656 points EthanHeilman | 1 comments
uncomputation No.30103419
> “Enterprise applications should be able to be used over the public internet.”

Isn’t exposing your internal domains and systems outside VPN-gated access a risk? My understanding is this means internaltool.faang.com should now be publicly accessible.

formerly_proven No.30103584
It's a different framing to get rid of fig leaves. Everything has to be built so that it actually has a chance of being secure - if your state of mind is "this is exposed to the public internet", BS excuses like "this is only exposed to the TotallySecure intranet" don't work any more, because they don't work in the first place. Perimeter security only works in exceedingly narrow circumstances which don't apply - and haven't applied for a long time[1] - to 99.999% of corporate networks.

[1] Perimeter-oriented security thinking is probably the #1 enabler for ransomware and lateral movement of attackers in general.

lethargic_meat No.30120243
This sounds like the meme of holding a rifle like a pistol, so your fear of getting smacked with the butt makes you impervious to recoil.