Software Supply Chain Implications for Zero Trust

Webinar - Zero Trust

Zero Trust (ZT) has been a source of both hope and confusion for many organizations looking to improve and modernize their security program.

It is not a new concept, but President Biden’s 2021 Executive Order has recently highlighted it. The order cites Zero Trust, Software Supply Chains, and SBOM as critical pieces toward better securing American institutions and people against cyber attacks.

There is wide agreement that ZT concepts lead in a positive direction toward better security. Implementing them, however, requires fundamental changes and raises practical questions: How does it really work? How do I apply it? What are its implications?

In this webinar, Jerry Hoff and Julius Musseau break down Zero Trust's fundamental concepts and resources, and look at Zero Trust's implications for applications, SBOM and software supply chains.


Webinar Highlights

Concept

Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.

Definition

ZT provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege, per-request access decisions in information systems and services, in the face of a network that is viewed as compromised.

Zero trust architecture (ZTA) is an enterprise's cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. A ZT enterprise is then the network infrastructure (physical and virtual) and the operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

Strong Identity, Authorization & Data

Figure: Core Zero Trust Logical Components (Source: NIST)

Which effectively means:

  • Strong authentication / identity is paramount
  • Identity-based access control for all connections
  • Encryption on all connections
  • Consistent application of security rules across:
  • Cloud and on-prem workloads
  • Remote and on-prem workers
  • Device control / inspection
  • Deliberate access granting / strong governance
  • Enriched monitoring
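As an added illustration (not part of the webinar or of the NIST material), the following Python sketch of a per-request policy decision point applies the points above: identity plus MFA, device posture, an explicit least-privilege grant, and an audit record for every decision, while the request's network address is deliberately never consulted. All class names, fields and sample users, devices and resources are assumptions made for this example.

```python
from dataclasses import dataclass

# Hypothetical data model for a per-request policy decision point (PDP); all
# names, fields and sample values are assumptions made for this illustration.
@dataclass
class Subject:
    user: str
    mfa: bool          # strong authentication: MFA satisfied for this session
    roles: frozenset

@dataclass
class Device:
    device_id: str
    managed: bool      # device control: enrolled in management
    patched: bool      # device inspection: posture check passed

# Deliberate access granting: explicit (role, resource, action) tuples.
# Anything not listed is denied: least privilege, decided per request.
GRANTS = {("payroll-admin", "payroll-db", "read"),
          ("payroll-admin", "payroll-db", "write"),
          ("dev", "build-server", "read")}
AUDIT = []  # enriched monitoring: every decision, allow or deny, is recorded

def decide(subj: Subject, dev: Device, resource: str, action: str, source_ip: str) -> bool:
    """The network is treated as compromised, so source_ip is only logged, never
    used; identity, device posture and an explicit grant decide the request."""
    reasons = []
    if not subj.mfa:
        reasons.append("mfa-required")
    if not (dev.managed and dev.patched):
        reasons.append("device-noncompliant")
    if not any((r, resource, action) in GRANTS for r in subj.roles):
        reasons.append("no-explicit-grant")
    allowed = not reasons
    AUDIT.append({"user": subj.user, "device": dev.device_id, "resource": resource,
                  "action": action, "src": source_ip, "reasons": reasons,
                  "decision": "allow" if allowed else "deny"})
    return allowed

def demo() -> tuple:
    alice = Subject("alice", mfa=True, roles=frozenset({"payroll-admin"}))
    laptop = Device("lt-001", managed=True, patched=True)
    byod = Device("phone-9", managed=False, patched=True)
    a = decide(alice, laptop, "payroll-db", "read", "203.0.113.7")  # external, compliant, granted
    b = decide(alice, byod, "payroll-db", "read", "10.0.0.5")       # "inside", but unmanaged device
    c = decide(alice, laptop, "build-server", "write", "10.0.0.5")  # compliant, but no explicit grant
    return a, b, c  # (True, False, False)
```

Note that the request from the "internal" 10.0.0.5 address is denied while the one from the public address is allowed: location carries no trust, only identity, device state and an explicit grant do.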

Base Pillars to build ZT

Figure: High-Level Zero Trust Maturity Model (Source: CISA)


New Capabilities

  • Need for unified, centralized, overarching authentication
  • Need for centralized authorization and decision-making capabilities
  • Need for device information
  • Updated SOC capabilities (EDR)
  • Updated training for staff (design, implementation, deployment, production)
  • Internal delegation (who oversees centralized authn, authz, etc.)
  • Policy design, update and implementation (who?)
  • Updated governance (many more decisions)

Implications for Application Security

  • Identity
  • The internally facing / externally facing paradigm is breaking down
  • Secure connections
  • ZT is getting grouped together with new appsec regulations

About the Author

MergeBase