←back to thread

I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)
656 points EthanHeilman | 2 comments | 27 Jan 22 15:06 UTC | HN request time: 0s | source
Show context
staticassertion ◴[27 Jan 22 15:56 UTC] No.30102061[source]
This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

1. No more SMS and TOTP. FIDO2 tokens only.

2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

replies(15): >>30103088 #>>30103131 #>>30103846 #>>30104022 #>>30104121 #>>30104716 #>>30104840 #>>30105344 #>>30106941 #>>30107798 #>>30108481 #>>30108567 #>>30108916 #>>30111757 #>>30112413 #
warner25 ◴[27 Jan 22 23:29 UTC] No.30108567[source]
"...fairly bleeding edge best practices..."

By the time we implement any of these things, if ever, they certainly won't be. I work on military networks and applications, and it's hard for me to believe that I'll see any of this within my career at the pace we move. This is the land of web applications that only work with Internet Explorer, ActiveX, Siverlight, Flash, and Java Applets, plus servers running Linux 2.6 or Windows Server 2012.

The idea of "Just-in-Time" access control where "a user is granted access to a resource only while she needs it, and that access is revoked when she is done" is terrifying when it takes weeks or months to get action on support tickets that I submit (where the action is simple, and I tee it up with a detailed description of whatever I need done).

replies(2): >>30110767 #>>30111071 #
1. post_from_work ◴[28 Jan 22 05:49 UTC] No.30111071[source]
It took us NINE MONTHS to get a server installed in a data center a few years back. This was Marine-Corps fielded hardware running an ATO'd[1] software stack for real-world situational awareness, going into a Marine Corps data center. The people that run the data center have a glacial Change Management process, exacerbated by everyone in their organization not talking to each other, even though they are separated by cubical walls.

I too have no faith of seeing this stuff implemented anytime soon...

[1] (Authority to Operate, basically approval from the highest IT authorities to utilize something on a DoD network)

replies(1): >>30111318 #
2. warner25 ◴[28 Jan 22 06:26 UTC] No.30111318[source]
Haha, yes, my day-to-day work for the past two years has been fighting exactly this same fight on the Army side.