
this_steve_j | 7 months ago

Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.

The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.

In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.

Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.

[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...

[2] https://doi.org/10.6028/NIST.SP.1800-35

tacticus|7 months ago

> several pillars are missing from their “Zero Trust” marketing materials.

TBH several pillars are missing from their entire security posture.

Tokumei-no-hito|7 months ago

why bother when not a single vulnerability has resulted in any appreciable fines or loss of market share? it's absurd how untouchable their ubiquity has become.

betaby|7 months ago

> Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.

What does it mean in technical terms? What kind of tunnels are those and what is their purpose?

this_steve_j|7 months ago

There are four different micro-segmentation variations in the NIST reference guide: device-agent/gateway, enclaves, resource portals, and application sandboxing.

Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
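The flow this_steve_j describes in the original comment and in this reply (a Policy Engine deciding per request from attributes, with network location counting as just another attribute, and a PEP that checks posture before and after the handshake and opens a short-lived path) as an added Python model. This is illustration written for this page, not code from the poster, from NIST SP 1800-35, or from any product; the attribute names, the patch-age threshold and the "corp"/"internet"/"vpn" location labels are assumptions.

```python
# Added illustration of the per-request Zero Trust flow described in the thread:
# a Policy Engine evaluates attribute-based rules on every request, a Policy
# Enforcement Point opens a logical path only on "allow" and re-evaluates after
# the handshake. Attribute names, thresholds and location labels are assumptions.
from dataclasses import dataclass
import uuid

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool

@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int
    compromised: bool = False

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # "internal" or "restricted" (assumed vocabulary)
    required_group: str

@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple

class PolicyEngine:
    """ABAC: every attribute must pass on every request; none grants standing trust."""
    MAX_PATCH_AGE_DAYS = 30  # assumed threshold

    def evaluate(self, subject, posture, resource, network_location):
        reasons = []
        # Network location is only an attribute: the office LAN gets the same rules.
        if network_location not in ("corp", "internet", "vpn"):
            reasons.append(f"unknown network location {network_location!r}")
        if not subject.mfa_verified:
            reasons.append("mfa not verified")
        if resource.required_group not in subject.groups:
            reasons.append(f"missing group {resource.required_group}")
        if not posture.managed:
            reasons.append("device not managed")
        if posture.compromised:
            reasons.append("device flagged compromised")
        if posture.patch_age_days > self.MAX_PATCH_AGE_DAYS:
            reasons.append("device patches out of date")
        if resource.sensitivity == "restricted" and not posture.disk_encrypted:
            reasons.append("restricted resource requires disk encryption")
        return Decision(allow=not reasons, reasons=tuple(reasons))

class PolicyEnforcementPoint:
    """Opens one logical path per allowed request; there is no standing network access."""
    def __init__(self, engine):
        self.engine = engine
        self.paths = {}  # path_id -> (subject, resource, network_location)

    def request_access(self, subject, posture, resource, network_location):
        decision = self.engine.evaluate(subject, posture, resource, network_location)
        if not decision.allow:
            return None, decision
        path_id = uuid.uuid4().hex  # stands in for a per-request tunnel or flow rule
        self.paths[path_id] = (subject, resource, network_location)
        return path_id, decision

    def reevaluate(self, path_id, posture):
        """Post-handshake check: tear the path down the moment posture degrades."""
        if path_id not in self.paths:
            return False
        subject, resource, location = self.paths[path_id]
        decision = self.engine.evaluate(subject, posture, resource, location)
        if not decision.allow:
            del self.paths[path_id]
        return decision.allow

def demo():
    """Three requests with constructed sample attributes; returns the outcomes."""
    pep = PolicyEnforcementPoint(PolicyEngine())
    payroll = Resource("payroll-db", "restricted", "finance")
    healthy = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=3)
    # 1. Right group, healthy device, office LAN, but MFA not done: denied.
    no_mfa = Subject("alice", frozenset({"finance"}), mfa_verified=False)
    corp_path, corp_decision = pep.request_access(no_mfa, healthy, payroll, "corp")
    # 2. Every attribute satisfied, coming from the public internet: allowed.
    alice = Subject("alice", frozenset({"finance"}), mfa_verified=True)
    path_id, _ = pep.request_access(alice, healthy, payroll, "internet")
    # 3. The device is later flagged compromised: the open path is torn down.
    flagged = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=3, compromised=True)
    still_allowed = pep.reevaluate(path_id, flagged)
    return {
        "corp_denied": corp_path is None,
        "corp_reasons": corp_decision.reasons,
        "internet_allowed": path_id is not None,
        "torn_down": not still_allowed and path_id not in pep.paths,
    }

if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the LAN request loses on attributes alone and the internet request wins on attributes alone; reachability never enters the decision, and the path exists only for as long as the Policy Engine keeps saying yes.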