In other words - buy our crap and be no better off!
Zero-trust still misses the mark by a long mile today. You can monitor everything the heck you want but when your OS runs a bunch of background services unnecessarily possessing SYSTEM user rights, real-world security will always remain piss poor. In 2022, Windows end-user devices still run the Server service by default allowing remote users access to piss about with anything they like via C$ shares, Linux computers still have questionable SUID binaries on them and full isolation between GUI applications is still a pipe dream outside of mobile operating systems. By default, most software can still access any/all files the user account has authorisation to access, meaning zero-trust still falls down the moment your PC gets infected with serious malware.
Fix these kinds of endpoint issues and computers can begin to automatically store private keys in HSMs, relegating passwords to a mere second factor of authentication, killing phishing attacks (and a lot of social engineering attempts) for good. For authorisation, computers could store multiple keys for various roles within the same user account and then separate roles per-process, meaning for example that Word can’t touch any data used by Sage Accounts by default. With regard to accounting, a monitoring process could be set up to attest to what it believes each process has accessed, which could be used by enterprises to automatically compare notes, with anything unaccounted for resulting in an automatic account lockout until an investigation can be performed.
Android and iOS are pretty much there (minus accounting), macOS is somewhat there (if you only use App Store apps) but the desktop market leader is a broken mess and Linux is in some respects even further behind Windows nowadays.
TL;DR: Don’t waste your money until the correct foundations are in place. Optimise security for the model you have now until your platform is ready.
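The accounting idea in the comment above (an endpoint monitor attests to what each process accessed, the enterprise compares notes, and anything unaccounted for triggers a lockout) can be sketched as follows. This is an added example, not part of the original comment; the HMAC-signed report, the record fields, the shared key and all sample names and paths are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a MAC key shared by the endpoint monitor and the enterprise
# verifier (constructed value; the comment's design would keep it in an HSM).
MONITOR_KEY = b"constructed-demo-key"


def attest(user, accesses, key=MONITOR_KEY):
    """Endpoint side: sign the monitor's view of per-process accesses."""
    body = json.dumps({"user": user, "accesses": accesses}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def reconcile(attestation, server_log, key=MONITOR_KEY):
    """Enterprise side: verify the attestation, then compare notes."""
    expected = hmac.new(key, attestation["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["mac"]):
        return {"lockout": True, "reason": "attestation failed verification", "unaccounted": []}
    report = json.loads(attestation["body"])
    attested = {(a["role"], a["resource"]) for a in report["accesses"]}
    # Anything the server saw for this user that the monitor did not attest to.
    unaccounted = sorted(
        (e["role"], e["resource"])
        for e in server_log
        if e["user"] == report["user"] and (e["role"], e["resource"]) not in attested
    )
    if unaccounted:
        return {"lockout": True, "reason": "unaccounted access", "unaccounted": unaccounted}
    return {"lockout": False, "reason": "all access accounted for", "unaccounted": []}


# Constructed sample data: one role per process, as the comment proposes.
ENDPOINT_VIEW = [
    {"process": "winword.exe", "role": "documents", "resource": "//fs/docs/report.docx"},
    {"process": "sage.exe", "role": "accounts", "resource": "//fs/accounts/ledger.db"},
]
SERVER_LOG = [
    {"user": "alice", "role": "documents", "resource": "//fs/docs/report.docx"},
    {"user": "alice", "role": "accounts", "resource": "//fs/accounts/ledger.db"},
    {"user": "alice", "role": "accounts", "resource": "//fs/accounts/payroll.db"},
]

if __name__ == "__main__":
    print(reconcile(attest("alice", ENDPOINT_VIEW), SERVER_LOG))
```

The third server-side entry has no matching attested access, so the reconciliation returns a lockout; a report whose body was altered after signing is rejected before any comparison takes place.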