Heavy Strategy 56: FU to the Followup
Heavy Strategy - A podcast by Packet Pushers - Tuesdays
Taking your feedback and followup and discussing the questions you bring us: Zero Trust definitions, out of band in Zero Trust, Johna and/or Greg is/are insufferable, and re-evaluating the Tech Job Debacle with hindsight.

FU Number 1: Definitions of Zero Trust

Just wanted to say that Network Break 435 was interesting on the topic of Zero Trust and Greg vs. Johna interpreting “zero trust” differently. I’d really love to see a full break-down episode more from an engineering/architect role rather than a vendor sales pitch. As an example, some of my questions about zero trust:

Is this an actual standard, or a marketing buzzword along the lines of “Military Grade Encryption”? – YES, standard.

If not a standard that can be easily reviewed by experts, how in the world is that a good security idea? – It’s like saying “you need firewalls and DMZs”. The bad guys already know you have them; the good guys need to understand where to put them for optimal efficacy.

Does it mean all applications are exposed to the public internet with no firewalling and are 100% responsible for their own security? Great! Also, good luck with that after developers have spent the last 25 years assuming firewall protection. It can, and more sophisticated organizations do exactly that… JTJ to follow response.

Does it require installing some type of application on each client/user? If so, how in the world is that going to scale just from a helpdesk perspective? JTJ to respond.

If the above is true, doesn’t the security risk belong entirely to the client, which by the way is usually the least secure thing on the network? JTJ to respond.

Isn’t this yet another example of moving security problems around, rather than fixing them? IMO, Serverless and Containers are already shrinking the scope of what’s exposed on the network better than any security product or model could.

The two most common forms of exploitation are still phishing and business email compromise. Does Zero Trust solve either of those? Partially.
FU #2: Zero Trust and OOB, and Johna is insufferable!

Does anyone else find Johna insufferable? Yes. Talk to my mother!

Her just shouting over Greg “you can’t, you can’t”, and then stating that zero trust is an “architecture” like it is this fixed concept with only one way to do things. She is just rude, and wrong whilst being rude at that. Zero Trust is just a framework or approach and is not prescriptive as to how to implement. You can absolutely use OOB management networks as part of a zero trust approach. In fact, the directive from CISA even lists that a remote admin VPN is acceptable as long as the management interface is not published directly to the internet. VPN access to jumphosts that then have access to OOB management networks is also acceptable according to the directive.

https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02-implementation-guidance
(CISA: Implementation Guidance for Binding Operational Directive 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces)

On the recent NB435 episode Johna made a couple of comments about the recent CISA “Binding Operational Directive” as well as the notion of “Zero Trust” that I feel could use some clarification. First, I just read the actual CISA Directive as well as their accompanying “Implementation Guidance” document (both are easy to find at the “cisa.gov” web site) and they explicitly state that an “isolated ma...