656 points EthanHeilman | 1 comments
mikewarot No.30106322
Does any of this protect against a zero day exploit running in the client device?
1. agar No.30110452
In a true Zero Trust model, every client device would have the minimum number of network permissions necessary to do its job - as would every other device. Every device could only connect to known good/known necessary endpoints over specific ports and protocols. All else would be blocked.[1]

If the client device were compromised with a zero day exploit, the blast radius would be substantially smaller, the difficulty of an attacker mapping a network for later exploit would be exponentially larger, and time to response would dramatically shrink.

[1] (This is particularly relevant for fixed-function IoT and Operational Technology devices. General computing devices need broader controls, but again - the minimum necessary for that user, in that business context, to do their job.)
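The per-device allowlist model described in the comment above, as an added example that is not part of the original thread: a default-deny egress policy evaluated over a flow log, showing what a compromised device can still reach and how its denied probes become a detection signal. All device names, hostnames, ports and flows are constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Constructed policy: per-device allowlist of (destination, port, protocol).
# Anything not listed is denied (default deny).
POLICY = {
    "badge-reader-01": {("access-ctl.internal", 8443, "tcp")},
    "hvac-sensor-07": {("bms.internal", 1883, "tcp"), ("ntp.internal", 123, "udp")},
    "laptop-alice": {("mail.internal", 993, "tcp"), ("git.internal", 22, "tcp"),
                     ("proxy.internal", 3128, "tcp")},
}

def is_allowed(flow):
    # Unknown devices have no entry, so every flow from them is denied.
    return (flow.dst, flow.port, flow.proto) in POLICY.get(flow.src, set())

def blast_radius(device):
    """Destinations a compromised device can still reach under the policy."""
    return sorted({dst for dst, _, _ in POLICY.get(device, set())})

def evaluate(flows):
    """Split flows into allowed and denied; denied ones are alert candidates."""
    allowed, denied = [], []
    for f in flows:
        (allowed if is_allowed(f) else denied).append(f)
    return allowed, denied

def scan_suspects(denied, threshold=3):
    """Devices whose denied flows hit >= threshold distinct (dst, port) pairs."""
    targets = {}
    for f in denied:
        targets.setdefault(f.src, set()).add((f.dst, f.port))
    return sorted(s for s, t in targets.items() if len(t) >= threshold)

# Constructed flow log: hvac-sensor-07 behaves normally, then probes neighbours.
FLOWS = [
    Flow("hvac-sensor-07", "bms.internal", 1883, "tcp"),
    Flow("hvac-sensor-07", "ntp.internal", 123, "udp"),
    Flow("hvac-sensor-07", "git.internal", 22, "tcp"),
    Flow("hvac-sensor-07", "mail.internal", 993, "tcp"),
    Flow("hvac-sensor-07", "access-ctl.internal", 8443, "tcp"),
    Flow("laptop-alice", "git.internal", 22, "tcp"),
    Flow("unknown-device", "bms.internal", 1883, "tcp"),
]

if __name__ == "__main__":
    allowed, denied = evaluate(FLOWS)
    print(blast_radius("hvac-sensor-07"), len(denied), scan_suspects(denied))
```

In a flat network every one of the denied flows would have succeeded silently; here each one is both blocked and logged, which is where the shorter time to response comes from.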