Re: Are we doing enough to align our work with Zero Trust Architecture? from Manu Sporny on 2021-01-03 (public-did-wg@w3.org from January 2021)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 3 Jan 2021 17:45:08 -0500
To: Adrian Gropper <agropper@healthurl.com>, W3C DID Working Group <public-did-wg@w3.org>
Message-ID: <48c80586-f927-1df2-2d5c-054f4fd49cda@digitalbazaar.com>

On 1/2/21 6:34 PM, Adrian Gropper wrote:
> Please read 
> https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html
>
>
> What would be a good way for our SSI communities to advance zero 
> trust architecture through more effective accountability and audit?

Hmm, I think Dmitri and Daniel thought you were addressing the DIF
Confidential Storage WG when you were, instead, addressing the DID WG?

Let me start by pointing out that the SolarWinds attack was a supply
chain attack and it is highly unlikely that what I'm going to say below
would have prevented that. Sure, if everything was perfectly executed
then maybe... but we shouldn't be so naive to think that reality comes
close to good security practices (SolarWinds) or that breaches of
security lead to lasting bad outcomes for the negligent (Equifax).

The core of the question is probably, could Zero Trust Architecture have
helped prevent the SolarWinds attack? The answer is probably no, because
it happened due to negligence around security rather than a failure of
good security practices.

Could DIDs and VCs help with systems architected with Zero Trust in
mind? Yeah, probably:

1) You could use VCs to prove that you should have certain levels of
   access to certain systems. Checking this could happen automatically,
   but while ensuring that you're "live" and not some bot.

2) Logs could be kept of which VCs were used when to receive the
   authority to do something.

3) ZCAPs could be used to provide fine-grained access to very specific
   resources, even behind the firewall, within an organizations systems.

DIDs could power much of this... but shouldn't promise any of it. The
closest we could probably get to what you're asking, Adrian, is to align
the Zero Trust Architecture principles to how DIDs and VCs can help --
primarily around: identity verification (VCs), login authentication
(DIDs), least-privilege access (ZCAPs, Confidential Storage), and HTTP
API access authorization (ZCAPs).

You'll note that the above will only help you with about 30% of what
ZTEs are about... the rest will cost you and arm and a leg (consultants
or hiring qualified security people to implement real security
processes, audits, and procedures). Don't know if we can help much
there. That said, it wouldn't hurt to take a stab at how we might help
with the items above.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Sunday, 3 January 2021 22:45:25 UTC