How many of you are moving to Zero Trust?

Just curious how many people out there are actually working towards completely zero-trust and phasing out old school VPN connections?

We say we’re moving to Zero Trust, but in reality, nobody actually understands what it means and it’s really just implementing best practices (which we’ve been doing even before the current Cyber Security team that’s pushing “Zero Trust”).

We started doing it in 2012, though we called it “de-perimeterization” at the time. A lot of the motivation was that client VPNs were not scaling for us any longer.

There are a lot more off-the-shelf open-source tools these days than there were ten years ago. Switching everything from HTTP to HTTPS is just the first step.

I’ve had zero trust in my users for years, does that count?

Zero trust is basically a marketing term…

We’ve been using traditional VPNs for years with limited connectivity behind them. You get DNS and Remote Desktop Gateway. That’s it, unless you need more.

File permissions? Only get what you need.

Firewall rules? Only get what you need.

Concepts have been valid (and good practice) for a long time. Just a fancy new way of selling it to the suits!

Zero Trust is fancy branding cyber/vp/sales/certcamp/radio ad/LinkedIn cucks read in an airplane magazine for what is logically just least privileged architecture and hardening…

I.e., when the fuck did any good enterprise admin think anyone trusted ppl on a domain

Do things ITIL (you know like from the 80s, not some marketing weeny shit that is cool because it starts with a Z) and smartly and you’re already there

We originally used the term “de-perimeterization”, but the idea is pretty straightforward:

  • Don’t rely on any aspect of the network to maintain security.
  • Design your infrastructure as if your users were all using random cafe networks (because they probably are).
  • Encrypt all traffic, and strongly authenticate all connections.

I’d argue that it’s a lot different than least-privileged design.

  • Devices on your network WILL get compromised by user activity
  • Segmenting your network is the best guard against this
  • Storing company data on defensible resources is a must
    • No more on-prem file shares or databases
    • No more on-prem application servers
    • Rely on vendors (Microsoft) to identify high-risk users and cancel their access to company resources
  • Monitor network for data egress
  • No open ports
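As an added illustration, not from any poster in this thread, of the difference the last two lists describe: a toy access-policy evaluator where the perimeter model trusts network location, while the zero-trust model checks transport, user authentication, device posture and a least-privilege grant on every request and ignores where the request came from. The `Request` fields, the `GRANTS` table and the user and resource names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """A request as seen by a policy enforcement point (constructed sample)."""
    user: str
    resource: str
    action: str
    mfa_verified: bool      # the person was strongly authenticated
    device_attested: bool   # device posture check passed
    mtls: bool              # mutually authenticated, encrypted transport
    source_network: str     # informational only; never a trust signal


# Hypothetical least-privilege grants: user -> {resource: {allowed actions}}
GRANTS = {
    "alice": {"payroll-db": {"read"}},
    "bob": {"wiki": {"read", "write"}},
}


def perimeter_decision(req):
    """Old-school model: anything that reaches you from 'inside' is trusted."""
    if req.source_network == "corp-lan":
        return "allow", "request came from the LAN"
    return "deny", "request came from outside the LAN"


def zero_trust_decision(req):
    """Every connection is encrypted and authenticated; location is ignored."""
    if not req.mtls:
        return "deny", "transport not encrypted/authenticated"
    if not req.mfa_verified:
        return "deny", "user not strongly authenticated"
    if not req.device_attested:
        return "deny", "device posture not verified"
    # Least privilege: only the actions explicitly granted on this resource.
    allowed = GRANTS.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed:
        return "deny", f"no grant for {req.action} on {req.resource}"
    return "allow", "identity, device, transport and grant all verified"


if __name__ == "__main__":
    # A compromised box on the LAN: perimeter says allow, zero trust says deny.
    stolen = Request("bob", "payroll-db", "read", False, False, False, "corp-lan")
    print(perimeter_decision(stolen), zero_trust_decision(stolen))
```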