Zero trust security: Difference between revisions
(Created page with "<!-- (not to be confused with Zero-Knowledge Proof) Zero trust security is a way of thinking about access between systems, and how to architect when these all needs to interact. Consider how companies historically often end up trusting certain central parts (LDAP, RADIUS servers) blindly ("well you have to do something"), and/or consider all devices within a company perimeter (physical or VPN) trustworthy to a smaller degree. Because it's easier. {{comment|Well,...")
mNo edit summary
(3 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
{{#addbodyclass:tag_tech}} | |||
{{#addbodyclass:tag_security}} | |||
<!-- | <!-- | ||
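Review bot: the two `{{#addbodyclass:tag_tech}}` / `{{#addbodyclass:tag_security}}` lines are inserted ahead of the `<!--` that, in the shown context, still opens a comment around the whole article body, so the page picks up the tech and security body classes while its content stays hidden. If the comment is a deliberate draft marker that is fine; otherwise the `-->` closing it should land before the readable text, or the tags should be added in the same revision that publishes the body.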
Line 4: | Line 6: | ||
Zero trust security is a way of thinking about access between systems, and how to architect when these all needs to interact. | Zero trust security is a design principle, a way of thinking about access between systems, and how to architect when these all needs to interact, | ||
approximately to trust nothing until there is specific reason to. | |||
Consider how companies historically often end up trusting certain central parts (LDAP, RADIUS servers) blindly ("well you have to do something"), | Consider how companies historically often end up trusting certain central parts (LDAP, RADIUS servers) blindly ("well you have to do something"), | ||
and/or consider all devices within a company perimeter (physical or VPN) trustworthy to a | and/or consider all devices within a company perimeter (physical or VPN) trustworthy to a some degree ("well we put bring-your-own-device stuff on their own network, and it's internal anyway"). | ||
There are also cases where you say 'decentralized' and 'IoT', | |||
which somehow seem much easier to mess up security-wise than localized networks. | |||
What they share is that when security is easily made an afterthrought, | |||
it becomes a mess of "but can't you make it work?", continuous concessions and shifting goalposts. | |||
The larger the system, the more impossible this becomes to oversee. | |||
Zero trust takes a harder stance, by saying to never implicitly trust ''any'' device, unless you have a specific good reason to do so, based on verification (preferably verification in both directions). | |||
Zero trust also makes implications in larger systems more digestible. | |||
That said, exactly how this idea is still depends on implementation, | |||
because depending on the details, it may be in your way too much, | |||
and there is no security system circumvented faster than one that makes it impossible to do your work. | |||
Zero trust is easily compared to the principle of [[least privilege]], just a slightly different take on practice. | Zero trust is easily compared to the principle of [[least privilege]], just a slightly different take on practice. | ||
[[Least privilege]][https://en.wikipedia.org/wiki/Principle_of_least_privilege] tells you each module of a system should only be able to access the information necessary for its legitimate purpose. | [[Least privilege]][https://en.wikipedia.org/wiki/Principle_of_least_privilege] tells you each module of a system should only be able to access the information necessary for its legitimate purpose. |
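Review bot: the sentence "That said, exactly how this idea is still depends on implementation," is missing its verb (likely "how this idea works out"), and two lines earlier "when security is easily made an afterthrought" has a typo for "afterthought". Smaller grammar points in the same hunk: "when these all needs to interact" should be "need", and "trustworthy to a some degree" should drop the "a". On content, the new core definition ("never implicitly trust ''any'' device, unless you have a specific good reason to do so, based on verification") would be sharper if it said what is verified and when, since the paragraphs above contrast it with trusting a device for being inside the perimeter or on the VPN; stating that the verification is of identity and device per request, rather than a one-time network-location check, would make that contrast explicit and also give "makes implications in larger systems more digestible" something concrete to point at.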
Latest revision as of 00:51, 21 April 2024