[Info-vax] US Gov't "Zero Trust" Security Requirements

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Sep 21 08:20:40 EDT 2022


On 2022-09-20, Phil Howell <phow9917 at gmail.com> wrote:
> Perhaps you should ask those who have run such systems in
> "hostile environments" for at least 25 years, like Sydney ASX?
> Average daily transaction value is over $50 billion (AU)
> Hey, they even have a job on offer, you surely know Pascal?
>
> https://www2.asx.com.au/content/dam/asx/about/job-opportunities/securities-and-payments/senior-analyst-programmer%20-chess.pdf
>

No way is that in any way near the same thing.

Those systems were designed in an era where the internal network was
considered to be much more trusted than external sources and the focus
was on stopping the external sources from getting unauthorised access
to the trusted internal network.

Today's zero trust network is very different. Today, the assumption behind
zero trust is that the internal network _has_ been compromised and that
you still need to be able to operate your systems in such an environment.

That is a much, much more aggressive thing to have to deal with and requires
a very different mindset to the one that VMS systems, even ones considered
secure by the standards of yesteryear, have traditionally had to deal with.

For example, don't forget that there are still some around here who consider
it 1) acceptable to run unencrypted protocols on the internal network because
it is somehow considered to be safe and 2) that you can trust what is coming
from other internal systems on the same internal network.

However, in today's world of zero trust, there is no such thing as a trusted
internal network any more.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


