Subject: Comments on the NIST draft SP 800-207 (Zero Trust Architecture)
Hello XACML TC,
I wanted to bring your attention to a new NIST draft on zero trust architecture (SP 800-207) that is currently under a public comment period until Nov 22nd.
Note upfront: I do see the terms around zero trust as buzzwords that stand for a bunch of (still to be formally defined and agreed on) assumptions and security principles. Based on these zero trust principles and assumptions one can define a security architecture as one has always done.
Independent of the marketing craze and fuzziness around the zero trust stuff, it is clear that IAM (on the network and application layer) plays a central role in security architectures following zero trust principles (e.g. as one turns down network segmentation and perimeters and allows for BYOD).
I strongly believe that ABAC / policy based authZ (e.g., or hopefully, based on XACML ;-) is one of the, or THE, most central security controls needed to get the IAM challenges solved right in security architectures following zero trust principles.
Reading through the draft it seems that they try to redefine XACML’s authorization system reference architecture based on the P*P components as defined in the spec or by ISO. They introduce new terms, get the definitions wrong, add strange dependencies to connection establishment features within the authZ components (maybe because some network product vendors have built their things like this), etc. From my perspective the quality of this NIST draft is poor and it should, next to other improvements, be better aligned with the already existing NIST ABAC and XACML definitions and concepts.
Whatever zero trust is, it is for sure a vehicle that can be used to push ABAC forward. Or: ABAC and XACML are the perfect pattern to solve advanced authorization challenges securely and sustainably in security architectures following zero trust principles.
What are your thoughts on this draft? Any interest in submitting a comments document from XACML TC perspective?
With best regards,
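The mail refers to XACML’s P*P reference architecture (PAP, PDP, PIP, PEP) without spelling out how the components interact. The following Python sketch is an added illustration, not code from the mail, the XACML spec or the NIST draft: a PEP hands a request to a PDP, the PDP fills in attributes the request did not carry from a PIP (here a constructed in-memory store standing in for a directory or device-posture service), and evaluates constructed policies published by a PAP with deny-overrides combining. Every policy, attribute and request value below is made up for the example; the point is that the PEP fails closed on anything but an explicit Permit, including the Indeterminate result from a missing attribute, which is what a zero trust deployment that no longer trusts network location relies on.

```python
"""Minimal XACML-style P*P flow (added example; all policies, attribute
store contents and requests are constructed for illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# category ("subject", "resource", "action", "environment") -> attribute id -> value
Attrs = Dict[str, Dict[str, object]]


@dataclass
class Rule:
    rule_id: str
    effect: str                        # "Permit" or "Deny"
    applies: Callable[[Attrs], bool]   # condition over the resolved attributes


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]                  # combined with deny-overrides in the PDP


class PolicyAdministrationPoint:
    """PAP: where policies are authored and made available to the PDP."""
    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def publish(self, policy: Policy) -> None:
        self.policies.append(policy)


class PolicyInformationPoint:
    """PIP: resolves attributes the request did not carry (constructed store)."""
    def __init__(self, store: Dict[str, Dict[str, Dict[str, object]]]) -> None:
        self.store = store             # category -> entity key -> attribute id -> value

    def resolve(self, category: str, key: str, attr_id: str) -> Optional[object]:
        return self.store.get(category, {}).get(key, {}).get(attr_id)


class PolicyDecisionPoint:
    """PDP: evaluates PAP policies, pulling missing attributes from the PIP."""
    # category -> (attribute naming the entity to look up, attributes the policies need)
    NEEDED = {"subject": ("id", ["clearance"]),
              "environment": ("device_id", ["device_managed"])}

    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint) -> None:
        self.pap, self.pip = pap, pip

    def decide(self, request: Attrs) -> str:
        attrs: Attrs = {c: dict(v) for c, v in request.items()}
        for category, (key_attr, ids) in self.NEEDED.items():
            key = attrs.get(category, {}).get(key_attr)
            for attr_id in ids:
                if attr_id in attrs.get(category, {}):
                    continue           # request already carried the attribute
                value = None if key is None else self.pip.resolve(category, str(key), attr_id)
                if value is None:
                    return "Indeterminate"   # unresolvable attribute: PEP must not permit
                attrs.setdefault(category, {})[attr_id] = value
        decision = "NotApplicable"
        for policy in self.pap.policies:
            for rule in policy.rules:
                if rule.applies(attrs):
                    if rule.effect == "Deny":
                        return "Deny"          # deny-overrides: one matching Deny wins
                    decision = "Permit"
        return decision


class PolicyEnforcementPoint:
    """PEP: the only component in front of the resource; anything but Permit is blocked."""
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def allow(self, request: Attrs) -> bool:
        return self.pdp.decide(request) == "Permit"


def build_pep() -> PolicyEnforcementPoint:
    """Wire up the constructed PAP policies and PIP store (example data only)."""
    pap = PolicyAdministrationPoint()
    pap.publish(Policy("doc-access", [
        # Permit reads of confidential documents to sufficiently cleared subjects.
        Rule("permit-cleared-read", "Permit", lambda a:
             a["action"]["id"] == "read"
             and a["resource"]["classification"] == "confidential"
             and a["subject"]["clearance"] in ("confidential", "secret")),
        # Deny any access from an unmanaged device, regardless of network location.
        Rule("deny-unmanaged-device", "Deny",
             lambda a: a["environment"]["device_managed"] is False),
    ]))
    pip = PolicyInformationPoint({
        "subject": {"alice": {"clearance": "secret"}},          # constructed
        "environment": {"dev-42": {"device_managed": True},      # constructed
                        "dev-99": {"device_managed": False}},
    })
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, pip))


def make_request(subject_id: str, device_id: str, action: str) -> Attrs:
    """Constructed request carrying only identifiers; the PDP enriches it via the PIP."""
    return {"subject": {"id": subject_id},
            "resource": {"id": "doc-7", "classification": "confidential"},
            "action": {"id": action},
            "environment": {"device_id": device_id}}


if __name__ == "__main__":
    pep = build_pep()
    for who, dev, act in [("alice", "dev-42", "read"), ("alice", "dev-99", "read"),
                          ("mallory", "dev-42", "read"), ("alice", "dev-42", "write")]:
        req = make_request(who, dev, act)
        print(who, dev, act, "->", pep.pdp.decide(req), "allowed:", pep.allow(req))
```

The four sample requests exercise each outcome: Permit for a cleared subject on a managed device, Deny (overriding the matching Permit rule) when the device posture attribute resolves to unmanaged, Indeterminate when the PIP has no record of the subject, and NotApplicable for an action no rule covers. The PEP treats the last three identically, which is the fail-closed behaviour a zero trust design needs from its enforcement points.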