656 points EthanHeilman | 3 comments
1. pledess ◴[] No.30110052[source]
Our corporate IT folks have a Zero Trust Manifesto in which there are enrolled devices (laptops that remote SREs can carry around), there are enterprise applications, and there's connectivity between these (e.g., tunnel pairs). SREs often need to write scripts that operate on sensitive production data from the enterprise applications, but must do this work directly on an enrolled device.

Pre-Zero-Trust days seemed safer. Copying production data to a laptop wasn't allowed. Instead, each SRE had their own Linux VM in the data center, accessible from home and able to run the scripts (with connectivity to the enterprise application). This prevented a whole class of realistic attacks in which a laptop (while unlocked/decrypted) is taken by an adversary. Admittedly, in return, we're protected from a possible, but less likely, attack in which a Linux VM is compromised and used for lateral movement within one segment of the enterprise network. (An enrolled device has to be in the user's possession; it can't be any machine, Linux or Windows, in the data center or office.)

The only people who love this are our enterprise application vendors. Our bosses are paying them a TON more money to implement new requirements where, in theory, all possible types of data analysis can be done directly within the enterprise application. No more scripts, no more copying of data. No more use of Open Source. And, of course, people from these same enterprise application vendors advise the government that Zero Trust must be a top priority mandate.

replies(1): >>30110486 #
2. YokoZar ◴[] No.30110486[source]
Why not combine the two and require using the secure VMs only from enrolled devices?
replies(1): >>30110781 #
3. pledess ◴[] No.30110781[source]
There isn't a great reason. It's just that the people who set the policy wanted to prevent lateral attacker movement at all costs. The VMs and the enterprise applications are in the same building, but no longer have network connectivity because they don't routinely communicate (in the past, a VM would make an outbound TCP connection only after an SRE decided that a problem existed).