Zero trust security: Difference between revisions

From Helpful
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{{#addbodyclass:tag_tech}}
{{#addbodyclass:tag_security}}
<!--
<!--


Line 4: Line 6:




Zero trust security is a security design principle, a way of thinking about access between systems, and how to architect when these all needs to interact.
Zero trust security is a design principle, a way of thinking about access between systems, and how to architect when these all needs to interact,
approximately to trust nothing until there is specific reason to.




Consider how companies historically often end up trusting certain central parts (LDAP, RADIUS servers) blindly ("well you have to do something"),
Consider how companies historically often end up trusting certain central parts (LDAP, RADIUS servers) blindly ("well you have to do something"),
and/or consider all devices within a company perimeter (physical or VPN) trustworthy to a smaller degree.
and/or consider all devices within a company perimeter (physical or VPN) trustworthy to a some degree ("well we put bring-your-own-device stuff on their own network, and it's internal anyway").
Because it's easier.
{{comment|Well, except you then immediately start having  "Oh yeah that's on its own isolated network because anything resembling Bring Your Own Device would be a bad idea otherwise"}}


There are also cases where you say 'decentralized' and 'IoT',
which somehow seem much easier to mess up security-wise than localized networks.


Zero trust aims to make implications in larger systems more digestible, by saying to never implicitly trust ''any'' device, unless you have a specific good reason to do so, based on verification (preferably verification in both directions).


What they share is that when security is easily made an afterthrought,
it becomes a mess of "but can't you make it work?", continuous concessions and shifting goalposts.
The larger the system, the more impossible this becomes to oversee.


It is also a useful reminder that when you say things like 'decentralized' and 'IoT' - these things are so much easier to fuck up security-wise than localized networks, and you should not make your security terrible by making it an afterthought.


Zero trust takes a harder stance, by saying to never implicitly trust ''any'' device, unless you have a specific good reason to do so, based on verification (preferably verification in both directions).


Zero trust also makes implications in larger systems more digestible.
That said, exactly how this idea is still depends on implementation,
because depending on the details, it may be in your way too much,
and there is no security system circumvented faster than one that makes it impossible to do your work.


Exactly how meaningful the idea of zero trust is will still depend on implementation.




Zero trust is easily compared to the principle of [[least privilege]], just a slightly different take on practice.
Zero trust is easily compared to the principle of [[least privilege]], just a slightly different take on practice.


[[Least privilege]][https://en.wikipedia.org/wiki/Principle_of_least_privilege] tells you each module of a system should only be able to access the information necessary for its legitimate purpose.
[[Least privilege]][https://en.wikipedia.org/wiki/Principle_of_least_privilege] tells you each module of a system should only be able to access the information necessary for its legitimate purpose.

Latest revision as of 00:51, 21 April 2024

Retrieved from "https://helpful.knobs-dials.com/index.php?title=Zero_trust_security&oldid=95652"