1 of 11

IEEE & Zero Trust Security

Eric Hibbard – Chair, IEEE Cybersecurity & Privacy Standards Committee (CPSC)

eric.hibbard@ieee.org

2 of 11

Background

  • Zero Trust (ZT) initiatives currently driven by NIST and other US Government entities
  • The US Government is engaging its international partners (e.g., NATO) on ZT

  • International standards development organizations (SDOs) activities:
    • ITU-T/SG 17 Workshop (August 2023)
    • ISO/IEC JTC 1/SC 27 considering a PWI on the update of ISO/IEC 27033 (Network security)
    • IEEE Computer Society – Two active projects

3 of 11

Zero Trust Security WG (ZTSWG)

  • WG formed June 2020
  • Charter: Serve as IEEE CS focus point for zero trust security (ZTS):
    • Develop international standards, guidelines, and guides
    • Develop and deliver education materials (papers, seminars, etc.)
    • Conferences and meetings

  • Two approved projects under development
  • Ability to leverage IEEE CS Cat A Liaison with SC 27
  • Chair: Thomas Rivera (thomas.rivera@ieee.org)

4 of 11

IEEE P2887, Recommended Practice for Zero Trust Security

  • PAR Approval Date: 03 Jun 2020
  • PAR Expiration Date: 31 Dec 2024
  • Scope:
    • This recommended practice provides security guidance for Zero Trust Security (ZTS) architectures and implementations.
  • Summary:
    • Surveying current ZT architectures
    • Developing ZT terminology (ISO style)
    • Identifying core ZT elements
    • Developing security-specific guidance

    • Early interest in CSA Software Defined Perimeter (SDP)
    • Undergoing a realignment with IEEE P3409
    • Plan to submit to ISO/IEC JTC 1/SC 27 for ISO/IEC/IEEE branding

June 2014

5 of 11

IEEE P3409, Standard for a Zero Trust Security Framework

  • PAR Approval Date: 21 Sep 2023
  • PAR Expiration Date: 31 Dec 2027
  • Scope:
    • This standard provides a framework for zero trust security, including terminology, concepts, and identification of core elements.
  • Summary:
    • Serve as the IEEE ZTS foundation standard (vocabulary, concepts, relevant references, etc.)
    • Bridge the ZT architecture materials (i.e., identify what is important from a security perspective)
    • Specify the minimum and optional ZTS elements

    • Plan to submit to ISO/IEC JTC 1/SC 27 for ISO/IEC/IEEE branding

6 of 11

Q & A

7 of 11

About the Speaker

Chair, IEEE Computer Society, Cybersecurity & Privacy Standards Committee (CPSC)

Chair, INCITS TC Cybersecurity & Privacy

Co-Chair, Cloud Security Alliance (CSA) – International Standardization Council (ISC)

Co-Chair, American Bar Association – SciTech Law – Internet of Things (IoT) Committee

Member, American Bar Association – SciTech Law – Council

Member, American Bar Association – Cybersecurity Legal Task Force

Member, American Bar Association – AI Legal Task Force

Chair, SNIA Security Technical Work Group

Member, International Data Sanitization Consortium

ISO Editor: ISO/IEC 27040 (Storage security), ISO/IEC 27050 (eDiscovery series), ISO/IEC 22123 (Cloud series), ISO/IEC 20648 (TLS for storage)

IEEE Editor: IEEE Std 1619 (XTS-AES)

Eric Hibbard, CISSP-ISSAP, ISSMP, ISSEP, FIP, CIPT, CDPSE, CISA, CCSK

Security/Privacy Professional

eric.Hibbard@ieee.org

8 of 11

Cybersecurity & Privacy Standards Committee (CPSC)

  • Responsible for cybersecurity and privacy standardization including, but not limited to:
    • cryptographic techniques, cyber incident management, identity management, IT system security evaluation, information security management systems, network security, security automation and continuous monitoring, supply chain risk management, software assurance, and system security engineering standards.
    • identification of privacy risk and mitigation methods and technology
  • International focus; avoids duplication of other SDO security/privacy projects

9 of 11

CPSC Active Projects

  • Authentication in a Multi-server Environment WG (C/CPSC/AMSE)
    • P2989 Standard for Authentication in a Multi-server Environment
  • Data Leakage Tracing WG (C/CPSC/DLTWG)
    • P3361 Standard for Evaluation Method of Robustness of Digital Watermarking Implementation in Digital Contents
  • Interworking Framework for Privacy-Preserving Computation WG (C/CPSC/IFPPC)
    • P3117 Standard for Interworking Framework for Privacy-Preserving Computation
  • Quantum Security WG (C/CPSC/QuSEC)
    • P3172 Recommended Practice for Post-Quantum Cryptography Migration
  • Space System Cybersecurity WG (C/CPSC/S2CY)
    • P3349 Standard for Space System Cybersecurity
  • System & Software Runtime Security WG (C/CPSC/S2RS)
    • P3389 Standard for Technical Framework of Runtime Application Self-Protection (RASP)
  • Security in Storage WG (C/CPSC/SIS-WG)
    • P2883.1 Recommended Practice for Use of Storage Sanitization Methods
    • P2883.2 Recommended Practice for Virtualized and Cloud Storage Sanitization
    • P1667 Standard for Discovery, Authentication, and Authorization in Host Attachments of Storage Devices (Revision)
    • P3406 (Draft) Standard for a Purge and Destruct Sanitization Framework
  • Software Supply Chain Security WG (C/CPSC/SSCS-WG)
    • P3390 Standard for Security Management Capability Framework of Open Source Software Supply Chain for Software Providers
  • Zero Trust Security WG (C/CPSC/ZTSWG)
    • P2887 Recommended Practice for Zero Trust Security
    • P3409 (Draft) Standard for a Zero Trust Security Framework

10 of 11

Collaboration with ISO/IEC JTC 1

  • Subcommittee 27 (SC 27) – Information security, cybersecurity and privacy protection
    • WG 1: Information security management systems
    • WG 2: Cryptography and security mechanisms
    • WG 3: Security evaluation, testing and specification
    • WG 4: Security controls and services
    • WG 5: Identity management and privacy technologies
  • IEEE CS has a Category A Liaison with SC 27

11 of 11

Thank You