ZeroTrustOps: Securing at Scale

Let’s start simply. How many of you are tired of hearing the term “zero trust”? And what does “zero trust” even mean? Wendy Nather (@WendyNather) explains in her All Day DevOps presentation.

What Is Zero Trust?

With zero trust, you assume nothing on the network is safe by default. Yes, your internal network too. It doesn’t mean you never trust anyone. It means trust has to be checked explicitly, every time. So even if a request is already on your network and got past your firewall, you still need to verify that it is legitimate.

The important thing to think about is that successful attackers look exactly like insiders. For example, an attacker once acquired a sysadmin’s credentials, came in through a VPN, and looked safe. The only thing that warned anyone was that the keyboard had been changed to Chinese.

Let’s say you’re in a club and the bouncer is your firewall. Zero trust means the bartender still asks every customer for ID. The bartender doesn’t rely on the checks the bouncer or anyone else performed, because the bouncer may be letting people in the door under different policies and conditions. And someone might not have come through the bouncer’s door at all; maybe they came in through the back patio. That is why identity has to be verified as close as possible to the point of access, and why the bartender will still ask for your ID.
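The bouncer-versus-bartender distinction, as an added illustration (not code from the presentation or the original post): the first function trusts a request purely because it arrived from an internal address, which is the perimeter-only model. The second requires each request to carry a short-lived signed token proving who the caller is, verifies it at the resource, and then checks a policy. The signing key, the policy table, and the names (`implicit_trust_allows`, `explicit_trust_allows`, `issue_token`, `verify_token`) are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real service would load this from a secrets store.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed access policy: which identity may reach which resource.
POLICY = {
    "alice": {"billing-db", "reports"},
    "backup-svc": {"billing-db"},
}


def implicit_trust_allows(source_ip: str) -> bool:
    """The 'bouncer only' model: anything from the internal range is trusted."""
    return source_ip.startswith("10.")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Mint a short-lived HMAC-signed token for an already-authenticated identity."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; a length mismatch simply yields False.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or "sub" not in claims:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def explicit_trust_allows(source_ip: str, token: Optional[str], resource: str,
                          now: Optional[float] = None) -> bool:
    """The 'bartender' model: every request proves identity and is checked against
    policy at the resource, no matter which network it arrived from."""
    if token is None:
        return False
    claims = verify_token(token, now)
    if claims is None:
        return False
    return resource in POLICY.get(claims["sub"], set())


if __name__ == "__main__":
    tok = issue_token("alice")
    print("internal IP, no token  (implicit):", implicit_trust_allows("10.0.0.5"))
    print("internal IP, no token  (explicit):", explicit_trust_allows("10.0.0.5", None, "reports"))
    print("external IP, valid token (explicit):", explicit_trust_allows("203.0.113.7", tok, "reports"))
    print("valid token, wrong resource:", explicit_trust_allows("10.0.0.5", tok, "payroll"))
```

Note that `source_ip` is ignored entirely by the explicit check: network location can still feed logging or rate limiting, but it is not what grants access.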

What’s Wrong With Implicit Trust?

Implicit trust is a problem. For example, the Colorado Department of Transportation ran into issues that resulted in ransomware and several weeks of outage. The story is worth looking up.

Let’s look at some trust assumptions.

Trust assumptions from Wendy Nather’s “ZeroTrustOps: Securing at Scale” presentation.


*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sylvia Fronczak. Read the original post at: