- From: Adrian Gropper <agropper@healthurl.com>
- Date: Fri, 14 May 2021 15:42:25 -0400
- To: Steven Rowat <steven_rowat@sunshine.net>
- Cc: W3C Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CANYRo8hx5rk4tnMoT0ajOY+089P7G5SCN-z8LMDSO6vcogpexg@mail.gmail.com>
https://csrc.nist.gov/publications/detail/sp/800-207/final

On Fri, May 14, 2021 at 3:37 PM Steven Rowat <steven_rowat@sunshine.net> wrote:

> On 2021-05-14 5:42 am, Adrian Gropper wrote:
> > Please read Section 3 in the EO link at
> > https://comms.wiley.law/e/knewjcfglctwt7w/a7406307-5755-44fa-a5c5-22dd04d9e9a7
> >
> > It may be time for us to explain Zero-Trust Architecture relationship to
> > VCs and DIDs. ...
>
> Interesting. EO = Executive Order (of the US President).
>
> And "Zero Trust Architecture" is defined in that EO in section 10 (k),
> which reads:
>
> "
> (k) the term "Zero Trust Architecture" means a security model, a set of
> system design principles, and a coordinated cybersecurity and system
> management strategy based on an acknowledgement that threats exist both
> inside and outside traditional network boundaries. The Zero Trust security
> model eliminates implicit trust in any one element, node, or service and
> instead requires continuous verification of the operational picture via
> real-time information from multiple sources to determine access and other
> system responses. In essence, a Zero Trust Architecture allows users full
> access but only to the bare minimum they need to perform their jobs. If a
> device is compromised, zero trust can ensure that the damage is contained.
> The Zero Trust Architecture security model assumes that a breach is
> inevitable or has likely already occurred, so it constantly limits access
> to only what is needed and looks for anomalous or malicious activity. Zero
> Trust Architecture embeds comprehensive security monitoring; granular
> risk-based access controls; and system security automation in a coordinated
> manner throughout all aspects of the infrastructure in order to focus on
> protecting data in real-time within a dynamic threat environment. This
> data-centric security model allows the concept of least-privileged access
> to be applied for every access decision, where the answers to the questions
> of who, what, when, where, and how are critical for appropriately allowing
> or denying access to resources based on the combination of sever." [*].
>
> [*That last word in section (k), "sever", must be an error as published.
> Perhaps it's intended to be "servers"? Not sure. Or perhaps "sever[al...]
> and there were other words cut off.]
>
>
> Steven Rowat
Received on Friday, 14 May 2021 19:42:49 UTC
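As an added illustration of the definition quoted above (example code written for this page; it is not part of the thread, of the Executive Order, or of NIST SP 800-207): a minimal policy decision point that evaluates one request against the who, what, when, where and how signals plus device posture, and denies by default. The resource names, roles, CIDR blocks, time window and device inventory are constructed assumptions, not any real deployment.

```python
# Added example: a default-deny policy decision point that checks
# who / what / when / where / how and device posture on every request.
# All policy, device and request data below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: str                 # who: the authenticated caller
    roles: Tuple[str, ...]       # who: entitlements asserted for the caller
    resource: str                # what: the data or service requested
    action: str                  # how: the operation on that resource
    when: datetime               # when: request time (UTC)
    source_ip: str               # where: network location of the caller
    device_id: str               # where/how: the endpoint making the call
    mfa_verified: bool           # how: strength of the authentication


@dataclass(frozen=True)
class DevicePosture:
    managed: bool                # enrolled in device management
    compromised: bool = False    # flagged by endpoint monitoring


@dataclass(frozen=True)
class Rule:
    resource: str
    actions: Tuple[str, ...]
    roles: Tuple[str, ...]
    networks: Tuple[str, ...]    # CIDR blocks the request may come from
    hours_utc: Tuple[int, int]   # [start, end) hour window in UTC
    require_mfa: bool = True


def decide(req: AccessRequest,
           devices: Dict[str, DevicePosture],
           policy: List[Rule]) -> Tuple[str, List[str]]:
    """Evaluate one request. The default is deny; every signal must pass."""
    reasons: List[str] = []

    # Device posture first: a compromised or unknown endpoint gets nothing,
    # whatever the user's entitlements are (containment of the breach).
    posture = devices.get(req.device_id)
    if posture is None or not posture.managed:
        return "deny", [f"device {req.device_id} is unknown or unmanaged"]
    if posture.compromised:
        return "deny", [f"device {req.device_id} is flagged compromised"]

    # Least privilege: only rules naming this exact resource and action apply.
    candidates = [r for r in policy
                  if r.resource == req.resource and req.action in r.actions]
    if not candidates:
        return "deny", [f"no rule grants {req.action} on {req.resource}"]

    src = ip_address(req.source_ip)
    hour = req.when.astimezone(timezone.utc).hour
    for rule in candidates:
        if not set(rule.roles) & set(req.roles):
            reasons.append(f"roles {req.roles} not in {rule.roles}")
            continue
        if not any(src in ip_network(n) for n in rule.networks):
            reasons.append(f"{req.source_ip} outside {rule.networks}")
            continue
        start, end = rule.hours_utc
        if not start <= hour < end:
            reasons.append(f"hour {hour} outside window {rule.hours_utc}")
            continue
        if rule.require_mfa and not req.mfa_verified:
            reasons.append("MFA required but not verified")
            continue
        return "allow", [f"matched rule for {rule.resource}:{req.action}"]

    return "deny", reasons


# Constructed sample policy and device inventory (hypothetical).
POLICY = [
    Rule(resource="patient-records", actions=("read",), roles=("clinician",),
         networks=("10.0.0.0/8",), hours_utc=(6, 20)),
    Rule(resource="patient-records", actions=("read", "write"),
         roles=("records-admin",), networks=("10.0.0.0/8",), hours_utc=(0, 24)),
]
DEVICES = {
    "laptop-01": DevicePosture(managed=True),
    "laptop-02": DevicePosture(managed=True, compromised=True),
}


def sample_request(**overrides) -> AccessRequest:
    """A baseline request that should be allowed; overrides produce variants."""
    base = dict(subject="dr.lee", roles=("clinician",), resource="patient-records",
                action="read", when=datetime(2021, 5, 14, 15, 0, tzinfo=timezone.utc),
                source_ip="10.1.2.3", device_id="laptop-01", mfa_verified=True)
    base.update(overrides)
    return AccessRequest(**base)


def run_samples() -> Dict[str, str]:
    """Decisions for the baseline and for one failing signal at a time."""
    cases = {
        "baseline": sample_request(),
        "compromised device": sample_request(device_id="laptop-02"),
        "after hours": sample_request(when=datetime(2021, 5, 14, 23, 0, tzinfo=timezone.utc)),
        "write without admin role": sample_request(action="write"),
        "off-network": sample_request(source_ip="203.0.113.9"),
        "no mfa": sample_request(mfa_verified=False),
    }
    return {label: decide(req, DEVICES, POLICY)[0] for label, req in cases.items()}


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label:25s} -> {outcome}")
```

The point the example makes about the quoted definition is that the decision is recomputed per request from current signals (device state, time, network, authentication strength) rather than granted once at a network boundary, and that a compromised device is refused before any entitlement is considered.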