Zero Trust and Reference Architecture – A definition and attributes

So, I have been doing more in-depth reading on Zero Trust Architecture (ZTA).

Side note – I will share my reading list in a future post.

As I read the Department of Defense’s Zero Trust Reference Architecture, Version 1.0 (February 2021) document, I came across a solid definition of reference architecture:

Reference Architecture is an authoritative source of information about a specific subject area that guides and constrains the instantiations of multiple architectures and solutions.

This may seem simple, but I bet there is a joke that starts with: two architects walk into a bar to define “reference architecture” and… well, you get the idea.

Below is an excerpt from the scope section of the same document referenced above. I highlighted some key words that can be used to extrapolate other important attributes of a reference architecture.

The content was built to align with the DOD Information Enterprise Architecture (IEA) for consistent mapping of terminology and ease of use as an implementation reference. The scope of the DOD Zero Trust Architecture (ZTA) effort is specifically to determine capabilities and integrations that can be used to successfully advance the Department of Defense Information Network (DODIN) into an interoperable Zero Trust end state. The architecture focused on data-centric design, while maintaining loose coupling across services to maximize interoperability. Other initiatives (e.g. ICAM, Public Key Infrastructure (PKI), etc.) to protect the DODIN are not the subject of this reference architecture but may be shown in some cases to provide additional context for ZTA alignment with DOD IEAs. This Reference Architecture describes Enterprise standards and capabilities. Single products/suites can be adopted to address multiple capabilities. Integrated vendor suites of products rather than individual best of breed components will assist in reducing cost and risk to the government. This document will evolve as requirements, technology, and best practices evolve and mature. Zero Trust promotes individual journey to a collaborative goal of continuous Zero Trust enhancements, while also incorporating best practices, tools, and methodologies of industry.

So, other important attributes of a reference architecture include:

  1. Aligns with a larger and single Enterprise Architecture
  2. Uses consistent language and layout for ease of use and orientation by customers
  3. Defined scope
  4. Outlines what is not in scope
  5. Describes standards and capabilities
  6. Evolves and is updated as requirements, technology and best practices change, mature or evolve

Responding to Confrontation – The duck or diaper response

Source: http://www.davidbowmanart.com

How do you respond to someone who has been unkind, insulting, offensive and/or confrontational to you, deliberately or accidentally, with or without their knowledge? This question arose during a family discussion after watching an episode of the “Draw In” videos (http://www.davidbowmanart.com).

Think of an unkind action or confrontation as water. Are you unkind, unforgiving, offended, grudgeful, feeling victimized, bothered, and/or angry in return? If you are, these responses will continue to slow you down like a wet, full, and saggy diaper. You will continue to fill up your diaper with negative energy and see the world with a negative attitude. I think that a lot of us, including myself, often respond to anger or confrontation with the same emotions. It is human nature. This can occur in various settings, like work, school, online, via a text message or with family members, but especially in political situations. How much better would we all be if we responded with empathy, understanding, grace, and forgiveness? What if we let unkindness “roll off our backs” like a duck does with water?

Now, I know that letting unkindness roll off our backs seems impossible, especially in the heat of the moment and when someone has truly hurt you. I encourage you to try by gaining an understanding and perspective of the person who was unkind to you.

Quote of the day – 5/17/2021

…we should always keep top of mind when we’re neck-deep in cyber threat intelligence, control libraries and vendor technology presentations is simply this:

“How does the decision I’m about to make help my security customers accomplish what they’re trying to do?” Followed closely by the corollary: “How are they really going to recognize that what I’m doing is helping them rather than just getting in their way?” ~ Andrew S. Townley

Quote of the day – 3/30/2021

One of the biggest barriers to security automation isn’t the technology but rather figuring out where to start. Getting to a starting point requires prioritizing the processes that cause the most bottlenecks to security service delivery.

Here, I would recommend CISOs look at value-stream mapping. Value-stream mapping is a visual exercise that helps align workflows to business outcomes and identifies issues related to performance and quality.

From there, you’ll want to explore which technology solutions have integrations built in and which will need custom programming. Invest in solutions that work well together. Then, fill in any automation gaps with strategic programming. ~ Kent Noyes

Quote of the day – 3/24/2021

The primary purpose of creating an enterprise security architecture is to ensure that business strategy and IT security are aligned. As such, enterprise security architecture allows traceability from the business strategy down to the underlying technology. However, many IT organizations have moved away from formal security architecture governance in favor of rapid deployment cycles and tactical changes which over time risk diverging into complexity and fragmentation – with unresolved security exceptions. Complexity not only leads to insecurity and the increasing potential for human error but also increased cost of operations. (Nige the Security Guy, https://nigesecurityguy.wordpress.com/tag/security-architecture/)