xacml message


Subject: Comments on the NIST draft SP 800-207 (Zero Trust Architecture)



I wanted to bring your attention to a new NIST draft on zero trust architecture (SP 800-207) that is currently under a public comment period until Nov 22nd.


Note upfront: I do see the terms around zero trust as buzzwords that stand for a bunch of (still to be formally defined and agreed on) assumptions and security principles. Based on these zero trust principles and assumptions one can define a security architecture as one has always done.

Independent of the marketing craze and fuzziness around the zero trust stuff, it is clear that IAM (on the network and application layer) plays a central role in security architectures following zero trust principles (e.g. as one turns down network segmentation and perimeters, and allows for BYOD).

I strongly believe that ABAC / policy based authZ (e.g. or hopefully based on XACML ;-)) is one of, or THE, most central security controls needed to get the IAM challenges solved right in security architectures following zero trust principles.


Reading through the draft it seems that they try to redefine XACML's authorization system reference architecture based on the P*P components as defined in the spec or by ISO. They introduce new terms, get the definitions wrong, add strange dependencies to connection establishment features within the authZ components (maybe because some network product vendors have built their things like this), etc. From my perspective the quality of this NIST draft is poor and it should, next to other improvements, be better aligned with the already existing NIST ABAC and XACML definitions and concepts.

Whatever zero trust is, it is for sure a vehicle that can be used to push ABAC forward. Or: ABAC and XACML are the perfect pattern to solve advanced authorization challenges securely and sustainably in security architectures following zero trust principles.


What are your thoughts on this draft? Any interest in submitting a comments document from XACML TC perspective?


BR Jan


With best regards,
Dr. Jan Herrmann

Key Expert Authorization Technologies
Senior Security Architect

Siemens AG
Corporate Technology
Research in Digitalization and Automation
Security Architecture
Otto-Hahn-Ring 6
81739 Muenchen, Germany
Fax: +49 89 636-48000
Mobile: +49 173 3157961
