BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Memento EPFL//
BEGIN:VEVENT
SUMMARY:IC Colloquium: Zero Trust in Zero Trust?
DTSTART:20221107T161500
DTEND:20221107T173000
DTSTAMP:20260407T091642Z
UID:4d4d0a2b50be8de70055e2a7ed90271556603c9fad05969d59b9cb82
CATEGORIES:Conferences - Seminars
DESCRIPTION:By: Virgil D. Gligor - Carnegie Mellon University\n\nAbstract\
 nWe review the basic notions of trust\, trust minimization\, zero trust\, 
 and trust establishment. We also review the key characteristics of zero-tr
 ust architectures as presented by the National Institute of Standards and 
 Technology (NIST) in the clearest technical explanation of this concept. W
 e show that the modest goal of limiting the effects of security breaches t
 o single implicit trust zones is often unachieved by these architectures. 
 We argue that they can never serve as security models as they are unsound 
 even for their modest goal\, and inadequate for pervasive use. Evidence sh
 ows that zero-trust architectures have low security value as they cannot 
 address many common attacks\, much less advanced ones. Nevertheless\, matu
 re zero-trust architectures can reduce recovery costs after security breac
 hes\, but the reduction is lower than provided by some alternate technique
 s. Finally\, we show that zero trust is impossible in any enterprise 
 network and has meaning only as an unreachable limit of trust 
 establishment. Hence
 \, trust establishment -- not the zero trust “buzzword” -- can be a fo
 undation of network security.\n\nIn view of these observations\, mandating
  adoption of zero-trust architectures in all government networks seems sur
 prising. A 2021 Presidential Executive Order incorrectly calls NIST's zero
 -trust architecture a "security model\," mandates its adoption\, and freq
 uently requires trust-establishment measures\, which exclude zero trust. T
 his recognizes some basic zero-trust inadequacies while missing others ide
 ntified in this presentation. Promoting zero trust is not simply assigning
  an inappropriate label to a modest goal. Rather\, it is encouraging simpl
 istic security analyses that leave critical networks vulnerable to serious
  attacks\, while promoting the myth that low-cost assurance can always be 
 effective. In contrast\, trust establishment encourages flexible cost allo
 cation among security functions and assurances\, risk reduction\, and adve
 rsary deterrence.\n\nBio\nVirgil D. Gligor is a Professor at Carnegie Mell
 on University. His research interests have ranged from access control mech
 anisms\, penetration analysis\, and denial-of-service protection to crypto
 graphic protocols and applied cryptography. He was an associate editor of 
 several ACM and IEEE journals and the editor in chief of the IEEE Transact
 ions on Dependable and Secure Computing. He received the 2006 National Inf
 ormation Systems Security Award jointly given by NIST and NSA\, the 2011 O
 utstanding Innovation Award of ACM SIGSAC\, and the 2013 Technical Achieve
 ment Award of IEEE Computer Society. He was inducted into the National Cyb
 er Security Hall of Fame in 2019.
LOCATION:BC 420 https://plan.epfl.ch/?room==BC%20420 https://epfl.zoom.us/
 j/64444030076?pwd=dEFkRlBhNHlkS3pLQU1keFA2V3hyUT09
STATUS:CONFIRMED
END:VEVENT
END:VCALENDAR
