[Info-vax] US Gov't "Zero Trust" Security Requirements

Alexander Schreiber als at usenet.thangorodrim.de
Wed Sep 21 10:04:19 EDT 2022


John Dallman <jgd at cix.co.uk> wrote:
> In article <tgevio$1qglo$1 at dont-email.me>,
> clubley at remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:
>
>> Today's zero trust network is very different. Today, the assumption 
>> behind zero trust is that the internal network _has_ been compromised
>> and that you still need to be able to operate your systems in such 
>> an environment.
>
> The rise in compromises that necessitated this change of mindset seems to
> have been largely due to the tendency of managers and salescreatures with
> laptops to take them out of the office and get them infected with malware.
> Then /targeted/ malware started being distributed via e-mail phishing. At
> this point, a lot of IT departments' management concluded the secured
> world of the past was no longer viable, except under very special
> circumstances. 

Worse. It starts with the classic coconut security model (hard perimeter,
soft core), continues with the office network having unrestricted access
to the production network (be it a data center or a factory floor with
computer controlled machinery), usually 'because it is convenient' and
continues with people having way more access than they need (no, the
CEO of WeMakeWidgets does _not_ need full admin privileges on the
production database). And then you are one malware-loaded email away
from getting your systems encrypted, just because someone clicked where
they were told not to click (and honestly, that's not that person's
fault).

Yes, proper internal security boundaries take work to properly define,
set up and maintain. They can also make the difference between "we
have to re-image one project manager's laptop" and "production is
down hard because it all got encrypted".

The times of "the internal network is a safe place" have been over
for quite some time.

Kind regards,
           Alex.
-- 
"Opportunity is missed by most people because it is dressed in overalls and
 looks like work."                                      -- Thomas A. Edison
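To make the contrast above concrete, here is a small policy evaluator (an added example, not code from the thread or from any poster) that models the two approaches side by side: the "coconut" model, where anything inside the perimeter is trusted, and a deny-by-default model where every request must pass identity, least-privilege authorisation, segmentation and device-health checks no matter which network it comes from. The segments, identities, resources and grants are all constructed for illustration; the `blast_radius` helper shows what a single compromised laptop can reach under each model.

```python
"""Perimeter ("coconut") model vs. zero-trust, least-privilege model.
Added illustration; every segment, identity and grant below is constructed."""

import ipaddress
from dataclasses import dataclass

# Constructed network zones (assumption: one RFC 1918 range per zone).
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed least-privilege grants: identity -> {(resource, action)}.
GRANTS = {
    "dba-service": {("prod-db", "read"), ("prod-db", "admin")},
    "report-svc": {("prod-db", "read")},
    "pm-laptop-user": {("wiki", "read"), ("wiki", "write")},
    "ceo": {("wiki", "read"), ("finance-dashboard", "read")},
}

# Segmentation is an independent control: even an authorised identity may
# only reach a resource from the zones listed here.
RESOURCE_SEGMENTS = {
    "prod-db": {"production"},
    "wiki": {"office", "production"},
    "finance-dashboard": {"office"},
}

ACTIONS = ("read", "write", "admin")


@dataclass(frozen=True)
class Request:
    source_ip: str
    identity: str           # authenticated user or service account ("" = none)
    resource: str
    action: str
    device_healthy: bool = True  # e.g. endpoint agent reports no compromise


def segment_of(ip: str) -> str:
    """Map a source address to its zone; anything unknown counts as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def perimeter_model(req: Request) -> bool:
    """Coconut model: the edge firewall is the only control, so every host
    inside the perimeter may talk to everything, as anyone, for any action."""
    return segment_of(req.source_ip) != "internet"


def zero_trust_model(req: Request) -> bool:
    """Deny by default. Identity, grant, segment and device state are all
    checked on every request, regardless of where the packet originates."""
    if not req.identity:
        return False
    if (req.resource, req.action) not in GRANTS.get(req.identity, set()):
        return False
    if segment_of(req.source_ip) not in RESOURCE_SEGMENTS.get(req.resource, set()):
        return False
    if not req.device_healthy:
        return False
    return True


def evaluate(req: Request) -> dict:
    """Decision of both models for one request."""
    return {"perimeter": perimeter_model(req), "zero_trust": zero_trust_model(req)}


def blast_radius(identity: str, source_ip: str, model, device_healthy: bool = True) -> set:
    """Everything a (possibly compromised) host with this identity can reach
    under the given model: the difference between re-imaging one laptop and
    having production encrypted."""
    reachable = set()
    for resource in RESOURCE_SEGMENTS:
        for action in ACTIONS:
            req = Request(source_ip, identity, resource, action, device_healthy)
            if model(req):
                reachable.add((resource, action))
    return reachable


if __name__ == "__main__":
    # CEO on an office laptop asking for admin on the production database.
    print(evaluate(Request("10.10.1.23", "ceo", "prod-db", "admin")))
    # Project manager's laptop flagged unhealthy: what can it still reach?
    for model in (perimeter_model, zero_trust_model):
        print(model.__name__, sorted(blast_radius("pm-laptop-user", "10.10.5.7",
                                                  model, device_healthy=False)))
```

Run as a script it prints the two models' decisions for the CEO-on-the-office-LAN case and the reach of a compromised project manager's laptop; under the perimeter model that laptop reaches every resource and action, under the deny-by-default model it reaches nothing once its device state is bad, and only the wiki even when healthy.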
