Heavy Strategy 56: FU to the Followup

Greg
Ferro

Johna Till
Johnson


Taking your feedback and followup and discussing the questions you bring us. Zero Trust definitions, out of band in Zero Trust, Johna and/or Greg is/are insufferable, and re-evaluating the Tech Job Debacle with hindsight.

FU Number 1: Definitions of Zero Trust

Just wanted to say that Network Break 435 was interesting on the topic of Zero Trust and Greg vs. Johna interpreting “zero trust” differently. I’d really love to see a full break-down episode more from an engineering/architect role rather than a vendor sales pitch.

As an example, some of my questions about zero trust:

Is this an actual standard, or a marketing buzzword along the lines of “Military Grade Encryption”?–YES, standard

If not a standard that can be easily reviewed by experts, how in the world is that a good security idea?–It’s like saying “you need firewalls and DMZs”. The bad guys already know you have them; the good guys need to understand where to put them for optimal efficacy.

Does it mean all applications are exposed to public internet with no firewalling and are 100% responsible for their own security? Great! Also, good luck with that after developers have spent the last 25 years assuming firewall protection. It can, and more sophisticated organizations do exactly that…. JTJ to follow response.

Does it require installing some type of application on each client/user? If so, how in the world is that going to scale just from a helpdesk perspective? JTJ to respond

If the above is true, doesn’t the security risk belong entirely to the client, which by the way is usually the least secure thing on the network? JTJ to respond

Isn’t this yet another example of moving security problems around, rather than fixing them? IMO, Serverless and Containers are already shrinking the scope of what’s exposed on the network better than any security product or model could.

The two most common forms of exploitation are still phishing and business email compromise. Does Zero trust solve either of those? Partially.

FU #2: Zero Trust and OOB, and Johna is insufferable!

Does anyone else find Johna insufferable? Yes. Talk to my mother! Her just shouting over Greg “you can’t, you can’t”, and then stating that zero trust is an “architecture” like it is this fixed concept with only one way to do things. She is just rude, and wrong whilst being rude at that.

Zero Trust is just a framework or approach and is not prescriptive as to how to implement.

You can absolutely use OOB management networks as part of a zero trust approach. In fact the directive from CISA even lists that a remote admin VPN is acceptable as long as the management interface is not published directly to the internet. VPN access to jumphosts that then have access to OOB management networks is also acceptable according to the directive.

https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02-implementation-guidance


—————

On the recent NB435 episode Johna made a couple comments about the recent CISA “Binding Operational Directive” as well as the notion of “Zero Trust” that I feel could use some clarification.

First, I just read the actual CISA Directive as well as their accompanying “Implementation Guidance” document (both are easy to find at the “cisa.gov” web site) and they explicitly state that an “isolated management network” is an acceptable alternative to deploying Zero Trust capabilities, though CISA does prefer the ZTA option. The well managed out-of-band management network Greg described would fit this requirement, as long as it was not directly reachable from the Internet, which I assumed was part of Greg’s suggestion. Here’s the exact text from the Directive:

“Within 14 days of notification by CISA or discovery by an agency of a networked management interface in scope for this Directive, agencies will take at least one of the following actions:

a. Remove the interface from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network);

b. Deploy capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).”

The key CISA requirement is that Management Interfaces not be directly accessible from the Internet, and it is acceptable (though not preferred) to achieve this without deploying Zero Trust concepts. This is clearly not a case of “turn it off or go Zero Trust” as Johna described.

Additionally, Johna’s insistence that “Zero Trust” is only an “architecture” and not a “concept” is at odds with other CISA and NIST documents, such as the recent CISA “Zero Trust Maturity Model, Version 2.0” document from April 2023, which says this:

“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.

ZTA is an enterprise’s cybersecurity plan that uses zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a ZTA plan.”

I normally assume that hosts of a mostly live discussion format podcast will sometimes summarize things in a less than completely precise way and I’m usually fine with that, but Johna sounded so very confident with her statements that I thought it might be useful to your other listeners to clarify a few of these details.

Thanks for the great shows, and for your diligence in soliciting and at least reading these “FU” comments!
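The two directive options quoted above (an internal or isolated management network, or a policy enforcement point separate from the interface) can be turned into a simple inventory audit. The following Python is an added example written for this page; it is not CISA’s tooling or anything from the podcast. The interface names, addresses, the 10.200.0.0/24 management network and the firewall rules are all constructed sample data, and treating RFC 1918 space as “internal enterprise network” is an assumption of the example.

```python
"""Classify management interfaces against the two BOD 23-02 options quoted above.

Example code for this page (not CISA's or the podcast's). All inventory data,
addresses and firewall rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space: RFC 1918 plus a dedicated isolated management
# network. The 10.200.0.0/24 management network is a constructed choice.
MGMT_NET = ipaddress.ip_network("10.200.0.0/24")
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class MgmtInterface:
    name: str
    address: str              # IP the management interface listens on
    allowed_sources: list     # CIDRs the firewall permits to reach it
    behind_pep: bool = False  # policy enforcement point separate from the interface (option b)


# Constructed inventory (hypothetical hosts and rules).
INVENTORY = [
    MgmtInterface("core-sw1 iLO", "10.200.0.11", ["10.200.0.0/24"]),
    MgmtInterface("fw1 web UI", "203.0.113.10", ["0.0.0.0/0"]),
    MgmtInterface("storage ctl", "10.200.0.12", ["10.0.0.0/8"]),
    MgmtInterface("edge router ssh", "198.51.100.5", ["198.51.100.0/24"], behind_pep=True),
    # A rule that crept in over time: the OOB console is also open to the world.
    MgmtInterface("oob console", "10.200.0.13", ["10.200.0.0/24", "0.0.0.0/0"]),
]


def _contained(cidr: str, ranges) -> bool:
    """True if the source CIDR sits wholly inside one of the given ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == rng.version and net.subnet_of(rng) for rng in ranges)


def source_is_internal(cidr: str) -> bool:
    """A permitted source counts as internal only if it is entirely RFC 1918 space."""
    return _contained(cidr, INTERNAL_RANGES)


def classify(iface: MgmtInterface) -> str:
    """Map one interface to directive option (a), option (b), or non-compliant."""
    sources = iface.allowed_sources
    if sources and all(source_is_internal(s) for s in sources):
        # Option (a): only reachable from an internal enterprise network.
        if all(_contained(s, [MGMT_NET]) for s in sources):
            return "compliant (a): isolated management network"
        return "compliant (a): internal enterprise network"
    if iface.behind_pep:
        # Option (b): an Internet-facing path exists, but policy is enforced before the interface.
        return "compliant (b): policy enforcement point in front of interface"
    return "NON-COMPLIANT: reachable from the Internet"


def audit(inventory) -> dict:
    """Return {interface name: classification} for the whole inventory."""
    return {iface.name: classify(iface) for iface in inventory}


if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:16} {status}")
```

The check deliberately treats any permitted source that is not wholly inside internal space (including a stray 0.0.0.0/0 next to a correct management-network rule) as Internet exposure, which is how the "oob console" entry gets flagged even though it lives on the isolated network.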

FU #3: HS050 – The Tech Job Debacle

Sort of just a comment with what we’ve been seeing with the huge job layoffs of 2023. The demand for remote jobs is off the charts, even more than with the pandemic. I’m talking to HR people who had an IT position posted and in a week received 300 applications.

Other companies have been so overwhelmed with the applications that they are returning these positions back to physical/local (they moved those to hybrid or remote after the pandemic effects).

Sort of chaotic times these past months.

That was my comment lol. Anyways, thank you guys for always such a good show. Heavy Strategy is one of, if not my, favorite podcast at the moment.
