes no inside/outside of a defined perimeter
• Focus is on identity and access control policy enforcement for all computing devices, segmenting networks, and less reliance on perimeter security systems
• Cloud and IoT deployment models make these new trust models and security architectures even more critical
ZTA Origins
• Jericho Forum: de-perimeterization, trust, data centric security (2005-2014)
• Kindervag, Forrester coins Zero Trust (2010)
• Google releases BeyondCorp papers (2014)
• Gartner coins "Lean Trust" (2018)
Foundational Jericho Forum Guidance
Publication / Key Points
• Jericho Forum Commandments V1.2 (W124, 2007):
“5. All devices must be capable of maintaining their security policy on an untrusted network”
“6. All people, processes and technology must have declared and transparent levels of trust for any transaction to take place”
“7. Mutual trust assurance levels must be determinable”
“8. Access to data should be controlled by security attributes of the data itself”
“Conclusion: De-perimeterization has happened, is happening, and is inevitable, central protection is decreasing in effectiveness”
• Jericho Forum Identity Commandments (W125, 2011): Establishes core identity concepts, identity attributes, entitlement management and resource access rules
• Trust Ecosystem (G141, 2014): Broad look at trust in online systems, proposes a trust taxonomy and components
Foundational Security Forum Guidance
Publication / Key Points
• The Need for Data Principles (W143, 2014): Data-Centric Security, including data lifecycle, data sensitivity
• Open Enterprise Security Architecture (O-ESA, G112): Security architecture principles, including Design for Malice, and policy driven security architecture with policy management, policy decision points, and policy enforcement points.
• Axioms for the Practice of Security Architecture (G192, 2019): Describes 20 axioms or principles critical to security architecture, including business risk-driven security, trust, resilience, security by design, least privilege, device sovereignty, context, managing access, and others.
Google BeyondCorp
Google BeyondCorp Components
• Device Inventory Service - A system that continuously collects, processes, and publishes changes about the state of known devices.
• Trust Inferer - A system that continuously analyzes and annotates device state to determine the maximum trust tier for accessing resources.
• Resources - The applications, services, and infrastructure that are subject to access control by the system.
• Access Control Engine - A centralized policy enforcement service that provides authorization decisions in real time.
• Access Policy - A programmatic representation of the resources, trust tiers, and other predicates that must be satisfied for successful auth.
• Gateways - SSH servers, web proxies, and 802.1x-enabled wireless networks that perform authorization actions.
Zero Trust Architecture Defined
• NIST: “Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.”
• Zero Trust Networks (O’Reilly, Gilman & Barth): “a collection of design patterns and considerations which, when heeded, can produce systems that are resilient to the vast majority of modern-day attack vectors. In this model, nothing is taken for granted, and every single access request is rigorously checked and proven to be authorized.”
NIST SP800-207 (draft, September, 2019)
Zero Trust Networks (Gilman & Barth)
• Authorization decisions require:
  • Enforcement
  • Policy engine
  • Trust engine - the system in a zero trust network that performs risk analysis against a particular request or action. This is a new concept/component in security architectures.
  • Data stores - may be inventories, e.g. user database, or historical, e.g. audit/accounting DB
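As an added illustration (not code from the talk, The Open Group, or Google's BeyondCorp), the following Python models the authorization flow that the BeyondCorp components slide and the Gilman & Barth slide describe: data stores, a trust inferer that assigns each device a trust tier, a trust engine that scores the risk of a particular request, a policy engine that evaluates a per-resource access policy with default deny, and the enforcement point that runs it on every connection. Every device, user, resource, tier and threshold is a constructed sample value.

```python
"""Toy zero trust authorization flow (added illustration, not code from the
talk, The Open Group or Google). All values below are constructed samples."""
from dataclasses import dataclass, field

# Data stores: a device inventory, a user directory and audit history (constructed).
DEVICE_INVENTORY = {
    "lt-001": {"managed": True, "disk_encrypted": True, "patch_age_days": 3, "edr_healthy": True},
    "lt-002": {"managed": True, "disk_encrypted": True, "patch_age_days": 45, "edr_healthy": True},
    "byod-7": {"managed": False, "disk_encrypted": False, "patch_age_days": 120, "edr_healthy": False},
}
USER_DIRECTORY = {
    "alice": {"groups": {"eng", "prod-oncall"}, "mfa": True},
    "bob": {"groups": {"eng"}, "mfa": False},
}
AUDIT_HISTORY = {  # recent failed logins and countries seen in recent sessions
    "alice": {"failed_logins": 0, "recent_countries": {"IN"}},
    "bob": {"failed_logins": 6, "recent_countries": {"IN"}},
}

# Access policy: per resource, the predicates that must all hold for an allow.
ACCESS_POLICY = {
    "wiki": {"min_tier": 1, "group": "eng", "max_risk": 60, "mfa": False},
    "prod-ssh": {"min_tier": 3, "group": "prod-oncall", "max_risk": 20, "mfa": True},
}


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    country: str
    tls: bool = True  # is this session encrypted end to end?


@dataclass
class Decision:
    allowed: bool
    tier: int
    risk: int
    reasons: list = field(default_factory=list)


def infer_trust_tier(state: dict) -> int:
    """Trust inferer: map observable device state to tier 0 (untrusted) .. 3."""
    if not state["managed"]:
        return 0
    if not (state["disk_encrypted"] and state["edr_healthy"]):
        return 1
    return 3 if state["patch_age_days"] <= 14 else 2


def score_risk(req: Request) -> int:
    """Trust engine: risk analysis of this particular request, 0 (low) .. 100."""
    hist = AUDIT_HISTORY.get(req.user, {"failed_logins": 0, "recent_countries": set()})
    risk = min(hist["failed_logins"] * 10, 50)
    if req.country not in hist["recent_countries"]:
        risk += 30  # unfamiliar location counts as an anomaly
    if not USER_DIRECTORY.get(req.user, {}).get("mfa", False):
        risk += 20
    return min(risk, 100)


def authorize(req: Request) -> Decision:
    """Policy engine: default deny; every predicate of the resource policy must hold."""
    policy = ACCESS_POLICY.get(req.resource)
    device = DEVICE_INVENTORY.get(req.device_id)
    user = USER_DIRECTORY.get(req.user)
    d = Decision(False, infer_trust_tier(device) if device else 0, score_risk(req))
    if policy is None:
        d.reasons.append("unknown resource")
    if user is None:
        d.reasons.append("unknown user")
    if device is None:
        d.reasons.append("device not in inventory")
    if d.reasons:  # nothing further can be evaluated without these data points
        return d
    if not req.tls:
        d.reasons.append("session not encrypted")
    if d.tier < policy["min_tier"]:
        d.reasons.append(f"device tier {d.tier} < required {policy['min_tier']}")
    if policy["group"] not in user["groups"]:
        d.reasons.append(f"user not in group {policy['group']}")
    if policy["mfa"] and not user["mfa"]:
        d.reasons.append("MFA required")
    if d.risk > policy["max_risk"]:
        d.reasons.append(f"risk {d.risk} > allowed {policy['max_risk']}")
    d.allowed = not d.reasons
    return d


def gateway(req: Request) -> str:
    """Enforcement point (gateway): evaluated on every connection, never cached."""
    d = authorize(req)
    verdict = "ALLOW" if d.allowed else "DENY"
    return (f"{verdict} {req.user}@{req.device_id} -> {req.resource} "
            f"(tier {d.tier}, risk {d.risk}) {'; '.join(d.reasons)}")


if __name__ == "__main__":
    print(gateway(Request("alice", "lt-001", "prod-ssh", "IN")))
    print(gateway(Request("alice", "lt-001", "prod-ssh", "US")))
    print(gateway(Request("bob", "byod-7", "wiki", "IN")))
```

The same user on a less healthy device, or from an unfamiliar location, is denied for the same resource, which is the per-connection, data-driven decision the slides describe.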
Two Broad Solution Categories
• External to Internal (North – South, client-service/VPN replacement/SDP focus)
• Internal to Internal (East – West, network microsegmentation focus)
• Mapping individual vendors into these solution categories is a challenge
Zero Trust Guiding Principles
• Verify explicitly.
  • Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
• Use least privileged access.
  • Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
• Assume breach.
  • Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
Microsoft, Zero Trust Maturity Model
Tenets of Zero Trust Architecture
• All data sources and computing services are considered resources.
• All communication is secure regardless of network location.
• Access to individual enterprise resources is granted on a per-connection basis.
• Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes.
• The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible.
• User authentication is dynamic and strictly enforced before access is allowed.
Draft NIST Special Pub 800-207
How ZTA Improves Security
• General improvements offered by ZTA:
  • Granular perimeters limit lateral movement within networks, limiting these threat vectors
  • Assumption that networks are untrusted and that threats exist at all times necessitates more robust controls
  • ZTA improves employee experience by enabling mobile and cloud use
  • Use of data to drive security decision-making (risk, threats, security posture and identity) enhances security
ZTA Vendor Marketing
• ZTA is at risk of being diluted as viable security architecture by vendors claiming to provide zero trust capabilities
• At a guess, there are now 50+ vendors from both of the solution categories claiming to provide zero trust
• This isn’t helpful to end users, particularly when vendors have a dubious claim re. actually delivering zero trust capabilities…
Security Technical Debt & ZTA
• Requires significant upfront investment
• After reducing security technical debt owing to upfront investment, ZTA should help keep security technical debt lower going forward
Practical Challenges
• There isn’t a standard definition of what ZTA is
  • Without an accepted standard definition, vendors are using and abusing the term in the market
• Many organizations have bought in to network-based security controls at the expense of planned security architecture…ZTA requires mindset and approach change.
• Zero Trust Policy is not standardized (no standard exists for how to express policies, hence all are custom)
• General lack of standards for ZTA solution components (making them interoperable, and making policies portable/reusable)
• Fully realized, ZTA will require significant upfront investment
Adoption
(Chart: Cybersecurity Insiders 2020 Zero Trust Progress Report survey, reprinted with permission)
ZTA Potential Benefits
• Make security architectures less “brittle”
• Reduce entropy of a security architecture
• Minimize security technical debt over time
• Minimize lateral movement within networks by attackers
• Better model to address the changes in threats seen over the past 10 years, as well as those in the future
ZTA Outside of Enterprise IT
• Zero trust is useful (essential) outside of enterprise IT (connected vehicles, IIoT and OT environments)
• New standards initiative, Open Group OSDU platform for oil and gas, is embracing zero trust (perimeters aren’t effective, identities are everything to security)
ZTA Standards Opportunities
• Create standard frameworks and models and ZTA guidance to bring clarity to what is/isn’t Zero Trust Architecture, and how to architect for ZTA
• Enable a rich set of attributes that may be used in trust decisions
• Coalesce early standards interest and efforts to facilitate an ecosystem of open and compatible zero trust components
  • Zero trust algorithm
  • Open source components (PEP, PIP, PDP, PAP) and reference implementations
ZTA Standards Landscape
• NIST Zero Trust Architecture, provides high level architectural overview (SP800-207 draft)
• Cloud Security Alliance (Software Defined Perimeter framework)
• IETF (XMPP-Grid threat exchange)
• Open Source projects including Open Policy Agent, SPIFFE (open source identity framework), SPIRE (open source toolchain supporting SPIFFE in a variety of environments)
ZTA Standards Gaps
• Lack of a common accepted framework or standard model
• Lack of consistent terms for ZTA design, planning
• Systemic gaps in ZTA
• Lack of procurement guidance
• Lack of open, standardized interfaces between ZTA components (proprietary APIs will inhibit adoption)
Security Forum ZTA Project
• Builds on foundational work done by the Jericho Forum 2005-2014 on de-perimeterization and data-centric security
• Includes some of the key contributors to the Jericho Forum
• Joint project between the Security Forum, Architecture Forum, and the SABSA Institute
• Involvement from IBM, Microsoft, Boeing, NASA, DXC, Raytheon, Woodside Energy, Accenture, and other large IT Customer and Supplier organizations
ZTA Project Planned Deliverables:
• Survey of CISOs on ZTA plans, challenges
• Landscape white paper
• Guiding Principles of Zero Trust whitepaper
• Reference Architecture and Model whitepaper
• Trust algorithm
Where We Can Use Help
» Providing responses to our ZTA surveys (CISO’s, end users, vendors)
» Contributing content for the ZTA Landscape White Paper
» Contributing to the Trust Algorithm project
How to Get Involved
» For end user organizations, vendors, and governments:
– Become members and gain access to all Security Forum projects, including Security Architecture, Zero Trust Architectures, and Risk Management/Open FAIR
– For membership information, contact Chris Parnell at c.parnell@opengroup.org
» For highly qualified/experienced individuals with significant contributions to make:
– Individual contributor role and IP agreement to enable contributions
Why Get Involved
• Learn from ZTA and security thought-leaders
• Acquire knowledge and approaches that you can bring back to your organization and use in your day job
• Tackle common problems in a shared contribution, collaborative environment
• Gain recognition as an author, reviewer, translator or editor of industry best-practices
About The Open Group
(Diagram: Vision, Mission, Platform, Strategy, Programs)
Our Vision: Boundaryless Information Flow™ achieved through global interoperability in a secure, reliable and timely manner
» A global consortium that enables the achievement of business objectives through the development of open, vendor-neutral technology standards and certifications
» With more than 740 member organizations, we have a diverse membership that spans all sectors of the IT community - customers, systems and solutions suppliers, tool vendors, integrators and consultants, as well as academics and researchers
The Open Group
Everything we do is intended to …
» Enable all organizations that use information technology to do things better, faster, and cheaper
» Enable all suppliers of information technology products and services to gain business benefit
» Enable every individual that we meet to develop their skills and capabilities
The Open Group is ...
740+ Member Organizations in 40 Countries
Staff and local partners in 12 Countries
Countries shown: Australia, Belgium, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, India, Ireland, Israel, Italy, Japan, Korea, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Nigeria, Norway, Philippines, Poland, Portugal, Qatar, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, UK, United Arab Emirates, USA, Vietnam
The Open Group Programs
• Enterprise Architecture
• Security: Risk Analysis; Security Architecture; Managing Supply Chain Risk
• Airborne Communications Standards & Certification
• Managing the Business of IT
• Managing the Emerging Platform
• Certification: Products & Processes; Professional Certification; ‘T’ Shaped People
• Open Trusted Technology Forum: Supply chain security
• UNIX: Platform base; Standard evolution; Product certification
• Open Platform 3.0®
• Agile EA
Making Standards Work®
Customer/Vendor needs → Forum or Work Group → Standards process → Certification process → Market adoption
Collaborate with other consortia & standards bodies
Security at The Open Group
• Forums:
• Certifications:
Guide: Integrating Security & Risk in a TOGAF Enterprise Architecture
Created in collaboration with the SABSA Institute
Guide is available in our bookstore now (https://publications.opengroup.org/g152)
Brings needed updates to security and risk thinking in TOGAF & EA.
Summary
• Zero Trust Architecture brings significant benefits to enterprises
• Standards work is still needed, and opportunities exist to get engaged in The Open Group Security Forum’s ZTA work
Más contenido relacionado

(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality

6. Extending De-perimeterization Thinking > Zero Trust Architecture
• New zero-trust security models (e.g. the BeyondCorp security model described by Google)
• Assumes no trust, and assumes no inside/outside of a defined perimeter
• Focus is on identity and access control policy enforcement for all computing devices, on segmenting networks, and on less reliance on perimeter security systems
• Cloud and IoT deployment models make these new trust models and security architectures even more critical

7. ZTA Origins
• 2005-2014: Jericho Forum: de-perimeterization, trust, data-centric security
• 2010: Kindervag (Forrester) coins "Zero Trust"
• 2014: Google releases the BeyondCorp papers
• 2018: Gartner coins "Lean Trust"
8. Foundational Jericho Forum Guidance
Publication: Jericho Forum Commandments V1.2 (W124, 2007)
Key points:
  “5. All devices must be capable of maintaining their security policy on an untrusted network”
  “6. All people, processes and technology must have declared and transparent levels of trust for any transaction to take place”
  “7. Mutual trust assurance levels must be determinable”
  “8. Access to data should be controlled by security attributes of the data itself”
  “Conclusion: De-perimeterization has happened, is happening, and is inevitable, central protection is decreasing in effectiveness”
Publication: Jericho Forum Identity Commandments (W125, 2011)
Key points: Establishes core identity concepts, identity attributes, entitlement management and resource access rules

9. Foundational Jericho Forum Guidance (continued)
Publication: Trust Ecosystem (G141, 2014)
Key points: Broad look at trust in online systems; proposes a trust taxonomy and components

10. Foundational Security Forum Guidance
Publication: The Need for Data Principles (W143, 2014)
Key points: Data-centric security, including data lifecycle and data sensitivity
Publication: Open Enterprise Security Architecture (O-ESA, G112)
Key points: Security architecture principles, including Design for Malice, and policy-driven security architecture with policy management, policy decision points, and policy enforcement points
Publication: Axioms for the Practice of Security Architecture (G192, 2019)
Key points: Describes 20 axioms or principles critical to security architecture, including business risk-driven security, trust, resilience, security by design, least privilege, device sovereignty, context, managing access, and others
12. Google BeyondCorp Components
• Device Inventory Service: a system that continuously collects, processes, and publishes changes about the state of known devices.
• Trust Inferer: a system that continuously analyzes and annotates device state to determine the maximum trust tier for accessing resources.
• Resources: the applications, services, and infrastructure that are subject to access control by the system.
• Access Control Engine: a centralized policy enforcement service that provides authorization decisions in real time.
• Access Policy: a programmatic representation of the resources, trust tiers, and other predicates that must be satisfied for successful authorization.
• Gateways: SSH servers, web proxies, and 802.1x-enabled wireless networks that perform authorization actions.

13. Zero Trust Architecture Defined
• NIST SP 800-207 (draft, September 2019): “Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.”
• Zero Trust Networks (O’Reilly, Gilman & Barth): “a collection of design patterns and considerations which, when heeded, can produce systems that are resilient to the vast majority of modern-day attack vectors. In this model, nothing is taken for granted, and every single access request is rigorously checked and proven to be authorized.”

14. Zero Trust Networks (Gilman & Barth)
• Authorization decisions require:
  • Enforcement
  • Policy engine
  • Trust engine: the system in a zero trust network that performs risk analysis against a particular request or action. This is a new concept/component in security architectures.
  • Data stores: may be inventories (e.g. a user database) or historical (e.g. an audit/accounting database)
15. Two Broad Solution Categories
• External to Internal (North-South: client-to-service, VPN replacement, SDP focus)
• Internal to Internal (East-West: network microsegmentation focus)
• Mapping individual vendors into these solution categories is a challenge

16. Zero Trust Guiding Principles (Microsoft, Zero Trust Maturity Model)
• Verify explicitly: always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
• Use least privileged access: limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection, to protect both data and productivity.
• Assume breach: minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, device, and application awareness. Verify that all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.

17. Tenets of Zero Trust Architecture (draft NIST SP 800-207)
• All data sources and computing services are considered resources.
• All communication is secure regardless of network location.
• Access to individual enterprise resources is granted on a per-connection basis.
• Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes.
• The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible.
• User authentication is dynamic and strictly enforced before access is allowed.
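The component split on slides 12, 14 and 17 (inventory and identity data stores, a trust inferer for device state, a trust engine that scores a request, a policy engine that applies the resource's policy, and an enforcement point that decides per connection) is easier to reason about in code than in bullets. The following is an added example written for this page; it is not code from the slides, from Google's BeyondCorp, from NIST SP 800-207 or from Gilman & Barth. The tier scale, score weights, thresholds, the `Request`/`ResourcePolicy` types, and every device, user and audit record are constructed assumptions; the component roles are labelled with the PEP/PDP/PIP vocabulary the deck uses later.

```python
"""Per-connection access decision with a trust engine.

Added example for this page (not code from the slides, Google's BeyondCorp,
NIST SP 800-207 or Gilman & Barth). The tier scale, score weights, thresholds
and all sample records are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after stronger authentication
    DENY = "deny"


# --- Data stores / policy information points (PIPs): constructed records ----
DEVICE_INVENTORY = {
    "lt-4421": {"managed": True, "disk_encrypted": True, "os_patch_age_days": 3, "edr_healthy": True},
    "byod-17": {"managed": False, "disk_encrypted": True, "os_patch_age_days": 60, "edr_healthy": False},
}
USER_DIRECTORY = {
    "alice": {"groups": {"finance"}, "mfa_enrolled": True},
    "bob": {"groups": {"eng"}, "mfa_enrolled": True},
}
# Historical store: (user, country) of recent successful sessions; feeds an anomaly signal.
AUDIT_LOG = [("alice", "IN"), ("alice", "IN"), ("bob", "IN")]


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    country: str
    auth_method: str        # "password" or "mfa"
    session_mtls: bool = True


@dataclass
class ResourcePolicy:
    required_groups: set    # empty set = any authenticated user
    min_trust: int          # assumed 0..100 scale
    step_up_band: int       # scores in [min_trust - band, min_trust) may step up


RESOURCE_POLICIES = {
    "payroll-api": ResourcePolicy({"finance"}, min_trust=70, step_up_band=20),
    "wiki": ResourcePolicy(set(), min_trust=40, step_up_band=10),
}


def device_trust_tier(dev: dict) -> int:
    """Trust inferer (BeyondCorp-style): device state -> tier 0..3 (assumed scale)."""
    if not dev["managed"] or not dev["disk_encrypted"]:
        return 0
    if dev["os_patch_age_days"] > 30 or not dev["edr_healthy"]:
        return 1
    return 3 if dev["os_patch_age_days"] <= 7 else 2


def trust_score(req: Request) -> int:
    """Trust engine: device tier, authentication strength and a location anomaly -> 0..100."""
    score = 0
    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is not None:                                 # an unknown device contributes nothing
        score += 15 * device_trust_tier(dev)            # up to 45 from device posture
    score += 35 if req.auth_method == "mfa" else 15     # authentication strength
    seen = {c for u, c in AUDIT_LOG if u == req.user}
    score += 20 if req.country in seen else 0           # an unseen location earns no credit
    return score


def decide(req: Request) -> Decision:
    """Policy engine / policy decision point (PDP): hard predicates first, then the risk threshold."""
    policy = RESOURCE_POLICIES.get(req.resource)
    user = USER_DIRECTORY.get(req.user)
    if policy is None or user is None or not req.session_mtls:
        return Decision.DENY                            # unknown resource/user, or channel not secured
    if policy.required_groups and not (policy.required_groups & user["groups"]):
        return Decision.DENY                            # least privilege: no entitlement, no score helps
    score = trust_score(req)
    if score >= policy.min_trust:
        return Decision.ALLOW
    if (score >= policy.min_trust - policy.step_up_band
            and user["mfa_enrolled"] and req.auth_method != "mfa"):
        return Decision.STEP_UP                         # near the bar: ask for MFA instead of denying
    return Decision.DENY


def enforce(req: Request) -> str:
    """Policy enforcement point (PEP): evaluated on every connection, never reusing an earlier ALLOW."""
    return f"{decide(req).value}: {req.user}@{req.device_id} -> {req.resource}"


if __name__ == "__main__":
    for r in (
        Request("alice", "lt-4421", "payroll-api", "IN", "mfa"),        # allow
        Request("alice", "lt-4421", "payroll-api", "US", "password"),   # step-up: new country, weak auth
        Request("alice", "byod-17", "payroll-api", "IN", "password"),   # deny: unmanaged device
        Request("bob", "lt-4421", "payroll-api", "IN", "mfa"),          # deny: not entitled
        Request("bob", "byod-17", "wiki", "IN", "mfa"),                 # allow: low-sensitivity resource
    ):
        print(enforce(r))
```

The ordering inside `decide` is the point: entitlement and a secured channel are hard predicates that no score can override, and the score only chooses between allow, step-up and deny above that floor. Because the decision is made on every connection rather than once per session, a device that falls out of patch compliance or a user appearing from an unseen location changes the outcome on the next request, which is what the per-connection tenet on slide 17 asks for.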
18. How ZTA Improves Security
• General improvements offered by ZTA:
  • Granular perimeters limit lateral movement within networks, and with it the threat vectors that depend on lateral movement
  • Assuming that networks are untrusted and that threats exist at all times necessitates more robust controls
  • ZTA improves employee experience by enabling mobile and cloud use
  • Using data (risk, threats, security posture and identity) to drive security decision-making enhances security

19. ZTA Vendor Marketing
• ZTA is at risk of being diluted as a viable security architecture by vendors claiming to provide zero trust capabilities
• At a guess, there are now 50+ vendors from both of the solution categories claiming to provide zero trust
• This isn’t helpful to end users, particularly when vendors have a dubious claim to actually delivering zero trust capabilities…

20. Security Technical Debt & ZTA
• Requires significant upfront investment
• After reducing security technical debt through that upfront investment, ZTA should help keep security technical debt lower going forward

21. Practical Challenges
• There isn’t a standard definition of what ZTA is
• Without an accepted standard definition, vendors are using and abusing the term in the market
• Many organizations have bought in to network-based security controls at the expense of planned security architecture; ZTA requires a mindset and approach change
• Zero Trust policy is not standardized (no standard exists for how to express policies, hence all are custom)
• General lack of standards for ZTA solution components (making them interoperable, and making policies portable/reusable)
• Fully realized, ZTA will require significant upfront investment

22. Adoption
[Chart: Cybersecurity Insiders 2020 Zero Trust Progress Report survey, reprinted with permission; the figure is not reproduced in the transcript]
23. ZTA Potential Benefits
• Make security architectures less “brittle”
• Reduce entropy of a security architecture
• Minimize security technical debt over time
• Minimize lateral movement within networks by attackers
• Better model to address the changes in threats seen over the past 10 years, as well as those in the future

24. ZTA Outside of Enterprise IT
• Zero trust is useful (essential) outside of enterprise IT (connected vehicles, IIoT and OT environments)
• A new standards initiative, The Open Group OSDU platform for oil and gas, is embracing zero trust (perimeters aren’t effective, identities are everything to security)

25. ZTA Standards Opportunities
• Create standard frameworks, models and ZTA guidance to bring clarity to what is/isn’t Zero Trust Architecture, and how to architect for ZTA
• Enable a rich set of attributes that may be used in trust decisions
• Coalesce early standards interest and efforts to facilitate an ecosystem of open and compatible zero trust components
• Zero trust algorithm
• Open source components (PEP, PIP, PDP, PAP: policy enforcement, information, decision and administration points) and reference implementations

26. ZTA Standards Landscape
• NIST Zero Trust Architecture (SP 800-207 draft), provides a high-level architectural overview
• Cloud Security Alliance (Software Defined Perimeter framework)
• IETF (XMPP-Grid threat exchange)
• Open source projects including Open Policy Agent, SPIFFE (open source identity framework) and SPIRE (open source toolchain supporting SPIFFE in a variety of environments)
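Slide 15's internal-to-internal (east-west) category and slide 26's mention of SPIFFE/SPIRE meet at the identity-to-policy step: once a workload has presented a SPIFFE ID over mTLS, something still has to decide whether this caller may talk to this callee, and the "all communication is secure regardless of network location" tenet gives that decision nothing to fall back on from IP addresses or VLANs. The following is an added example written for this page, not code from the slides, from the SPIFFE/SPIRE projects or from any vendor. It parses SPIFFE IDs strictly (syntax rules summarised from the public SPIFFE ID specification; treat the summary as an assumption and check the spec for edge cases) and evaluates a constructed, default-deny flow allow-list. The trust domain `example.org`, the `/ns/.../sa/...` paths, the single-segment `*` wildcard convention and the `is_flow_allowed` name are all assumptions; certificate validation is assumed to have happened upstream.

```python
"""East-west authorization keyed on SPIFFE workload identities.

Added example for this page, not code from the slides, the SPIFFE/SPIRE
projects or any vendor. SPIFFE ID syntax rules are summarised from the
public SPIFFE ID specification (an assumption here); trust domain, paths
and allow-list are constructed. mTLS certificate validation is assumed to
have already happened before these IDs are consulted.
"""
import re
from dataclasses import dataclass

SPIFFE_MAX_BYTES = 2048
TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")      # lowercase only, no percent-encoding
PATH_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str                 # "" for the trust domain identity, otherwise "/a/b"


def parse_spiffe_id(value: str) -> SpiffeId:
    """Parse spiffe://<trust-domain>[/<path>] and reject anything outside the syntax."""
    if len(value.encode("utf-8")) > SPIFFE_MAX_BYTES:
        raise ValueError("SPIFFE ID exceeds maximum length")
    if not value.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    rest = value[len("spiffe://"):]
    if any(c in rest for c in "?#@:"):                  # no query, fragment, userinfo or port
        raise ValueError("query, fragment, userinfo and port are not allowed")
    trust_domain, slash, path = rest.partition("/")
    if not TRUST_DOMAIN_RE.fullmatch(trust_domain):     # also rejects an empty trust domain
        raise ValueError("invalid trust domain")
    if not slash:
        return SpiffeId(trust_domain, "")
    if path == "":
        raise ValueError("trailing slash is not allowed")
    for segment in path.split("/"):
        if segment in ("", ".", ".."):                  # no empty or relative segments
            raise ValueError("empty or relative path segment")
        if not PATH_SEGMENT_RE.fullmatch(segment):
            raise ValueError(f"disallowed character in path segment {segment!r}")
    return SpiffeId(trust_domain, "/" + path)


def is_valid_spiffe_id(value: str) -> bool:
    """Boolean wrapper around parse_spiffe_id for callers that only need accept/reject."""
    try:
        parse_spiffe_id(value)
        return True
    except ValueError:
        return False


# Constructed microsegmentation allow-list for one trust domain:
# (source path pattern, destination path pattern). "*" matches exactly one segment.
TRUST_DOMAIN = "example.org"
ALLOWED_FLOWS = [
    ("/ns/shop/sa/web", "/ns/shop/sa/cart"),
    ("/ns/shop/sa/cart", "/ns/shop/sa/db"),
    ("/ns/ops/sa/*", "/ns/shop/sa/db"),          # any ops service account may reach the db
]


def _path_matches(pattern: str, path: str) -> bool:
    """Segment-wise comparison; "*" is a single-segment wildcard (assumed convention)."""
    p_segs, segs = pattern.split("/"), path.split("/")
    return len(p_segs) == len(segs) and all(p == "*" or p == s for p, s in zip(p_segs, segs))


def is_flow_allowed(source_id: str, destination_id: str) -> bool:
    """Default-deny check for one east-west call; malformed IDs never match a rule."""
    try:
        src, dst = parse_spiffe_id(source_id), parse_spiffe_id(destination_id)
    except ValueError:
        return False
    if src.trust_domain != TRUST_DOMAIN or dst.trust_domain != TRUST_DOMAIN:
        return False                                  # foreign trust domains get no implicit trust
    if not src.path or not dst.path:
        return False                                  # a bare trust-domain ID names no workload
    return any(_path_matches(sp, src.path) and _path_matches(dp, dst.path)
               for sp, dp in ALLOWED_FLOWS)


if __name__ == "__main__":
    web, cart, db = (f"spiffe://{TRUST_DOMAIN}/ns/shop/sa/{w}" for w in ("web", "cart", "db"))
    print("web -> cart:", is_flow_allowed(web, cart))
    print("web -> db:  ", is_flow_allowed(web, db))      # no direct path in the allow-list
    print("ops -> db:  ", is_flow_allowed(f"spiffe://{TRUST_DOMAIN}/ns/ops/sa/backup", db))
```

Two design choices carry the zero trust point. Parsing is strict before any policy lookup, so an ID with a `..` segment, an uppercase trust domain or a smuggled port can never be coerced into matching a rule; and the policy is expressed in workload identities, not addresses, so it stays valid when the caller moves between hosts, clusters or clouds, which is exactly the portability gap slide 21 complains about for vendor-specific policy formats.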
27. ZTA Standards Gaps
• Lack of a common accepted framework or standard model
• Lack of consistent terms for ZTA design and planning
• Systemic gaps in ZTA
• Lack of procurement guidance
• Lack of open, standardized interfaces between ZTA components (proprietary APIs will inhibit adoption)

28. Security Forum ZTA Project
• Builds on foundational work done by the Jericho Forum 2005-2014 on de-perimeterization and data-centric security
• Includes some of the key contributors to the Jericho Forum
• Joint project between the Security Forum, Architecture Forum, and the SABSA Institute
• Involvement from IBM, Microsoft, Boeing, NASA, DXC, Raytheon, Woodside Energy, Accenture, and other large IT customer and supplier organizations

29. ZTA Project Planned Deliverables
• Survey of CISOs on ZTA plans and challenges
• Landscape white paper
• Guiding Principles of Zero Trust white paper
• Reference Architecture and Model white paper
• Trust algorithm

30. Where We Can Use Help
» Providing responses to our ZTA surveys (CISOs, end users, vendors)
» Contributing content for the ZTA Landscape White Paper
» Contributing to the Trust Algorithm project

31. How to Get Involved
» For end user organizations, vendors, and governments:
  – Become members and gain access to all Security Forum projects, including Security Architecture, Zero Trust Architectures, and Risk Management/Open FAIR
  – For membership information, contact Chris Parnell at c.parnell@opengroup.org
» For highly qualified/experienced individuals with significant contributions to make:
  – Individual contributor role and IP agreement to enable contributions

32. Why Get Involved
• Learn from ZTA and security thought leaders
• Acquire knowledge and approaches that you can bring back to your organization and use in your day job
• Tackle common problems in a shared-contribution, collaborative environment
• Gain recognition as an author, reviewer, translator or editor of industry best practices
33. About The Open Group
[Figure: Vision, Mission, Strategy, Platform, Programs; not reproduced in the transcript]
Our Vision: Boundaryless Information Flow™ achieved through global interoperability in a secure, reliable and timely manner
» A global consortium that enables the achievement of business objectives through the development of open, vendor-neutral technology standards and certifications
» More than 740 member organizations: a diverse membership that spans all sectors of the IT community (customers, systems and solutions suppliers, tool vendors, integrators and consultants, as well as academics and researchers)

34. The Open Group
Everything we do is intended to:
» Enable all organizations that use information technology to do things better, faster, and cheaper
» Enable all suppliers of information technology products and services to gain business benefit
» Enable every individual that we meet to develop their skills and capabilities

35. The Open Group is ...
740+ member organizations in 40 countries; staff and local partners in 12 countries.
Australia, Belgium, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, India, Ireland, Israel, Italy, Japan, Korea, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Nigeria, Norway, Philippines, Poland, Portugal, Qatar, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, UK, United Arab Emirates, USA, Vietnam

36. The Open Group Programs
• Enterprise Architecture; Agile EA
• Security: Risk Analysis, Security Architecture
• Managing Supply Chain Risk: Open Trusted Technology Forum, supply chain security
• Airborne Communications Standards & Certification
• Managing the Business of IT
• Managing the Emerging Platform: Open Platform 3.0®
• Certification: Products & Processes; Professional Certification (‘T’-shaped people)
• UNIX: platform base standard evolution, product certification

37. Making Standards Work®
Customer/vendor needs → Forum or Work Group → Standards process → Certification process → Market adoption, collaborating with other consortia and standards bodies throughout

38. Security at The Open Group
[Figure listing Forums and Certifications; not reproduced in the transcript]

39. Guide: Integrating Security & Risk in a TOGAF Enterprise Architecture
• Created in collaboration with the SABSA Institute
• The guide is available in our bookstore now (https://publications.opengroup.org/g152)
• Brings needed updates to security and risk thinking in TOGAF and EA

40. Summary
• Zero Trust Architecture brings significant benefits to enterprises
• Standards work is still needed, and opportunities exist to get engaged in The Open Group Security Forum’s ZTA work