I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)

656 points EthanHeilman | 3 comments | 27 Jan 22 15:06 UTC | HN request time: 0s | source

Show context

staticassertion ◴[27 Jan 22 15:56 UTC] No.30102061[source]▶

This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

1. No more SMS and TOTP. FIDO2 tokens only.

2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

replies(15): >>30103088 #>>30103131 #>>30103846 #>>30104022 #>>30104121 #>>30104716 #>>30104840 #>>30105344 #>>30106941 #>>30107798 #>>30108481 #>>30108567 #>>30108916 #>>30111757 #>>30112413 #

1. mnd999 ◴[27 Jan 22 22:25 UTC] No.30107798[source]▶

>>30102061 #

Bleeding edge or complete fantasy? This is going to be very very expensive and guess who’s going to be paying for it?

replies(1): >>30108946 #

2. tssva ◴[28 Jan 22 00:09 UTC] No.30108946[source]▶

>>30107798 (TP) #

As with most OMB memos it is complete fantasy and agencies won't comply by the date, any date close to it or really ever. The answer to the question "who's going to be paying for it?" is nobody which is why it will never actually get done.

replies(1): >>30125644 #

3. mnd999 ◴[29 Jan 22 11:56 UTC] No.30125644[source]▶

>>30108946 #

Government contractors are expert at getting paid to deliver nothing.

↑