[HN Gopher] BeyondCorp is dead, long live BeyondCorp
___________________________________________________________________
BeyondCorp is dead, long live BeyondCorp
Author : tptacek
Score : 53 points
Date : 2022-02-09 21:06 UTC (2 days ago)
(HTM) web link (mayakaczorowski.com)
(TXT) w3m dump (mayakaczorowski.com)
| jiveturkey wrote:
| ogazitt wrote:
| The last paragraph is especially salient. To me, ZT is really
| about recognizing that perimeter security is dead, and a modern
| approach to authorization requires defense-in-depth. A zero trust
| access proxy is just one layer (and is inherently
| coarse-grained). The identity provider and API gateway can provide more
| gates. And applications themselves should implement fine-grained
| authorization in a manner that is complementary but independent
| of upstream access controls.
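The layering this comment describes, as an added example that is not from the thread or from the linked post: the app verifies the identity assertion it is assumed to receive from a zero-trust access proxy, then applies its own resource-level policy that does not depend on the proxy's decision. The header format, shared key, users, documents and roles are all constructed for illustration.

```python
"""Added example: defense-in-depth authorization behind a zero-trust proxy.

Assumption: the access proxy attaches a header "user:hmac" signed with a
key shared with the app. Layer 1 verifies that assertion; layer 2 is the
app's own fine-grained check, which runs regardless of what the proxy let in.
"""
import hashlib
import hmac
from typing import Optional

PROXY_KEY = b"constructed-shared-secret"  # assumption: key shared with the proxy

# Application-owned policy (constructed sample data).
DOC_OWNERS = {"doc-1": "alice", "doc-2": "bob"}
ROLES = {"alice": {"editor"}, "bob": {"viewer"}, "carol": {"admin"}}


def proxy_sign(user: str) -> str:
    """What the (assumed) proxy would attach: user plus an HMAC over it."""
    mac = hmac.new(PROXY_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_proxy_assertion(header: str) -> Optional[str]:
    """Layer 1: accept identity only from a correctly signed proxy header."""
    user, _, mac = header.rpartition(":")
    if not user:
        return None
    expected = hmac.new(PROXY_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def app_authorize(user: str, action: str, doc: str) -> bool:
    """Layer 2: the app's own check, independent of the upstream gate."""
    if doc not in DOC_OWNERS:
        return False
    roles = ROLES.get(user, set())
    if "admin" in roles:
        return True
    if action == "read":
        return DOC_OWNERS[doc] == user or "viewer" in roles
    if action == "write":
        return DOC_OWNERS[doc] == user and "editor" in roles
    return False


def handle_request(header: str, action: str, doc: str) -> int:
    """401 if the proxy assertion is bad, 403 if app policy denies, else 200."""
    user = verify_proxy_assertion(header)
    if user is None:
        return 401
    return 200 if app_authorize(user, action, doc) else 403
```

A request that passes the proxy with a valid identity still gets 403 when the app's own policy says no, which is the independence the comment argues for.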
| niyikiza wrote:
| The author makes some good points here: devices and CAs are the
| most challenging part although I think it remains feasible for
| some types of companies (likely more so than at Google).
|
| I was discussing ZT with a friend recently and we were
| agreeing that one of the problems with the USGov memo (and most
| of ZT advocates) is referring to ZT as an "Architecture". The
| memo paints a picture of ZT as a destination whereas it really
| should be understood as a framework, culture and design
| philosophy. And that makes it, by definition, a journey. Its
| principles are supposed to guide your architecture design but
| they are not the architecture, i.e. there can never really be a
| point where you can call a friend and be like "Look at this, I've
| finally 'built' a Zero Trust Architecture". And you can't have a
| consultant come in and go back a few months later telling you
| "Alright, here's your Zero Trust Architecture". ZT has to be
| continuously entangled into your dev flow, ops, policies and day
| to day technical decision making.
|
| I also suspect that another important missing piece (whether you
| look at it as a journey or a destination) is how to
| quantitatively MEASURE progress on Zero Trust. Having precise
| reference metrics would help in actually enforcing the goal of
| the memo or at least being able to tell that company A has a
| better measured ZT progress than company B.
|
| I guess, like they say, "Zero Trust is like teenage sex: everyone
| talks about it, nobody really knows how to do it, everyone thinks
| everyone else is doing it, so everyone claims they are doing it."
|
| Disclaimer: Googler but I don't work on the BeyondCorp team.
| 0xbadcafebee wrote:
| But they do want to think of it as an architecture. They want
| some "Architecture Group" to publish a "ZeroTrust Standard"
| which every team will be required to mindlessly implement so
| they don't have to actually understand the underlying concepts.
| It's like those wonderful "security karate" mandatory training
| courses where they require you watch a video and fill out a
| multiple choice "test", and after that every application you
| build will be totally secure by default.
|
| I think the whole DevSecWhateverOps thing fails to account for
| the severe level of indifference large organizations have for
| outside-the-box solutions. If you can't solve the problem from
| your silo, it's too much.
| jiveturkey wrote:
| I think you're overselling it, but not by much. Indeed, ZTA is
| not a destination.
___________________________________________________________________
(page generated 2022-02-11 23:00 UTC)