[HN Gopher] BeyondCorp is dead, long live BeyondCorp
___________________________________________________________________

BeyondCorp is dead, long live BeyondCorp

Author : tptacek
Score  : 53 points
Date   : 2022-02-09 21:06 UTC (2 days ago)

web link (mayakaczorowski.com)

| jiveturkey wrote:
| ogazitt wrote:
| The last paragraph is especially salient. To me, ZT is really
| about recognizing that perimeter security is dead, and a modern
| approach to authorization requires defense-in-depth. A zero trust
| access proxy is just one layer (and is inherently coarse-grained).
| The identity provider and API gateway can provide more gates. And
| applications themselves should implement fine-grained authorization
| in a manner that is complementary but independent of upstream
| access controls.

| niyikiza wrote:
| The author makes some good points here: devices and CAs are the
| most challenging part, although I think it remains feasible for
| some types of companies (likely more so than at Google).
|
| I was discussing ZT with a friend recently and we were agreeing
| that one of the problems with the USGov memo (and most ZT
| advocates) is referring to ZT as an "Architecture". The memo paints
| a picture of ZT as a destination, whereas it really should be
| understood as a framework, culture and design philosophy. And that
| makes it, by definition, a journey. Its principles are supposed to
| guide your architecture design, but they are not the architecture,
| i.e. there can never really be a point where you can call a friend
| and be like "Look at this, I've finally 'built' a Zero Trust
| Architecture". And you can't have a consultant come in and go back
| a few months later telling you "Alright, here's your Zero Trust
| Architecture". ZT has to be continuously entangled into your dev
| flow, ops, policies and day-to-day technical decision making.
|
| I also suspect that another important missing piece (whether you
| look at it as a journey or a destination) is how to quantitatively
| MEASURE progress on Zero Trust. Having precise reference metrics
| would help in actually enforcing the goal of the memo, or at least
| being able to tell that company A has better measured ZT progress
| than company B.
|
| I guess, like they say, "Zero Trust is like teenage sex: everyone
| talks about it, nobody really knows how to do it, everyone thinks
| everyone else is doing it, so everyone claims they are doing it."
|
| Disclaimer: Googler, but I don't work on the BeyondCorp team.

| 0xbadcafebee wrote:
| But they do want to think of it as an architecture. They want some
| "Architecture Group" to publish a "ZeroTrust Standard" which every
| team will be required to mindlessly implement so they don't have
| to actually understand the underlying concepts. It's like those
| wonderful "security karate" mandatory training courses where they
| require you to watch a video and fill out a multiple choice
| "test", and after that every application you build will be totally
| secure by default.
|
| I think the whole DevSecWhateverOps thing fails to account for the
| severe level of indifference large organizations have for
| outside-the-box solutions. If you can't solve the problem from
| your silo, it's too much.

| jiveturkey wrote:
| I think you're overselling it, but not by much. Indeed, ZTA is not
| a destination.