undefined | Better HN

0 pointsPLG881y ago0 comments

I would add, doing Zero Trust Networking properly means deny by default (VPNs are open by default), service based access (not whole host or network), microsegmentation (not whole network), and least privilege. You should also use posture checks to ensure the end device is compliant and personally I prefer 'authenticate before connect' with outbound only connections from source and destination.

Note, I am biased though as I work on an open source zero trust networking project - https://openziti.io/.

0 comments

nmadden1y ago

I took tptacek’s comment as implying that ZTNA solutions do do microsegmentation. Otherwise, if I get a shell in one app and have access to the entire network then what was the point of any of it? Are you saying they don’t do microsegmentation?

tptacek1y ago

Yes: "microsegmentation" is a good way to describe one strategy (the most popular one) for retrofitting a notion of OMB-style "Zero Trust" onto existing networks. It's the selling point of things like this.

PLG88OP1y ago

Agreed. My point was that ZTNA requires more than just micro segmentation, it should also include deny by default, service based access, least privilege, endpoint posture checks etc.

tptacek1y ago

Not really, no.

j / k navigate · click thread line to collapse

0 pointsPLG881y ago0 comments

Note, I am biased though as I work on an open source zero trust networking project - https://openziti.io/.

0 comments

nmadden1y ago

tptacek1y ago

PLG88OP1y ago

Agreed. My point was that ZTNA requires more than just micro segmentation, it should also include deny by default, service based access, least privilege, endpoint posture checks etc.

tptacek1y ago

Not really, no.

j / k navigate · click thread line to collapse