Cloudflare floats cloud grand unification theory based on zero-trust access and security

Network infrastructure biz Cloudflare this week launched a service called Cloudflare One that combines various identity, access, and security offerings in an effort to make the unruly internet more like a tame corporate network. Cloudflare One, not to be confused with Cloudflare 1.1.1.1, the company's DNS service, combines …

  1. whitepines
    Boffin

    Can anyone explain how this "zero trust" concept is supposed to work? From my admittedly comfy work from home chair it seems that one has to trust:

    ...the device hardware / firmware / OS (closed source, hardware vendor controlled)

    ...the service provider and its software (closed source, provider controlled with a smattering of hardware vendor control underneath)

    ...the distribution system for updates to above closed components

    ...governments not to require backdoors in any of the above

    ...all over a public WAN, where any flaw in any of this could compromise the entire network / organization

    Compare to the relatively small, known border of a traditional VPN solution (especially one built on open source software), where there is at least a tiny bit of defense-in-depth, and I see a ton of additional risk flags. In fact something smells distinctly snaky and feels oily about this...

    1. Mike 137 Silver badge

      The concept of trust

      In ancient times (actually until a mere few decades back), trust was something you voluntarily awarded on the basis of your own judgement (and, ideally, exhaustive research). Now however, "trust" is something you're forced to assign to unknown parties and services that it's impossible to research to the standard required to be able to genuinely trust them in the old way. This is not a recent outcome of "cloud" - indeed its seeds were apparent in the US DoD Orange Book of 1983, where trust was assigned on the basis of "clearance" rather than behaviour. What it means though is that there is in reality no way to trust - everything is a leap into the dark. If you want the service you have to blindly accept unknown and unquantifiable consequences.

    2. reGOTCHA

      The future is now, old man

      By network as a service they mean you route ALL your endpoints to somewhere on the internet through a fat pipe.

      They will do routing/firewalling/segmentation/security for you with the most advanced AI/BigData/MachineLearning.

      Zero trust I'm not certain, but I guess it relates to trust and the service they provide...

    3. heyrick Silver badge

      Zero trust is about right. Yet more steps in the link between here and there, yet more opportunities to surreptitiously sniff what users are up to.

  2. Anonymous Coward

    And people laughed at the "Microsoft Network"....

    .... be ready for the Azure Network, next, and the balkanization of the internet....

  3. Cynic_999

    Skynet

    Subscribe now.

    1. Mage Silver badge
      Black Helicopters

      Re: Skynet

      Then eventually there will be "No Silver Lining" once everyone is outsourcing everything to a handful of so called Clouds.

      Zero Trust is a better name than they imagine!

  4. Anonymous Coward

    How aptly named..

    Let's proxy everything through a service in the jurisdiction of the world's best-financed global espionage agency.

    Rarely has a service been so accurately named.

  5. fidodogbreath

    One network compromise to rule them all.

    1. TReko

      ... and in darkness bind them.
