Izar Tarandach (izar): Just that guy.

izar/pytm 309

A Pythonic framework for threat modeling

OWASP/www-project-pytm 3

OWASP Foundation Web Repository

izar/awesome-threat-modelling 2

A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

izar/pytm-docs 1

Doc tree for pytm

izar/Venator 1

Venator is a python tool used to gather data for proactive detection of malicious activity on macOS devices.

izar/nandroid_diff 0

A small tool to create diff timelines of two Nandroid backup directories

izar/ocaml-tree-sitter 0

Generate OCaml parsers based on tree-sitter grammars.

izar/oss2019 0

Open Security Summit 2019

push event ukncsc/zero-trust-architecture

Colin Robbins

commit sha c88c0c9dd55a65574d23f6e36349d645f1fe89e8

Directories and Roles. Many organisations choose to use a virtual directory, particularly where there are many legacy systems. In many large organisations, creating a single directory is a hard problem, with many directory products available to support this task. A common issue becomes: who "owns" the single directory, HR or IT? Hence we often see the JML process driven off an HR system feeding the IT directory. These larger organisations will often derive access privileges from the role.


PeterR707

commit sha 6583e7e7665cb0f2000a96693e091946096eed73

Merge pull request #52 from ColinRobbins/patch-1 Directories and Roles.


push time in a day

PR merged ukncsc/zero-trust-architecture

Directories and Roles.

Many organisations choose to use a virtual directory, particularly where there are many legacy systems. In many large organisations, creating a single directory is a hard problem, with many directory products available to support this task. A common issue becomes: who "owns" the single directory, HR or IT? Hence we often see the JML process driven off an HR system feeding the IT directory.

These larger organisations will often derive access privileges from the role.

+1 -1

1 comment

1 changed file

ColinRobbins

pr closed time in a day
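The JML flow this pull request describes, as an added example that is not part of the ukncsc/zero-trust-architecture guidance or of the PR: the HR feed is the source of truth, an account's entitlements are derived entirely from its role via a role catalogue, and a mover or leaver loses whatever the new role (or no role) does not grant. The role catalogue, HR feed, directory contents and entitlement names are constructed sample data, not any real organisation's.

```python
"""Added example: HR-driven joiners/movers/leavers (JML) reconciliation where
access privileges are derived from the role, not granted per person.
Role catalogue, HR feed and directory state below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Role catalogue: the only place where entitlements are defined (constructed).
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "engineer": frozenset({"vpn", "git", "ci"}),
    "finance": frozenset({"vpn", "erp"}),
    "contractor": frozenset({"git"}),
}


@dataclass
class DirectoryEntry:
    """One account in the IT directory."""
    uid: str
    role: Optional[str]
    entitlements: Set[str] = field(default_factory=set)
    enabled: bool = True


Change = Tuple[str, str, str]  # (uid, "grant" | "revoke", entitlement)


def reconcile(hr_feed: Dict[str, Optional[str]],
              directory: Dict[str, DirectoryEntry]) -> List[Change]:
    """Drive the IT directory from the HR feed.

    hr_feed maps uid -> current role, or None when HR records the person as
    having left. Accounts present in the directory but unknown to HR are
    treated as leavers as well: HR is the source of truth, not the directory.
    Returns every change applied so the run can be audited.
    """
    changes: List[Change] = []
    for uid in sorted(set(hr_feed) | set(directory)):
        role = hr_feed.get(uid)  # None for leavers and for orphan accounts
        entry = directory.setdefault(uid, DirectoryEntry(uid=uid, role=None))
        # A role HR knows but the catalogue does not grants nothing, by design.
        wanted = ROLE_ENTITLEMENTS.get(role, frozenset()) if role is not None else frozenset()
        for ent in sorted(entry.entitlements - wanted):   # mover/leaver: drop the rest
            entry.entitlements.discard(ent)
            changes.append((uid, "revoke", ent))
        for ent in sorted(wanted - entry.entitlements):   # joiner/mover: add the new
            entry.entitlements.add(ent)
            changes.append((uid, "grant", ent))
        entry.role = role
        entry.enabled = role is not None
    return changes


def sample_run() -> Tuple[List[Change], Dict[str, DirectoryEntry]]:
    """Constructed scenario: one joiner, one mover, one leaver, one orphan account."""
    directory = {
        "bob": DirectoryEntry("bob", "engineer", {"vpn", "git", "ci"}),
        "carol": DirectoryEntry("carol", "finance", {"vpn", "erp"}),
        # "prod-db" is a stale manual grant no role in the catalogue provides.
        "dave": DirectoryEntry("dave", "contractor", {"git", "prod-db"}),
    }
    hr_feed: Dict[str, Optional[str]] = {
        "alice": "engineer",  # joiner
        "bob": "finance",     # mover: engineer -> finance
        "carol": None,        # leaver
        # dave is absent from the HR feed: orphan account, handled as a leaver
    }
    return reconcile(hr_feed, directory), directory


if __name__ == "__main__":
    for change in sample_run()[0]:
        print(*change)
```

Because the entitlement set is recomputed from the role on every run rather than patched incrementally, the stale manual grant on the orphan account is revoked in the same pass that disables it; that is the property the HR-fed directory gives you.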

pull request comment ukncsc/zero-trust-architecture

Directories and Roles.

Hi Colin

Thank you for taking the time to make a few pull requests to the beta principles; I have accepted them all. Yes, I totally agree with signposting the virtual directory; it highlights that we are after the effect and there is more than one way to achieve this.

ColinRobbins

comment created time in a day

push event ukncsc/zero-trust-architecture

Colin Robbins

commit sha 699c229e74dacb320dd9cbff008156744f44c96e

External Users The original text gives the impression all users are local, whereas Principle 2 acknowledges some users may come via federation etc., so are not under your direct control.


PeterR707

commit sha e86a6b9dd3435606b457a2511a4f370878237e44

Merge pull request #53 from ColinRobbins/patch-2 External Users


push time in a day

PR merged ukncsc/zero-trust-architecture

External Users

The original text gives the impression all users are local, whereas Principle 2 acknowledges some users may come via federation etc., so are not under your direct control.

+1 -1

0 comment

1 changed file

ColinRobbins

pr closed time in a day

push event ukncsc/zero-trust-architecture

Colin Robbins

commit sha 6455b8e9d927d16c56b12fb0bd458cfda734b3cc

Fix superscript


PeterR707

commit sha 390d5dcfa5078096a3aaa73560010f1602136ae7

Merge pull request #54 from ColinRobbins/patch-3 Fix superscript


push time in a day

issue comment ukncsc/zero-trust-architecture

Principles 2 & 3

Thanks Peter, I look forward to seeing the guidance. As I am sure you know, good asset management is a big challenge for most organisations. It is a serious subject that needs to be addressed, and a lot of the other principles in ZT have some dependency on it. That being said, it's a journey you have to start to work towards, otherwise it creates so much unknown risk.

ColinH1

comment created time in a day

PR opened ukncsc/zero-trust-architecture

External Users

The original text gives the impression all users are local, whereas Principle 2 acknowledges some users may come via federation etc., so are not under your direct control.

+1 -1

0 comment

1 changed file

pr created time in a day

PR opened ukncsc/zero-trust-architecture

Directories and Roles.

Many organisations choose to use a virtual directory, particularly where there are many legacy systems. In many large organisations, creating a single directory is a hard problem, with many directory products available to support this task. A common issue becomes: who "owns" the single directory, HR or IT? Hence we often see the JML process driven off an HR system feeding the IT directory.

These larger organisations will often derive access privileges from the role.

+1 -1

0 comment

1 changed file

pr created time in a day

issue comment ukncsc/zero-trust-architecture

Principle 5 - MFA

Hi Colin

I have accepted some changes this morning which may have answered your question. Yes, we need to be a bit clearer on how to balance user experience and gaining trust. The relevant updates are under MFA and usability. https://github.com/ukncsc/zero-trust-architecture/blob/master/05-Authenticate-everywhere.md

Please let me know your thoughts

Thank you for your feedback

ColinRobbins

comment created time in a day

issue comment ukncsc/zero-trust-architecture

Principle 6 - Network Monitoring

Hi Colin

Thanks again for the feedback. Yes, this is something to think about, as the approach will be different. I will see if we have some guidance in this area to link to, and call out that there is a different approach.

ColinRobbins

comment created time in a day

issue comment ukncsc/zero-trust-architecture

Principle 7. Don't trust any network, including your own

Hi Colin, thank you for the comment. Yes, we totally agree; we should link out to our cloud guidance for this section. As you quite rightly say, you need to verify the service provider as part of the process of having trust in their ZT implementation. I will add a link into the document and let you know when it's complete.

ColinRobbins

comment created time in a day

issue comment ukncsc/zero-trust-architecture

Principles 2 & 3

Hi Colin, thank you for your comment, and we totally agree this does underpin both these ZT principles. This is something we are working on internally: "what does a good asset management system look like". This will feed into our next iteration of guidance; once it's updated I will let you know so you can have a look. It would be good to know what you think.

ColinH1

comment created time in a day

push event ukncsc/zero-trust-architecture

PeterR707

commit sha b236bf0f55685a6c413a41ea6b1af2278b710fa2

Update README.md


push time in a day

push event ukncsc/zero-trust-architecture

PeterR707

commit sha 8e59e70ea5b50f95e5e3ca5fdf53e23c49bfb600

Update README.md


push time in a day

push event ukncsc/zero-trust-architecture

Takashi Suzuki (BlackBerry)

commit sha abfa39c3af595de5b43f2fdd8ba11f8fd627b8fb

readme - audience The guidance should be aimed at not only a technical audience but people involved in e.g. network planning and operation.


PeterR707

commit sha cf99235cf553379f9dcc6be6f5e316b094198e26

Merge pull request #28 from Takashi-Suzuki-BlackBerry/readme readme - audience


push time in a day

PR merged ukncsc/zero-trust-architecture

readme - audience

The guidance should be aimed at not only a technical audience but people involved in e.g. network planning and operation.

+1 -1

1 comment

1 changed file

Takashi-Suzuki-BlackBerry

pr closed time in a day

pull request comment ukncsc/zero-trust-architecture

readme - audience

Hi Takashi Suzuki, thank you so much for your effort in reviewing the guidance and incorporating your comments into this beta version. We really do appreciate you spending the time. I have accepted all your changes, but have made a few very minor changes. Kind regards, Peter

Takashi-Suzuki-BlackBerry

comment created time in 2 days

issue opened ukncsc/zero-trust-architecture

Principles 2 & 3

General comment on Principles 2 & 3.

To maintain the zero trust model at an operational level, are there any thoughts on including guidance on maintaining assets? To really follow Principle 2, Know your User, Service and Device identities, and Principle 3, Know the health of your users, devices and services, asset inventory management, especially of services and devices, needs to be very good; otherwise your zero trust architecture starts to break.

Regards Colin

created time in 2 days

push event ukncsc/zero-trust-architecture

Takashi Suzuki (BlackBerry)

commit sha a6483c0f8db0563d94f47e240fb6dc8499ae8f43

readme - PEP and assets Clarify: - a user and/or device can submit a request to which a policy is enforced - the final determination is not whether the connection is trusted but whether the request can be authorised - in addition to services, data is a key asset to protect.


PeterR707

commit sha 1748fdb715804a82d6f8f32fe0d6b004dc1e6196

Merge pull request #29 from Takashi-Suzuki-BlackBerry/readme-2 readme - PEP and assets


push time in 2 days

PR merged ukncsc/zero-trust-architecture

readme - PEP and assets

Clarify:

  • a user and/or device can submit a request to which a policy is enforced
  • the final determination is not whether the connection is trusted but whether the request can be authorised
  • in addition to services, data is a key asset to protect
+2 -2

0 comment

1 changed file

Takashi-Suzuki-BlackBerry

pr closed time in 2 days
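The clarification in this pull request, that the determination is made per request rather than per connection and that data, not only the service in front of it, is the asset being protected, as an added example that is not part of the ukncsc/zero-trust-architecture guidance or of the PR: a minimal policy enforcement point that evaluates each request from identity, device health and the classification of the data asked for, so the same authenticated user gets different answers for different requests. The device-health feed, asset register, roles and rules are constructed sample data.

```python
"""Added example: a minimal policy enforcement point (PEP) that authorises each
request on its own merits. Nothing is decided at connection level.
All identities, device signals, resources and rules are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    """One access request as the PEP sees it: who, from what, for which asset."""
    user: str
    role: str
    device_id: str
    resource: str


# Constructed device-health feed, shaped like a device-management export.
DEVICE_HEALTH: Dict[str, Dict[str, bool]] = {
    "laptop-1": {"managed": True, "disk_encrypted": True, "patched": True},
    "laptop-2": {"managed": True, "disk_encrypted": True, "patched": False},
    "phone-9": {"managed": False},
}

# Constructed asset register: the data classification drives the policy;
# which service hosts the data is secondary.
RESOURCES = {
    "wiki/onboarding": {"classification": "internal",
                        "owner_roles": {"engineer", "finance"}},
    "erp/payroll": {"classification": "confidential",
                    "owner_roles": {"finance"}},
}


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Policy decision for a single request. Returns (allowed, reasons)."""
    reasons: List[str] = []
    asset = RESOURCES.get(req.resource)
    if asset is None:
        return False, ["unknown resource: deny by default"]
    health = DEVICE_HEALTH.get(req.device_id, {})  # unknown device: no signals
    if not health.get("managed"):
        reasons.append("device is not managed")
    if req.role not in asset["owner_roles"]:
        reasons.append(f"role {req.role!r} is not entitled to {req.resource}")
    if asset["classification"] == "confidential":
        # Stricter device posture for more sensitive data, per request.
        if not health.get("disk_encrypted"):
            reasons.append("confidential data requires disk encryption")
        if not health.get("patched"):
            reasons.append("confidential data requires a patched device")
    return not reasons, reasons


def sample_session() -> List[Tuple[str, bool]]:
    """Constructed scenario: one authenticated user, several requests, each
    decided separately; the outcome depends on device and data, not the session."""
    requests = [
        Request("carol", "finance", "laptop-1", "wiki/onboarding"),
        Request("carol", "finance", "laptop-1", "erp/payroll"),
        Request("carol", "finance", "laptop-2", "erp/payroll"),
        Request("carol", "finance", "phone-9", "wiki/onboarding"),
        Request("carol", "finance", "laptop-1", "crm/contacts"),
    ]
    return [(f"{r.resource}@{r.device_id}", evaluate(r)[0]) for r in requests]


if __name__ == "__main__":
    for label, allowed in sample_session():
        print(label, "allow" if allowed else "deny")
```

The point to notice is that there is no "trusted connection" state anywhere: the unpatched laptop can still read the internal wiki but not payroll, and an unmanaged phone is refused even the wiki, all from the same user's credentials.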

push event ukncsc/zero-trust-architecture

Takashi Suzuki (BlackBerry)

commit sha 16178361cac63087b75cec778f874c3bf813e86c

Principle 1-1 risk assessment Clarify: - risk assessment applies not only to the network design but to the assets, including data - risk treatment depends on the importance of assets.


PeterR707

commit sha c093ac37922f794c5f0b53e7ad478e5262053c8d

Merge pull request #30 from Takashi-Suzuki-BlackBerry/Principle-1-1 Principle 1-1 risk assessment


push time in 2 days

PR merged ukncsc/zero-trust-architecture

Principle 1-1 risk assessment

Clarify:

  • risk assessment applies not only to the network design but to the assets, including data
  • risk treatment depends on the importance of assets
+2 -2

0 comment

1 changed file

Takashi-Suzuki-BlackBerry

pr closed time in 2 days

push event ukncsc/zero-trust-architecture

Takashi Suzuki (BlackBerry)

commit sha d29fa829fb45659483d367e17d4b04f86fb028ea

Principle-2-1 General clarification Wording improvement.


PeterR707

commit sha 60b62b8bf28cb93e3b94f17469bad5c377461942

Merge pull request #31 from Takashi-Suzuki-BlackBerry/Principle-2-1 Principle-2-1 General clarification


push time in 2 days

push event ukncsc/zero-trust-architecture

Takashi Suzuki (BlackBerry)

commit sha 59e4b49755db88b9f00ccff3e123fde608fb86a5

Principle 2-2 In zero trust architecture authentication is performed for internal and external services. OAuth 2.0 is also used for authentication purposes.

PeterR707

commit sha 546fefe8f98a65918df871c3cdca97093ae014f8

Merge pull request #32 from Takashi-Suzuki-BlackBerry/Principle-2-2 Principle 2-2


push time in 2 days

PR merged ukncsc/zero-trust-architecture

Principle 2-2

In zero trust architecture authentication is performed for internal and external services.

OAuth 2.0 is also used for authentication purposes

+1 -1

0 comment

1 changed file

Takashi-Suzuki-BlackBerry

pr closed time in 2 days

push event ukncsc/zero-trust-architecture

Takashi Suzuki (BlackBerry)

commit sha 28227b8063bfcc2203a8e973072431d01820aa73

Principle 2-3 Federation Federation with external ID providers is an option. Some organizations may not need the option.


PeterR707

commit sha 2977943d26ff171267f6a66275411ba3f3415e25

Merge pull request #33 from Takashi-Suzuki-BlackBerry/Principle-2-3 Principle 2-3 Federation


push time in 2 days
