NIST 800-207A: Implementing Zero Trust Architecture(infoq.com)
infoq.com
NIST 800-207A: Implementing Zero Trust Architecture
https://www.infoq.com/presentations/nist-800-207a/
12 comments
It seems to me that much of the zero trust architecture is relevant to enterprises with a lot of users. For individuals or home users, there might be just one or few users, who need to access it all. There, a simple VPN server might be all you need. There is not so much need for segmentation, identity based authentication, etc given that they often come at the expense of the reliance on third parties.
I think one of the core lessons in network security in the past 10-20 years is that the VPN model is fundamentally broken from a security perspective.
There is another entirely seperate argument that I think you’re making which says zero trust is still a huge pain in the ass which I would largely agree with.
To the point that it wouldn’t even be in consideration for individuals although I will say that if you were in a situation where something like ChromeOS and a $5/m workspace account might fit your needs you could actually get yourself a pretty great setup from a security perspective and all the zero trust stuff is handled for you when it comes to anything in that ecosystem.
There is another entirely seperate argument that I think you’re making which says zero trust is still a huge pain in the ass which I would largely agree with.
To the point that it wouldn’t even be in consideration for individuals although I will say that if you were in a situation where something like ChromeOS and a $5/m workspace account might fit your needs you could actually get yourself a pretty great setup from a security perspective and all the zero trust stuff is handled for you when it comes to anything in that ecosystem.
What I wonder is about Qubes [0].
For a long time zero implicit trust is my default way of configuring small systems of 3 or 4 hosts and a handful of services. But I get tired of the administration overhead.
Does anyone who knows Qubes well, and has a sound understanding of what's implied by this NIST advice, think it's a good fit for meeting some of the advice? It seems less work.
WRT third parties? Why would anyone outsource trust in a domestic, or small office system?
[0] https://en.wikipedia.org/wiki/Qubes_OS
For a long time zero implicit trust is my default way of configuring small systems of 3 or 4 hosts and a handful of services. But I get tired of the administration overhead.
Does anyone who knows Qubes well, and has a sound understanding of what's implied by this NIST advice, think it's a good fit for meeting some of the advice? It seems less work.
WRT third parties? Why would anyone outsource trust in a domestic, or small office system?
[0] https://en.wikipedia.org/wiki/Qubes_OS
I sometimes use Qubes and I find it very useful for securing individual workstations. You can run applications such as a browser in disposable VMs. A vulnerability in the application doesn’t compromise most of the system. Different components such as networking or USB run in isolated environments. That’s segmentation part of the NIST advice (at OS level, not network). It’s especially useful against targeted attacks, that often rely on the zero day exploits. As far as I know, it’s very difficult to chain two vulnerabilities, one in the browser and one in the Xen hypervisor to escape the hypervisor security boundary. There are also a host of other security features, such as air gapping some of data, built in support for Whonix (probably the most secure way to access the Tor network), Gpg Qube, etc.
Qubes-OS is usable, although it has to be made more user friendly. You can organize your digital content in isolated “computers” which simplifies your setup. Like, one VM for each project or client. Highly recommended!
Another thing: the OS is not backed by a company. You have to trust independent developers (but they are known publicly), in addition to Debian or Fedora developers.
Qubes-OS is usable, although it has to be made more user friendly. You can organize your digital content in isolated “computers” which simplifies your setup. Like, one VM for each project or client. Highly recommended!
Another thing: the OS is not backed by a company. You have to trust independent developers (but they are known publicly), in addition to Debian or Fedora developers.
Thanks. Does it make running identity based compartmentalisation
across multiple bits of hardware any easier? Anything to
replicate/migrate VMs across a network securely or owt like that? Or
is it more "single workstation" model as you say?
It’s definitely meant to be a single user operating system. It does have a VM back up system, and you can back up your home data with the usual third party tools.
Cheers aborsy. Still on my todo list to harden individual nodes.
NIST 800 in general typically doesn't apply to home users.
Exactly!
There are a lot of posts on mesh VPNs on HN. They are useful for startups to control access using ACLs in a granular manner (centralized cloud based firewalls, device context, logging etc). I don’t see the utility in small setups where there isn’t whole lot to segment anyways. The main appeal is probably the ease of installation.
There are a lot of posts on mesh VPNs on HN. They are useful for startups to control access using ACLs in a granular manner (centralized cloud based firewalls, device context, logging etc). I don’t see the utility in small setups where there isn’t whole lot to segment anyways. The main appeal is probably the ease of installation.
As someone who uses a ZTNA-like VPN (Tailscale specifically) it has its benefits, it’s a more understandable auth for less technical users, just log in with Google or Apple.
It then allows me to segment the potentially more skilled users to apps I only want them to have, for example only I have access to server backends for example, granted this is niche, outside most home user requirements and general house holds won’t even have any infrastructure at home.
But yes, Zero Trust is for business, home users do not face the same threats, instead they should be more concerned with theft or ransomware than anything else.
I personally will still fall under that same category, I’m not someone important, and the easiest way to breach my accounts will be phishing, but heck, it’s fun regardless.
But yes, Zero Trust is for business, home users do not face the same threats, instead they should be more concerned with theft or ransomware than anything else.
I personally will still fall under that same category, I’m not someone important, and the easiest way to breach my accounts will be phishing, but heck, it’s fun regardless.
I have done it. Net segmentation , net auth .1x and identity governance are must do implementations.
[deleted]