Re: Zero Trust Architecture in the White House Executive Order on Cybersecurity

The Biden EO is quite interesting with ZTA.

Been nerding out on it for days.

Where I keep pushing DIDs/VCs (Jim, guessing you will understand given the DHS
and NIST reference) is in the SRPS scores companies must upload while not
wanting to share SSPs while their prime contractors demand they do.

For everyone else, currently anyone doing business with the DoD rates themselves
on NIST SP 800-171 using the 171A methodology.

In terms of the EO I can see DIDs/VCs being used to reduce the fear on ATO
and threat/vulnerability reporting.

Badges, more aligned to OBI specs, are all over the place. The self-attestation
I spoke of will come to an end by 2026 in the US and be replaced with a
third-party program called CMMC, Cybersecurity Maturity Model Certification.

Currently a badge is a “png” or “pdf” but I am working on community. They
did just announce moving to “smart” badges.

If folks are interested, NIST put out a call for papers for a June
conference on the SMoB stuff. Gonna be a fun two days. Someone should put
in a paper on DID/VC.

On Fri, May 14, 2021 at 4:20 PM Jim St.Clair <jim.stclair@lumedic.io> wrote:

> Adrian/Steven, thank you! We are VERY CLOSE to considering the
> interrelationships of DIDs/VCs and ZTA/Sp 800-207.
> This was a topic broached just today in The Advanced Technology Academic
> Research Center (ATARC) IdM working group which also has a ZTA WG.
> I’ve also been wanting to reach out to Anil to see if this was an area of
> interest for DHS S&T to consider.
> I think I have three or four resources who expressed interest in the idea
> and collaboration.
>
> Best regards,
>
> Jim
>
>
> *Jim St.Clair *
>
> Chief Trust Officer
>
> jim.stclair@lumedic.io | 228-273-4893
>
> *Let’s meet to discuss patient identity exchange*:
> https://calendly.com/jim-stclair-1
>
> ------------------------------
> *From:* Adrian Gropper <agropper@healthurl.com>
> *Sent:* Friday, May 14, 2021 2:42:25 PM
> *To:* Steven Rowat <steven_rowat@sunshine.net>
> *Cc:* W3C Credentials Community Group <public-credentials@w3.org>
> *Subject:* Re: Zero Trust Architecture in the White House Executive Order
> on Cybersecurity
>
>
> https://csrc.nist.gov/publications/detail/sp/800-207/final
>
> On Fri, May 14, 2021 at 3:37 PM Steven Rowat <steven_rowat@sunshine.net>
> wrote:
>
> On 2021-05-14 5:42 am, Adrian Gropper wrote:
>
> Please read Section 3 in the EO link at
> https://comms.wiley.law/e/knewjcfglctwt7w/a7406307-5755-44fa-a5c5-22dd04d9e9a7
>
>
> It may be time for us to explain Zero-Trust Architecture relationship to
> VCs and DIDs. ...
>
> Interesting. EO = Executive Order (of the US President).
>
> And "Zero Trust Architecture" is defined in that EO in section 10 (k),
> which reads:
>
> "
>  (k)  the term “Zero Trust Architecture” means a security model, a set of
> system design principles, and a coordinated cybersecurity and system
> management strategy based on an acknowledgement that threats exist both
> inside and outside traditional network boundaries.  The Zero Trust security
> model eliminates implicit trust in any one element, node, or service and
> instead requires continuous verification of the operational picture via
> real-time information from multiple sources to determine access and other
> system responses.  In essence, a Zero Trust Architecture allows users full
> access but only to the bare minimum they need to perform their jobs.  If a
> device is compromised, zero trust can ensure that the damage is contained.
> The Zero Trust Architecture security model assumes that a breach is
> inevitable or has likely already occurred, so it constantly limits access
> to only what is needed and looks for anomalous or malicious activity.  Zero
> Trust Architecture embeds comprehensive security monitoring; granular
> risk-based access controls; and system security automation in a coordinated
> manner throughout all aspects of the infrastructure in order to focus on
> protecting data in real-time within a dynamic threat environment.  This
> data-centric security model allows the concept of least-privileged access
> to be applied for every access decision, where the answers to the questions
> of who, what, when, where, and how are critical for appropriately allowing
> or denying access to resources based on the combination of sever." [*].
>
> [*That last word in section (k), "sever", must be an error as published.
> Perhaps it's intended to be "servers"? Not sure. Or perhaps "sever[al...]
> and there were other words cut off.]
>
>
> Steven Rowat
>
--
J. Gregory McVerry, PhD
Assistant Professor
Southern Connecticut State University
twitter: jgmac1106

Received on Saturday, 15 May 2021 01:54:27 UTC