
656 points EthanHeilman | 1 comments
uncomputation ◴[] No.30103419[source]
> “Enterprise applications should be able to be used over the public internet.”

Isn’t exposing your internal domains and systems outside VPN-gated access a risk? My understanding is this means internaltool.faang.com should now be publicly accessible.

1. rodgerd ◴[] No.30106879[source]
The thing is that over-focus on perimeter security is still a huge problem, and one reason that e.g. ransomware owns orgs with depressing regularity. There's nothing wrong with perimeter controls in and of themselves. But they become a substitute for actually securing what's on the internal network, so once you've bypassed the perimeter, it's all too easy to roam at will.

The people over-relying on perimeter security are the folks buying a big sixties car and assuming that seatbelts and traction control are no substitute for chrome bumpers.