zlacker

[return to "I read the federal government’s Zero-Trust Memo so you don’t have to"]
1. uncomp+ow[view] [source] 2022-01-27 17:33:44
>>EthanH+(OP)
> “Enterprise applications should be able to be used over the public internet.”

Isn’t exposing your internal domains and systems outside VPN-gated access a risk? My understanding is this means internaltool.faang.com should now be publicly accessible.

◧◩
2. enriqu+Dy[view] [source] 2022-01-27 17:44:01
>>uncomp+ow
As I understand it, this sentence says that the application should be safe even if it was exposed to the public internet, not that it needs to be exposed. It is a good practice to securize everything even if visible only internally. The "perimeter defense" given by a VPN can be a plus, but never the only line of defense.
◧◩◪
3. jaywal+qz[view] [source] 2022-01-27 17:47:56
>>enriqu+Dy
No, the memo pretty clearly says that VPNs need to go away.
◧◩◪◨
4. MattPa+OD[view] [source] 2022-01-27 18:08:14
>>jaywal+qz
It says that VPNs and other network tunnels should not be relied on.

Where does it say they should go away?

◧◩◪◨⬒
5. nybble+nL[view] [source] 2022-01-27 18:40:09
>>MattPa+OD
"Further, Federal applications cannot rely on network perimeter protections to guard against unauthorized access. Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near-term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero trust maturity model."

"Actions … 4. Agencies must identify at least one internal-facing FISMA Moderate application and make it fully operational and accessible over the public internet."

◧◩◪◨⬒⬓
6. shkkmo+vY[view] [source] 2022-01-27 19:34:11
>>nybble+nL
Which is saying that agencies have to stop relying on / requiring VPNs for authorization and access control, not that any user has to stop using VPNs.
◧◩◪◨⬒⬓⬔
7. nybble+s41[view] [source] 2022-01-27 19:57:21
>>shkkmo+vY
It's true that they didn't mandate detecting and blocking accesses from VPNs, if the user chooses to connect through one. However, they pretty clearly are saying that the application should be exposed to the public Internet, which is the opposite of what enriquto claimed[0] earlier in this thread:

> As I understand it, this sentence says that the application should be safe even if it was exposed to the public internet, not that it needs to be exposed.

[0] https://news.ycombinator.com/item?id=30103558

[go to top]