
656 points EthanHeilman | 1 comments
uncomputation No.30103419
> “Enterprise applications should be able to be used over the public internet.”

Isn’t exposing your internal domains and systems outside VPN-gated access a risk? My understanding is this means internaltool.faang.com should now be publicly accessible.

replies(10): >>30103496 #>>30103558 #>>30103584 #>>30103588 #>>30103623 #>>30104344 #>>30104669 #>>30105221 #>>30106774 #>>30106879 #
enriquto No.30103558
As I understand it, this sentence says that the application should be safe even if it were exposed to the public internet, not that it needs to be exposed. It is a good practice to secure everything even if it is visible only internally. The "perimeter defense" given by a VPN can be a plus, but never the only line of defense.
replies(3): >>30103607 #>>30103636 #>>30103760 #
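To make the point concrete: "safe even if exposed" means every request must be authenticated and authorized on its own merits, not admitted because it arrived from an address the VPN hands out. The following is an added illustration, not code from the thread or from the memo, contrasting a handler that trusts the source network with one that checks a signed, expiring token and a per-user permission table regardless of where the request came from. The key, the 10.0.0.0/8 range, the user names and the permission table are all constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo values; a real deployment would load the key from a secret store.
SECRET = b"constructed-demo-key-not-for-production"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # the "VPN-side" range
PERMISSIONS = {"alice": {"read"}, "bob": {"read", "write"}}  # constructed table


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: where it came from, what it wants, who it claims to be."""
    source_ip: str
    action: str
    token: Optional[str] = None


def issue_token(user: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Return 'user|expiry|hmac'; the HMAC binds the user and expiry to the server key."""
    now = int(time.time() if now is None else now)
    body = f"{user}|{now + ttl}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_token(token: Optional[str], now: Optional[int] = None) -> Optional[str]:
    """Return the user named in a valid, unexpired token, or None for anything else."""
    if not token:
        return None
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, exp, mac = parts
    expected = hmac.new(SECRET, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    try:
        if int(exp) < int(time.time() if now is None else now):
            return None
    except ValueError:
        return None
    return user


def perimeter_authorize(req: Request) -> bool:
    """The pattern the comment warns against: anything from the internal range is trusted.
    Once the service is reachable from outside, this check decides nothing useful."""
    try:
        return ipaddress.ip_address(req.source_ip) in INTERNAL_NET
    except ValueError:
        return False


def zero_trust_authorize(req: Request, now: Optional[int] = None) -> bool:
    """Per-request check: valid identity token plus an explicit permission for the action.
    The source address is deliberately ignored; a VPN can still sit in front as an extra layer."""
    user = verify_token(req.token, now)
    if user is None:
        return False
    return req.action in PERMISSIONS.get(user, set())


if __name__ == "__main__":
    inside_no_token = Request("10.1.2.3", "write")
    print("perimeter grants unauthenticated internal write:", perimeter_authorize(inside_no_token))
    print("zero-trust grants it:", zero_trust_authorize(inside_no_token))
    alice = Request("203.0.113.7", "read", issue_token("alice"))
    print("zero-trust grants alice read from the public internet:", zero_trust_authorize(alice))
```

Both checks can coexist; the point is that the second one must hold on its own, so that moving the service outside the VPN changes the threat model's exposure but not its access decisions.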
servercobra No.30103760
The memo does say each agency needs to pick one system that is not internet accessible and make it accessible in the next year. The way I read this memo is pushing that VPNs don't add much in the way of security (if you follow the rest of the memo) and should be removed.
replies(1): >>30104715 #
tptacek No.30104715
The other way to read that part of the memo is that the exercise of exposing an application on the public Internet is a forcing function that will require agencies to build application security skills necessary whether or not they use VPNs. Note that the memo demands agencies find a single FISMA-Moderate service to expose.