←back to thread

I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)
656 points EthanHeilman | 4 comments | 27 Jan 22 15:06 UTC | HN request time: 0s | source
Show context
uncomputation ◴[27 Jan 22 17:33 UTC] No.30103419[source]
> “Enterprise applications should be able to be used over the public internet.”

Isn’t exposing your internal domains and systems outside VPN-gated access a risk? My understanding is this means internaltool.faang.com should now be publicly accessible.

replies(10): >>30103496 #>>30103558 #>>30103584 #>>30103588 #>>30103623 #>>30104344 #>>30104669 #>>30105221 #>>30106774 #>>30106879 #
enriquto ◴[27 Jan 22 17:44 UTC] No.30103558[source]
As I understand it, this sentence says that the application should be safe even if it was exposed to the public internet, not that it needs to be exposed. It is a good practice to securize everything even if visible only internally. The "perimeter defense" given by a VPN can be a plus, but never the only line of defense.
replies(3): >>30103607 #>>30103636 #>>30103760 #
jaywalk ◴[27 Jan 22 17:47 UTC] No.30103607[source]
No, the memo pretty clearly says that VPNs need to go away.
replies(2): >>30103780 #>>30103879 #
MattPalmer1086 ◴[27 Jan 22 18:08 UTC] No.30103879{3}[source]
It says that VPNs and other network tunnels should not be relied on.

Where does it say they should go away?

replies(1): >>30104348 #
1. nybble41 ◴[27 Jan 22 18:40 UTC] No.30104348{4}[source]
"Further, Federal applications cannot rely on network perimeter protections to guard against unauthorized access. Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near-term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero trust maturity model."

"Actions … 4. Agencies must identify at least one internal-facing FISMA Moderate application and make it fully operational and accessible over the public internet."

replies(2): >>30105162 #>>30108262 #
2. shkkmo ◴[27 Jan 22 19:34 UTC] No.30105162[source]
Which is saying that agencies have to stop relying on / requiring VPNs for authorization and access control, not that any user has to stop using VPNs.
replies(1): >>30105531 #
3. nybble41 ◴[27 Jan 22 19:57 UTC] No.30105531[source]
It's true that they didn't mandate detecting and blocking accesses from VPNs, if the user chooses to connect through one. However, they pretty clearly are saying that the application should be exposed to the public Internet, which is the opposite of what enriquto claimed[0] earlier in this thread:

> As I understand it, this sentence says that the application should be safe even if it was exposed to the public internet, not that it needs to be exposed.

[0] https://news.ycombinator.com/item?id=30103558

4. MattPalmer1086 ◴[27 Jan 22 23:00 UTC] No.30108262[source]
Yes, good point.

I wonder if that applies to all infrastructure, or just enterprise applications.