[Info-vax] US Gov't "Zero Trust" Security Requirements
Kerry Main
kemain.nospam at gmail.com
Fri Sep 23 20:39:58 EDT 2022
> -----Original Message-----
> From: Info-vax <info-vax-bounces at rbnsn.com> On Behalf Of Simon Clubley
> via Info-vax
> Sent: September-21-22 9:21 AM
> To: info-vax at rbnsn.com
> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP>
> Subject: Re: [Info-vax] US Gov't "Zero Trust" Security Requirements
>
> On 2022-09-20, Phil Howell <phow9917 at gmail.com> wrote:
> > Perhaps you should ask those who have run such systems in "hostile
> > environments" for at least 25 years, like Sydney ASX?
> > Average daily transaction value is over $50 billion (AU) Hey, they
> > even have a job on offer, you surely know pascal?
> >
> > https://www2.asx.com.au/content/dam/asx/about/job-opportunities/securities-and-payments/senior-analyst-programmer%20-chess.pdf
> >
>
> No way is that in any way near the same thing.
>
> Those systems were designed in an era where the internal network was
> considered to be much more trusted than external sources and the focus
> was on stopping the external sources from getting unauthorised access to
> the trusted internal network.
>
> Today's zero trust network is very different. Today, the assumption behind
> zero trust is that the internal network _has_ been compromised and that you
> still need to be able to operate your systems in such an environment.
>
> That is a much much more aggressive thing to have to deal with and requires
> a very different mindset to the one that VMS systems, even ones considered
> secure by the standards of yesteryear, have traditionally had to deal with.
>
> For example, don't forget that there are still some around here who consider
> it 1) acceptable to run unencrypted protocols on the internal network
> because it is somehow considered to be safe and 2) that you can trust what is
> coming from other internal systems on the same internal network.
>
> However, in today's world of zero trust, there is no such thing as a trusted
> internal network any more.
>
> Simon.
>
The issue of the internal network being a major security risk is nothing
new.
This has been highlighted by security professionals for many years.
As examples: 2009 articles
<http://informationsecurityformanagers.blogspot.com/2009/03/again-internal-security-threat.html>
Quote "Please repeat after me...there is no difference between the inside
and the outside anymore. Security solutions have to be built according to a
model where users only have access information "on a need to know basis"
REGARDLESS of where they happen to be for the moment (and according to how
secure the device is etc. etc.). Today's IT environment is far too complex
and users too mobile for an inside/outside model." End quote.
<https://www.darkreading.com/vulnerabilities-threats/reports-security-pros-shift-attention-from-external-hacks-to-internal-threats>
Quote "It's official: Today's security managers are more worried about
insiders leaking sensitive corporate data than they are about outsiders
breaking in to steal it.
In a soon-to-be-published survey of more than 400 IT and security
professionals conducted by Dark Reading and sister publication
InformationWeek, 52 percent of respondents said they are more concerned
about the possibility of internal data leaks -- both accidental and
malicious -- than they are about external threats" End quote
Another issue with some large companies today is that, imho, they have too
many internal FW zones i.e. Apars, WEB_RZ, DB_RZ and numerous others. Each
zone will typically have a pair of FWs separating each zone.
The complexity of maintaining hundreds and usually thousands of rules in
EACH FW leads to an environment in which it becomes almost impossible to
accurately understand all the various flows.
Many of these FW rules are legacy, but few FW OPS staff want to clean these
up because they are afraid some legacy App or Service will break.
This issue comes up all the time when doing DC Migration/Consolidations.
Zero Trust Networks (ZTA) is just a more modern term to address this old
issue.
Regards,
Kerry Main
Kerry dot main at starkgaming dot com
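The rule-base sprawl described above (thousands of rules per firewall, legacy entries nobody dares remove) is something a defender can at least measure. The following is an added example, not code from the thread or from any firewall vendor: it parses a small, constructed first-match rule base and reports two cleanup candidates, rules that are fully shadowed by an earlier rule (they can never match, and when the earlier rule has the opposite action the later rule's intent is silently defeated) and rules whose hit counter is zero. The text format, the `hits` column and all addresses are assumptions made for the example.

```python
"""Static checks over an ordered, first-match firewall rule base (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    port_lo: int            # destination port range; "any" becomes 0-65535
    port_hi: int
    hits: int               # hit counter as exported by the firewall (assumed column)


# Constructed rule base: name action src dst proto dport hits
RULES_TEXT = """\
R1 allow 10.0.0.0/8     10.20.0.0/16   tcp 443  120530
R2 allow 10.1.0.0/16    10.20.5.0/24   tcp 443  0
R3 deny  0.0.0.0/0      10.20.5.10/32  tcp 22   17
R4 allow 192.168.1.0/24 10.20.5.10/32  tcp 22   0
R5 allow 10.30.0.0/16   10.40.0.0/16   udp 53   44021
R6 allow 10.30.0.0/16   10.40.0.0/16   any any  0
"""


def _parse_ports(field: str) -> Tuple[int, int]:
    if field == "any":
        return 0, 65535
    if "-" in field:
        lo, hi = field.split("-", 1)
        return int(lo), int(hi)
    return int(field), int(field)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, action, src, dst, proto, ports, hits = line.split()
        lo, hi = _parse_ports(ports)
        rules.append(Rule(name, action, ip_network(src), ip_network(dst),
                          proto, lo, hi, int(hits)))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (a.src.supernet_of(b.src)
            and a.dst.supernet_of(b.dst)
            and (a.proto == "any" or a.proto == b.proto)
            and a.port_lo <= b.port_lo
            and a.port_hi >= b.port_hi)


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, bool]]:
    """(later, earlier, conflicting_action) for rules no packet can ever reach.

    Only single-rule shadowing is detected; a rule hidden by the union of
    several earlier rules is not reported.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break
    return findings


def find_unused(rules: List[Rule], min_hits: int = 1) -> List[str]:
    """Rules whose hit counter is below min_hits over the export window."""
    return [r.name for r in rules if r.hits < min_hits]


def report(text: str) -> List[str]:
    rules = parse_rules(text)
    lines = []
    for later, earlier, conflict in find_shadowed(rules):
        tag = "CONFLICT" if conflict else "redundant"
        lines.append(f"{later} shadowed by {earlier} ({tag})")
    for name in find_unused(rules):
        lines.append(f"{name} has zero hits")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RULES_TEXT)))
```

On the constructed data R2 is plain redundancy (R1 already allows it), while R4 is the dangerous case: the broader deny in R3 means the allow in R4 never fires, so whoever added R4 believes SSH from 192.168.1.0/24 is permitted when it is not. R6 is unreachable by neither test but has no hits and is far broader than R5; a zero-hit, wide-open rule is exactly the legacy entry the text says nobody wants to touch.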