Them: How do we add zero trust to this
-
"but agile..."
@maya_b do you want scaled agile? Because this is how you get scaled agile.
-
@maya_b do you want scaled agile? Because this is how you get scaled agile.
-
Them: How do we add zero trust to this?
Me: :stares:Zero trust, like least-privilege, is a framework for thinking about problems. It's not a seasoning you sprinkle over your eggs.
@petrillic *tells everyone to stop trusting the service* there, zero trust added
-
@sam part of the challenge is that vendors have weaponized the terminology to describe whatever new product or feature they're peddling.
My distillation is: 1) Everything secure always; 2) Everything means everything, no implicit trust; 3) Access is granted per-session/request and strictly enforced, explicit trust; 4) Policy and decisions account for all available surveillance data.
-
@sam correct, it should have eto establish trust as well. Certificates are part of it, but it's inadequate. Unfortunately, i don't think the industry has really grappled with this.
-
@sam correct, it should have eto establish trust as well. Certificates are part of it, but it's inadequate. Unfortunately, i don't think the industry has really grappled with this.
@petrillic there are a ton of cool cryptographic widgets coming down the pipe to be excited about, like zero-knowledge proofs, homomorphic encryption, etc. too!
-
Them: How do we add zero trust to this?
Me: :stares:Zero trust, like least-privilege, is a framework for thinking about problems. It's not a seasoning you sprinkle over your eggs.
I've rarely worked at a place where they let you build in security from the start, rather than something they think they can add after everything else is done.
And almost nobody, no matter the industry, will make an asset inventory for me to use.
-
I've rarely worked at a place where they let you build in security from the start, rather than something they think they can add after everything else is done.
And almost nobody, no matter the industry, will make an asset inventory for me to use.
@Emily @petrillic that's the only way to have good security. It's not something that can be effectively bolted on - it needs to be part of the design from day 1.
-
I've rarely worked at a place where they let you build in security from the start, rather than something they think they can add after everything else is done.
And almost nobody, no matter the industry, will make an asset inventory for me to use.
@Emily sadly, I can't disagree. This is why I continue to try and push for new ideas and new approaches. We've tried the same thing over and over, and failed. At some point, let's try something new, and potentially still fail, but at least maybe learn something.
-
Them: How do we add zero trust to this?
Me: :stares:Zero trust, like least-privilege, is a framework for thinking about problems. It's not a seasoning you sprinkle over your eggs.
@petrillic "Well, my trust in your organization already dropped significantly, throw in some post-quantum AI blockchain and I bet we can get to zero"
-
@sam @petrillic what I gathered from talking to a vendor at a security conference is that it's definitely not VPNs no matter the context when I told him that we had reimplemented parts of the OpenVPN protocol.
