    656 points EthanHeilman | 11 comments
    uncomputation ◴[] No.30103419[source]
    > “Enterprise applications should be able to be used over the public internet.”

    Isn’t exposing your internal domains and systems outside VPN-gated access a risk? My understanding is this means internaltool.faang.com should now be publicly accessible.

    replies(10): >>30103496 #>>30103558 #>>30103584 #>>30103588 #>>30103623 #>>30104344 #>>30104669 #>>30105221 #>>30106774 #>>30106879 #
    1. enriquto ◴[] No.30103558[source]
    As I understand it, this sentence says that the application should be safe even if it was exposed to the public internet, not that it needs to be exposed. It is a good practice to secure everything even if visible only internally. The "perimeter defense" given by a VPN can be a plus, but never the only line of defense.
    replies(3): >>30103607 #>>30103636 #>>30103760 #
    2. jaywalk ◴[] No.30103607[source]
    No, the memo pretty clearly says that VPNs need to go away.
    replies(2): >>30103780 #>>30103879 #
    3. ◴[] No.30103636[source]
    4. servercobra ◴[] No.30103760[source]
    The memo does say each agency needs to pick one system that is not internet accessible and make it accessible in the next year. The way I read this memo is pushing that VPNs don't add much in the way of security (if you follow the rest of the memo) and should be removed.
    replies(1): >>30104715 #
    5. ◴[] No.30103780[source]
    6. MattPalmer1086 ◴[] No.30103879[source]
    It says that VPNs and other network tunnels should not be relied on.

    Where does it say they should go away?

    replies(1): >>30104348 #
    7. nybble41 ◴[] No.30104348{3}[source]
    "Further, Federal applications cannot rely on network perimeter protections to guard against unauthorized access. Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near-term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero trust maturity model."

    "Actions … 4. Agencies must identify at least one internal-facing FISMA Moderate application and make it fully operational and accessible over the public internet."

    replies(2): >>30105162 #>>30108262 #
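The distinction the quoted passage draws, logging into applications rather than networks, is easy to see in code. The Python below is an added example, not text from the memo, from any commenter, or from any agency system: it contrasts a perimeter check that trusts any request arriving from a corporate address range with an application-level check that verifies a signed, expiring session token on every request, whatever network it came from. The address range, signing key, user names, paths and request values are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed values for this example only (not from the memo or any real deployment).
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class Request:
    source_ip: str
    path: str
    token: Optional[str] = None


def perimeter_authorize(req: Request) -> bool:
    """Network-perimeter model: anything from the corporate network is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET


def issue_token(user: str, ttl_s: int = 3600, now: Optional[float] = None) -> str:
    """Mint a signed, expiring session token once the user has logged in to the app."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "exp": int(now + ttl_s)},
                      separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the MAC is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or altered claims
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None  # expired session
    return claims.get("sub")


def application_authorize(req: Request, now: Optional[float] = None) -> Optional[str]:
    """Application-login model: every request needs a valid token; source network is irrelevant."""
    if req.token is None:
        return None
    return verify_token(req.token, now)


def demo(now: float = 1_700_000_000.0) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run both models over constructed requests; returns {case: (perimeter, app_subject)}."""
    good = issue_token("alice", now=now)
    # Forged token: different claims glued to alice's MAC (constructed test input).
    forged_body = base64.urlsafe_b64encode(json.dumps(
        {"sub": "mallory", "exp": int(now + 3600)}, separators=(",", ":")).encode()).decode()
    forged = forged_body + "." + good.split(".", 1)[1]
    cases = {
        "corp_no_token": Request("10.20.30.40", "/internaltool"),
        "public_valid_token": Request("203.0.113.7", "/internaltool", good),
        "public_forged": Request("203.0.113.7", "/internaltool", forged),
        "corp_expired": Request("10.20.30.40", "/internaltool",
                                issue_token("alice", ttl_s=-1, now=now)),
    }
    return {name: (perimeter_authorize(r), application_authorize(r, now))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} perimeter={result[0]!s:5s} app_subject={result[1]}")
```

The two models disagree on exactly the cases the memo cares about: an unauthenticated request from inside the corporate range passes the perimeter check but fails the application check, while a properly authenticated request from a public address fails the perimeter check and passes the application check. Forged and expired tokens are rejected regardless of where they come from.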
    8. tptacek ◴[] No.30104715[source]
    The other way to read that part of the memo is that the exercise of exposing an application on the public Internet is a forcing function that will require agencies to build application security skills necessary whether or not they use VPNs. Note that the memo demands agencies find a single FISMA-Moderate service to expose.
    9. shkkmo ◴[] No.30105162{4}[source]
    Which is saying that agencies have to stop relying on / requiring VPNs for authorization and access control, not that any user has to stop using VPNs.
    replies(1): >>30105531 #
    10. nybble41 ◴[] No.30105531{5}[source]
    It's true that they didn't mandate detecting and blocking accesses from VPNs, if the user chooses to connect through one. However, they pretty clearly are saying that the application should be exposed to the public Internet, which is the opposite of what enriquto claimed[0] earlier in this thread:

    > As I understand it, this sentence says that the application should be safe even if it was exposed to the public internet, not that it needs to be exposed.

    [0] https://news.ycombinator.com/item?id=30103558

    11. MattPalmer1086 ◴[] No.30108262{4}[source]
    Yes, good point.

    I wonder if that applies to all infrastructure, or just enterprise applications.