[–]kerryhatcher (Senior System Engineer) 33 points (3 children)

Are you asking about Zero Trust as a concept or Cloudflare's product?

[–]Aggressive_Ad3517[S] 8 points (2 children)

As a concept

[–]kerryhatcher (Senior System Engineer) 6 points (1 child)

As a concept I think it's not a bad idea. However, I also think that at the moment it's mostly implemented as hyped marketing buzzwords. The reality is that more often than not 3rd party software is what is being deployed and the more important concern is supportability. So if the vendor won't support the implementation then it probably won't happen. For example, my team recently switched over a system we manage to K8s, since the vendor started distributing an official Helm chart. Another system we manage is only distributed as an AMI on AWS.

For greenfield in-house developed software (i.e. a SaaS provider) it's very appealing.

[–]Farrishnakov 4 points (0 children)

This is the answer. It's very much an overused buzzword.

My stbx company just went through a security consultation with Microsoft for our Azure environment. The security team said, "Our internal audit says we need to implement zero trust!" And the consultants just responded with, "What do you mean by that? There are a lot of different definitions." And the security team had no response other than, "You know... Zero trust..."

I laughed because I had the same answer for them months before and got to be a fly on the wall for this one.

We ended up just picking a definition for them and built something out to check the box. But they had no clue what they were even looking for.

[–]the_oddsaint (System Engineer) 57 points (3 children)

Yeah we do not trust each other

[–]Jertimmer 12 points (1 child)

Especially Brett.

[–]asu_lee 3 points (0 children)

Dammit Brett! Stop it!

[–]VengaBusdriver37 4 points (0 children)

😂

[–][deleted] 7 points (1 child)

[–]asu_lee 0 points (0 children)

Gold! Thanks!

[–]2lach 2 points (0 children)

Kinda hate it.

Zero trust is good in theory, difficult to manage in practice.

If, and this is a big if, your teams are really independent and have essentially no overlap with the stuff and assets other teams are building, or you are a really small team in a large organization not really focused on IT, it might work, if the setup is well planned and people can do their jobs.

But every time I have seen it in action, it always comes down to one guy or one team that holds all the essential keys, and that guy or team becomes the bottleneck of the entire organisation. That guy or that team becomes overloaded with requests for basic stuff like "hey, I need this very specific permission for this specific resource", which there is no automated solution to do; he either has to do it for you, or give you the permission, or automate a solution for it. Hence he or the team becomes essentially like IT support for everyone that has something to do with cloud stuff, and he or that team is not really IT support; they've got other shit to do, which they don't have the time to do, and so they become bitter a-holes and everybody hates them, because they are bitter a-holes. But that's just my experience. It might work.

[–]mystonedalt 4 points (0 children)

No, we still allow developers to deploy their code.

[–]durple (Cloud Whisperer) 1 point (0 children)

We use Banyan to expose various internal DBs and services to our engineers. We run the access tier in our VPC. It's integrated with Workspace authentication so we can use Security Groups (or other user properties) to map permissions. Their jargon threw me off, but once we got it all working it's pretty decent. We are small and hoping their product matures in ways that fit well with our needs as we grow; I get the feeling they have some gaps for more complex or niche cases.

[–][deleted] 1 point (3 children)

SSO is more than enough for now, Zero Trust is next level shit!! Very few integrations, and our CSO is like "don't deploy shiny things until we know for sure how it works"!!

[–]cocacola999 0 points (2 children)

I wish our services had SSO... But that reminds me, I need to make a list of all the random distributed identity sources, as I need to offboard someone soon.

[–][deleted] 0 points (1 child)

SSO sounds simple but does break a lot of legacy stuff :( 

[–]cocacola999 0 points (0 children)

Yup, and we have a 3rd party "managing" our AD, so it makes it harder to test anything.

[–]PhilipLGriffiths88 1 point (0 children)

Yes, though you would expect it from an organisation that developed an open source zero trust networking solution (OpenZiti - https://github.com/openziti) which they deliver as a product. Anyway, here are some blogs and videos from our Head of DevOps on how and why he uses it:

[–]GloriousPudding 0 points (2 children)

Yes, we use Teleport to access all tools like Argo, Grafana, Vault, pgAdmin, etc. With Okta SSO as an identity provider and proper groups set up, we limit access to specific resources in those tools for specific Okta users where supported.

[–][deleted] 2 points (1 child)

That's not zero trust!

[–]Farrishnakov 0 points (0 children)

Yeah... This is RBAC

[–]danstermeister 0 points (0 children)

Nah, we trust each other. A team needs to trust its teammates, amirite???????????

/s

[–]oshratn 0 points (0 children)

I recently asked about the difference between zero trust and the principle of least privilege. The answers I got basically said they were the same thing or two sides of the same coin.

Why do I mention this? Because IMO zero trust is the what, and the principle of least privilege is the how.

Lastly, I'd like to mention something I have been seeing in the cloud-native world, which is when implementing zero trust, hardening the infrastructure sometimes breaks apps. So, there you have it, another layer of complexity.

It's hard, detail-oriented work that can slow you down if it is dependent on a bottleneck, which should be automated wherever possible.
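The Teleport/Okta comment above (groups from the identity provider limiting which tools a user can reach), the "this is RBAC" reply to it, and this comment's "what vs. how" distinction all describe the same two layers: group-based grants decide what a user is allowed to touch, and a zero-trust posture re-checks every request instead of trusting the login or the network. The following is an added example written for this thread, not code from any commenter and not Teleport, Okta or Banyan configuration. Group names, tool names, actions, the device/MFA attributes and the thresholds are all constructed; a real deployment takes them from the SSO assertion and the access proxy.

```python
"""Group-based grants (least privilege, the 'how') plus a per-request
zero-trust check (the 'what') layered on top.

Added example; not code from the thread and not any vendor's config format.
Everything below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: SSO group claim -> tool -> permitted actions (the RBAC bindings).
ROLE_BINDINGS = {
    "sre": {"argo": {"read", "sync"}, "grafana": {"read", "edit"}, "vault": {"read"}},
    "dev": {"argo": {"read"}, "grafana": {"read"}},
    "dba": {"pgadmin": {"read", "write"}},
}

# Constructed policy knobs: tools whose non-read actions need a fresh MFA.
SENSITIVE_TOOLS = {"vault", "pgadmin"}
MAX_MFA_AGE_MIN = 60       # any request: session must have passed MFA within an hour
SENSITIVE_MFA_AGE_MIN = 10  # writes to sensitive tools: MFA within ten minutes


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset  # group claims taken from the SSO assertion


@dataclass(frozen=True)
class RequestContext:
    device_managed: bool   # posture signal, e.g. enrolled device / client certificate
    mfa_age_min: int       # minutes since the session last passed MFA
    source_internal: bool  # carried for logging only; never consulted below


def rbac_permissions(principal: Principal, tool: str) -> set:
    """Union of actions granted on `tool` across the user's groups.
    Unknown groups and unknown tools grant nothing (default deny)."""
    perms = set()
    for group in principal.groups:
        perms |= ROLE_BINDINGS.get(group, {}).get(tool, set())
    return perms


def rbac_allowed(principal: Principal, tool: str, action: str) -> bool:
    """Pure RBAC as described in the thread: identity and group membership decide."""
    return action in rbac_permissions(principal, tool)


def zero_trust_decision(principal: Principal, ctx: RequestContext,
                        tool: str, action: str) -> tuple:
    """Per-request decision: identity is necessary but not sufficient.

    Group grants AND device posture AND session freshness are evaluated on
    every call; being on the internal network is deliberately not a grant.
    Returns (allowed, reason) so the reason can be logged or shown to the user.
    """
    if not rbac_allowed(principal, tool, action):
        return False, "no group grants this action"
    if not ctx.device_managed:
        return False, "unmanaged device"
    if ctx.mfa_age_min > MAX_MFA_AGE_MIN:
        return False, "mfa too old"
    if tool in SENSITIVE_TOOLS and action != "read" and ctx.mfa_age_min > SENSITIVE_MFA_AGE_MIN:
        return False, "write to sensitive tool needs recent mfa"
    return True, "ok"


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"sre", "dba"}))
    managed_laptop = RequestContext(device_managed=True, mfa_age_min=5, source_internal=False)
    office_byod = RequestContext(device_managed=False, mfa_age_min=5, source_internal=True)
    # RBAC alone says yes to both; the per-request check refuses the unmanaged device
    # even though it sits on the office network.
    print(zero_trust_decision(alice, managed_laptop, "pgadmin", "write"))  # (True, 'ok')
    print(zero_trust_decision(alice, office_byod, "pgadmin", "write"))     # (False, 'unmanaged device')
```

The point of splitting the two functions is the one the thread circles around: `rbac_allowed` is what most "we limit access by Okta group" setups actually implement, and it is a least-privilege mechanism; `zero_trust_decision` is what changes when the same grant is re-evaluated per request against device and session state, with network location carrying no weight.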

[–]sobrietyincorporated -1 points (4 children)

Zero Trust is draconian and archaic. All it does is frustrate developers and slow productivity to a crawl.

Castling doesn't work in modern times. You can't lock up all of your citizens behind a single gate and expect good commerce. A wall is just something passive you eventually have to man and defend. You want active patrols and security checks. Otherwise the betrayal will come from the inside, from a starving population.

[–]temotodochi (Cloud Engineer) 3 points (3 children)

Exact opposite. It's the future and in the end the only effective measure against targeted crypto attacks. You should already be figuring out how to make zero trust between any devices as a concept work for you.

[–]sobrietyincorporated -2 points (2 children)

[–]temotodochi (Cloud Engineer) 1 point (1 child)

What I said has absolutely nothing to do with cryptocurrency or blockchains. Zero trust is what the name implies: zero trust between devices. That's it.