Re: Zero Trust Architecture in the White House Executive Order on Cybersecurity

On 2021-05-14 5:42 am, Adrian Gropper wrote:
> Please read Section 3 in the EO link at https://comms.wiley.law/e/knewjcfglctwt7w/a7406307-5755-44fa-a5c5-22dd04d9e9a7
>
> It may be time for us to explain Zero-Trust Architecture relationship to VCs and DIDs. ...
>
Interesting.  EO = Executive Order (of the US President).

And "Zero Trust Architecture" is defined in that EO in section 10 (k), which reads:

"
  (k)  the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.  The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.  In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs.  If a device is compromised, zero trust can ensure that the damage is contained.  The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.  Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment.  This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever."[*].

[*That last word in section (k), "sever", must be an error as published. Perhaps it's intended to be "servers"? Not sure. Or perhaps "sever[al...]" and there were other words cut off.]


Steven Rowat

Received on Friday, 14 May 2021 19:37:29 UTC