Charting Zero Trust and High Assurance: ControlPlane’s Takeaways from the NIST Multi-Cloud and OSCAL Conferences

By Torin van den Bulk

From Theory to Practice: Exploring Zero Trust and Multi-Cloud Security at the 4th Annual Multi-Cloud Conference

4th Annual Multi-Cloud Conference

Our anticipation was palpable as we walked through the gates at the Department of Commerce (DoC) building for the 4th Annual Multi-Cloud Conference hosted by NIST. Upon entry, we were surrounded by a vibrant atmosphere of cloud-centric innovation and collaboration, a testament to the forward-thinking minds gathered there.

To kick off the conference, Senior Security Technical Lead at NIST, Michaela Iorga, delivered a resonant message on the importance of collaboration between private and public sectors on emerging technologies within the Cloud Native and Zero Trust space. Robert Wood, the CISO for Medicare and Medicaid Services, further echoed this message, emphasizing the importance of team collaboration as a cornerstone of cybersecurity.

The day was a wellspring of learning, with incisive discussions fostered around identity-tier service mesh policies and the incorporation of Zero Trust to safeguard multi-cloud ecosystems. Two NIST special publications, SP 800-207a and SP 800-204D, were particularly noteworthy. Presented by NIST’s Senior Computer Scientist Ramaswamy Chandramouli and Tetrate Founding Engineer Zach Butcher, NIST SP 800-207a: A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments outlined an enterprise-based Zero Trust Architecture (ZTA) model. This model leverages multi-tier service mesh policies that blend traditional network-based enforcement policies (e.g., gateway-to-gateway and service-gateway) with identity-tier policies, enabling interoperable and precise policy enforcement within multi-cloud environments. The publication primarily focuses on five identity-tier policies: Encryption in Transit, Service Identity & Authentication, Service-to-Service Authorization, End User Identity & Authentication, and End User-to-Resource Authorization. The recommended policies and related tooling suggestions are as follows:

  • Encryption in Transit: Mutual TLS (mTLS) secures service-to-service communication.
  • Service Identity & Authentication: Use SPIFFE or an equivalent application identity infrastructure for attestation and issuance of cryptographically secure identities (and their related identity documents such as SVIDs).
  • Service-to-Service Authorization: Employ dedicated authorization infrastructure such as Next Generation Access Control (NGAC) to enforce policy decisions and dynamically authorize service requests.
  • End User Identity & Authentication: Utilize an Identity Provider (IdP) or Identity as a Service Provider (IDaaS) for identity and user management.
  • End User-to-Resource Authorization: Use dedicated authorization infrastructure such as NGAC or OpenID Connect (OIDC) to govern policy decisions for users accessing resources.

When integrated to form multi-tier service mesh policies, this model provides a set of security controls that enable Zero Trust Architecture (ZTA) in multi-cloud environments. You can find more information about this document on the NIST publications site here.
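The five identity-tier policies above map directly onto resources in a service mesh. As an added example (not from the post, from NIST or from Tetrate), the following Istio configuration applies them to a hypothetical `orders` service in a `shop` namespace: the `PeerAuthentication` enforces mTLS (Encryption in Transit); the SPIFFE identity that Istio's CA issues in each workload's SVID is what the `principals` entry matches (Service Identity & Authentication); the `AuthorizationPolicy` stands in for the dedicated NGAC authorization infrastructure the publication recommends (Service-to-Service and End User-to-Resource Authorization); and the `RequestAuthentication` validates end-user JWTs from an OIDC identity provider (End User Identity & Authentication). Service names, namespace, issuer URL, JWKS URI, audience and claim values are constructed placeholders.

```yaml
# Added example, not from SP 800-207a, the post, or Tetrate: Istio resources for a
# hypothetical "orders" service in namespace "shop". All names and URLs are
# constructed placeholders.
---
# Encryption in Transit: every workload in the namespace accepts only mTLS.
# With no selector, a PeerAuthentication named "default" applies namespace-wide.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# End User Identity & Authentication: validate JWTs issued by the IdP (OIDC
# issuer). On its own this resource only rejects invalid tokens; requests with
# no token still pass, which is why the AuthorizationPolicy below also demands
# a request principal.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://idp.example.com"                          # placeholder IdP
    jwksUri: "https://idp.example.com/.well-known/jwks.json"   # placeholder
    audiences: ["orders"]
---
# Service Identity & Authentication plus both authorization policies.
# `principals` matches the SPIFFE ID carried in the caller's X.509 SVID
# (Istio's CA issues spiffe://cluster.local/ns/<ns>/sa/<serviceaccount>);
# `requestPrincipals` and the claim check cover the end user. Istio admits a
# request when any ALLOW rule matches, so both conditions sit in one rule
# rather than in two separate policies that would each be sufficient alone.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-checkout-and-user
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]   # workload identity (SVID)
        requestPrincipals: ["https://idp.example.com/*"]     # <issuer>/<subject> from the JWT
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
    when:
    - key: request.auth.claims[scope]
      values: ["orders:write"]
```

Applied with `kubectl apply -f`, these resources make the sidecar the enforcement point: a call arriving in plaintext, from a service account other than `checkout`, without a token from the configured issuer, or with a token lacking the `orders:write` scope is rejected before it reaches the application. The `PeerAuthentication` only guarantees that the channel is encrypted and authenticated; which identities may talk to which endpoints is decided entirely by the `AuthorizationPolicy`, so omitting it leaves every mesh workload able to call `orders`.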

Another enriching source was SP 800-204D: Securing the Artifacts in the Software Supply Chain for Building Cloud-Native Applications, presented by Ramaswamy Chandramouli and Frederick Kautz, Security Enterprise Architect at Elavence. SP 800-204D parallels Zero Trust principles and security concerns in the Software Supply Chain (SSC). The presentation proposed an evidence-based approach to cryptographically identify software components within the SSC and dynamically enforce controls throughout the Software Development Lifecycle (SDLC). Drawing clear commonalities with the objectives and guiding principles of Zero Trust security, the presentation underscored the necessity for secure attestation practices, such as:

  • Build Attestation: Specify and verify the software lifecycle (e.g., SDLC) from source to production.
  • Dependency Attestation: Retrieve dependencies (and related metadata) at build time. Post-build scans are also available to support this function.

In addition to attestation, the publication offered recommendations for securing crucial SSC systems such as Source Control Management (SCM) and CI/CD pipelines. This model outlined control measures like code signing and continuous code reviews to facilitate the development of secure, cloud-based applications. These recommendations aim to construct an SSC governance model which leverages Zero Trust principles. For those interested in further details on SP 800-204D, stay tuned for a draft release in the final weeks of June this year.

Throughout the day, we had the opportunity to speak directly with leading figures from private and public sectors, collaborating on their approaches to implementing Zero Trust in cloud-native environments. This face-to-face interaction enriched our understanding of the grounded realities and challenges industry pioneers face today when attempting to secure software supply chains and multi-cloud ecosystems.

The conference’s emphasis on Zero Trust principles in the federal government, presented by Ross Foard (CISA), led to a captivating panel discussion on modernizing multi-cloud security. Moderated by WireWheel.io’s CEO, Justin Antonipillai, the panel included insights from our very own Andrés Vega (VP of ControlPlane North America) and Désiré Banse, Sr. Cloud Security & DevOps Engineer from IdeaCrew. Their combined expertise provided an in-depth understanding of the intricacies of securing multi-cloud ecosystems, gleaned from hands-on industry experience. The full-length panel discussion can be viewed here.

As the conference wrapped up with closing remarks from Matthew Scholl, Chief of the Computer Security Division at NIST, we took a moment to reflect on the day. It was clear to us that this wasn’t merely a conference; it was a transformative journey. Departing from the forum’s venue, we carried with us a heightened understanding of Zero Trust and High Assurance models, gleaned from current industry practices and stimulating dialogues with like-minded cloud professionals.

The 4th Annual NIST Multi-Cloud Conference was more than just an event for us at ControlPlane—it was a catalyst. We saw firsthand the impact of proactively engaging with cutting-edge technologies, the transformative power of kind collaboration, and the immense growth that comes from continuous learning. Here’s to transforming these insights into actions that make the digital world safer for everyone!

Dive into the World of Service Mesh with Istio and Envoy: An Interactive Workshop Hosted by Tetrate and ControlPlane

Tetrate Service Mesh Workshop

In the lead-up to the Multi-Cloud conference, a diverse group of cloud enthusiasts assembled at the Ronald Reagan Building and International Trade Center for a hands-on workshop entitled ‘Introduction to Service Mesh with Istio and Envoy’. ControlPlane and Tetrate jointly spearheaded this interactive session, with seasoned Tetrate engineers Matt Turner and Zach Butcher guiding the workshop.

The workshop primarily aimed to provide participants with a foundational understanding of service mesh concepts, their potential applications in the realm of Zero Trust security (primarily through the perspective of the SPIFFE/SPIRE framework), and the practical use of tools such as Istio, Envoy Proxy, and Kubernetes (K8s).

Participants were introduced to these concepts and guided on actively implementing them alongside critical security features such as end-to-end encryption, API threat detection, and Attribute-Based Access Control (ABAC). Embracing the core philosophy of ‘learning by doing’, participants were encouraged to apply their newfound knowledge practically.

Interactive lab environments allowed participants to explore a simulated K8s cluster and install/configure a service mesh layer with Istio and Envoy. Participants gained hands-on experience with the istioctl command-line tool during this practical exercise. The istioctl CLI allows users to control the operation of the Istio service mesh and offers commands for traffic management, policy enforcement, and telemetry collection.

To enhance the understanding of service mesh observability, the workshop demonstrated operating Istio dashboards, which leverage Grafana and Prometheus for monitoring and visualization. These dashboards offer an intuitive and visual mechanism to monitor and debug microservices within the service mesh, providing valuable insights into service mesh traffic. You can learn more about these dashboards in the official Istio documentation here.

The session strongly emphasized interactive dialogues, especially around the application of SPIFFE (Secure Production Identity Framework For Everyone) in service mesh implementation. SPIFFE offers an interoperable solution for establishing trust between software systems, and its role in enhancing Zero Trust security within service mesh technology formed a vital part of the discussion.

Overall, the workshop was well-received, indicating a strong demand for interactive and hands-on content bridging the gap between service mesh technology, workload identity, and threat-driven designs. ControlPlane and Tetrate’s collaboration at this event underscored their commitment to fostering a deeper understanding of these complex technologies.

You can find a detailed workshop overview here.

Shifting-Left with OSCAL and Kubernetes: ControlPlane at the 4th Annual OSCAL Conference

4th Annual OSCAL Conference

At the 4th Annual Open Security Controls Assessment Language (OSCAL) Conference, ControlPlane’s Francesco Beltramini unveiled a dynamic exploration of automated compliance for Kubernetes in his talk Harnessing the Power of OSCAL: A Dive into Continuous and Automated Compliance for Kubernetes. The conference, jointly orchestrated by NIST and DoC, spotlighted OSCAL—an open-source framework that enables security professionals to document security controls, implementation measures, and assessments in a machine-readable language. OSCAL transforms otherwise complex and tedious manual tasks into streamlined, automated processes. By doing so, OSCAL lays the groundwork for a new era of compliance processes and GRC tools, paving the way for seamless security automation and efficient risk management.

The conference was a hub for public, private, and academic innovators focusing on the latest developments in the NIST OSCAL models. In particular, the conference explored the potential of OSCAL-based automation in refining risk management, governance, and compliance processes across varying regulatory frameworks. The event, led by CSEC experts, fostered collaboration and shared groundbreaking OSCAL-based solutions, marking OSCAL’s growing global footprint.

Amidst this energetic atmosphere, ControlPlane’s Security Engineering Manager, Francesco Beltramini, and Robert Ficcaglia, CTO of SunStone Secure, LLC, took the stage to dive into the world of automated and continuous compliance in K8s. The session started with a comprehensive introduction to Kubernetes, setting the stage for the rest of the insightful presentation.

They then unveiled a scenario-based Kubernetes threat model complete with attack trees, offering a vivid glimpse into potential threats and countermeasures. The threat model included NIST 800-53 controls as a means of breaking the attack chains, mapping each control back to the K8s threat model findings it addresses.

Soon after, the presentation introduced Everything-as-(versioned)-code, an all-encompassing concept including Policy-as-Code, Compliance Controls-as-Code (through OSCAL), Risk Assessment Rules-as-Code, Infrastructure-as-Code, and Pipeline-as-Code. These principles embody the Secure-by-Default, Secure-by-Design, and “shift-left” strategies, advocating for proactive security measures introduced early in the development cycle.

The session’s conclusion brought focus to technical demos in which Francesco illustrated how Kyverno policies could be referenced from OSCAL documents to describe the implementation of NIST 800-53 controls and enforced cluster-wide to preserve a state of compliance. Final remarks touched on the intersection of K8s compliance and OSCAL, highlighting how OSCAL can ultimately help foster a shift-left mentality.
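As an added example (not from the talk, from ControlPlane or from SunStone Secure), the YAML below pairs a Kyverno ClusterPolicy with an OSCAL component-definition entry that records it as the implementation of NIST SP 800-53 AC-6 (Least Privilege): the policy rejects privileged containers at admission time and reports existing violations, and the OSCAL document points an assessor at that policy as evidence. The policy name, annotation key, UUIDs and URLs are constructed placeholders; the `source` field is assumed to point at NIST's OSCAL rendering of the SP 800-53 rev5 catalog.

```yaml
# Added example, not from the talk or from ControlPlane/SunStone Secure: a Kyverno
# ClusterPolicy and the OSCAL component-definition entry that documents it as
# the implementation of NIST 800-53 AC-6. Names, UUIDs and URLs are constructed.
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
  annotations:
    compliance.example.com/nist-800-53: "ac-6"   # constructed key tying the policy to the control
spec:
  validationFailureAction: Enforce   # reject non-compliant Pods at admission
  background: true                   # also report on Pods that already exist
  rules:
  - name: privileged-containers
    match:
      any:
      - resources:
          kinds: ["Pod"]
    validate:
      message: "Privileged containers are not allowed (NIST 800-53 AC-6)."
      # =(field) marks an optional field: the check only applies when it is present,
      # so a container with no securityContext at all still passes.
      pattern:
        spec:
          =(ephemeralContainers):
          - =(securityContext):
              =(privileged): "false"
          =(initContainers):
          - =(securityContext):
              =(privileged): "false"
          containers:
          - =(securityContext):
              =(privileged): "false"
---
# OSCAL component definition (YAML serialisation) describing the control
# implementation that the policy above provides.
component-definition:
  uuid: 6f2c1a3e-0000-4000-8000-000000000001        # constructed
  metadata:
    title: Kyverno policy set for the platform cluster
    last-modified: "2023-06-01T00:00:00Z"
    version: "0.1"
    oscal-version: "1.1.2"
  components:
  - uuid: 6f2c1a3e-0000-4000-8000-000000000002      # constructed
    type: policy
    title: Kyverno admission controller
    description: Enforces Kubernetes admission policies declared as ClusterPolicy resources.
    control-implementations:
    - uuid: 6f2c1a3e-0000-4000-8000-000000000003    # constructed
      source: https://example.com/oscal/NIST_SP-800-53_rev5_catalog.json   # placeholder; use the NIST OSCAL catalog URL
      description: Controls enforced at admission time by Kyverno.
      implemented-requirements:
      - uuid: 6f2c1a3e-0000-4000-8000-000000000004  # constructed
        control-id: ac-6
        description: >-
          Containers may not run privileged. The ClusterPolicy
          disallow-privileged-containers rejects violating Pods at admission and
          surfaces pre-existing violations through PolicyReport resources.
        props:
        - name: implementation-status
          value: implemented
        links:
        - href: https://git.example.com/platform/policies/disallow-privileged-containers.yaml   # placeholder
          rel: evidence
```

The two documents serve different consumers: the cluster enforces the ClusterPolicy, while GRC tooling reads the component definition to see which control is covered, by what, and where the evidence lives. Because the policy is versioned alongside the OSCAL document, a change to either one shows up in the same review, which is the Everything-as-(versioned)-code idea the talk advocated.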

The 4th Annual OSCAL Conference presented a congregation of digital transformation pioneers, security automation tool vendors, and open-source maintainers striving for streamlined security processes. Robert, Francesco, and other industry experts’ insights inspired a more secure, automated, and standards-oriented future.

More information about OSCAL can be found on the official NIST site here and the NIST GitHub repository here.
