Which solutions (security controls) do you use to have zero trust architecture?
Zero trust shouldn’t be a product, but an overall design approach. Zero trust should make you think about each interaction as potentially compromised/insecure.
For the IAM domain - extensive use of OAuth as authentication/authorization controls. Make sure tokens are validated by the API gateway and each API. Enforce fine-grained authorization using scopes.
Continuously audit and attest what authorization level each app has.
Enforce strong controls for client applications requesting tokens. Only use client credentials or auth code flow with PKCE. Use signed assertions where possible over client_secret.
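As an added example (not the commenter's code, and not any vendor's), here is a stdlib-only Python sketch of the two resource-side checks named above: the token is validated (algorithm pinned, signature, issuer, audience, expiry) and the route's required scopes are enforced, the same function being what a gateway and each API behind it would run; the PKCE S256 code_challenge/code_verifier step is included as well. The HS256 shared key, issuer, audience, route table and claim values are all constructed for the demo. A production deployment would use asymmetric signing keys fetched from the authorization server's JWKS and private_key_jwt client assertions, which this example does not show.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo constants: shared HS256 key, issuer and this API's audience.
KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://as.example.test"
AUDIENCE = "orders-api"
# Assumed per-route scope requirements; anything not listed is denied.
ROUTE_SCOPES = {
    ("GET", "/orders"): {"orders:read"},
    ("POST", "/orders"): {"orders:write"},
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- PKCE (RFC 7636), S256 method -------------------------------------
def pkce_pair():
    """Client side: random code_verifier and its SHA-256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_verify(verifier, challenge):
    """Authorization server side, at the token endpoint."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


# ---- HS256 JWT mint / verify --------------------------------------------
def jwt_encode(claims, key):
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class TokenError(Exception):
    pass


def jwt_verify(token, key, issuer, audience, now=None):
    """Check alg, signature, iss, aud and exp; return claims or raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("algorithm not allowed")  # pinned; alg=none is never honoured
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))  # only parsed after the signature holds
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


# ---- Resource-side check, run in the gateway AND again in each API -----
def authorize(token, method, path, now=None):
    """Return (status, detail): 200 with subject, 401 bad token, 403 missing scope."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return 403, "route not configured"
    try:
        claims = jwt_verify(token, KEY, ISSUER, AUDIENCE, now)
    except TokenError as err:
        return 401, str(err)
    granted = set(claims.get("scope", "").split())
    if not required <= granted:
        return 403, "insufficient_scope"
    return 200, claims.get("sub")


def demo(now=1_700_000_000):
    """Mint a read-only token and exercise the checks; returns a dict of outcomes."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "svc-reporting", "exp": now + 300}
    token = jwt_encode(dict(base, scope="orders:read"), KEY)
    # A forged token: scope escalated to write, but signed with a key the AS never issued.
    forged = jwt_encode(dict(base, scope="orders:write"), b"attacker-key")
    verifier, challenge = pkce_pair()
    return {
        "read": authorize(token, "GET", "/orders", now)[0],
        "write": authorize(token, "POST", "/orders", now)[0],
        "expired": authorize(token, "GET", "/orders", now + 600)[0],
        "forged": authorize(forged, "POST", "/orders", now)[0],
        "pkce_ok": pkce_verify(verifier, challenge),
        "pkce_bad": pkce_verify(verifier + "x", challenge),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `authorize` being a plain function is that the gateway and every downstream service call the same check on the same token rather than the services trusting a header the gateway set; the scope comparison is a subset test so a route can require more than one scope.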
None. I have zero trust in them.
1 rule in all firewalls and proxies, Drop All /s
We are currently moving everyone from VPN/VDI solutions to Zscaler proxy (zero trust networking solution), which has kinda been hard as developers are used to having a wide-open network to work on and not having to think about host names, IP addresses, port numbers, etc., so it's a lot of troubleshooting, to say the least.
“Zero Trust” is a network architecture. The DoD Zero Trust framework currently has 7 capability pillars:
- User
- Device
- Application & Workload
- Data
- Network & Environment
- Automation & Orchestration
- Visibility & Analysis
CISA’s Zero Trust Maturity Model 2.0 says, “The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible.” So, solutions have to deliver defense-in-depth without operational complexity. As far as vendors go, there are tons of them; all claiming to address Zero Trust. You have to prioritize what your network requires against your budget to choose the right one. https://blueridgenetworks.com/wp-content/uploads/2023/10/ZeroTrust-DoD-WhitePaper-SEPT-2023.pdf
I wear zero trusted branded sunglasses at work. It's good at blocking.
Zero trust is not a solution. It’s a framework. If you have vendors trying to sell you on this, look elsewhere cause they are lying to you.
I’d tell you, but I don’t trust you.
I have zero trust that things will be used securely in our environment. So my own brain and logs.
It’s a design philosophy that starts from authentication, to data on the wire, data at rest, logging, on-prem and off-prem, east-west, south-north.
It’s a marketing term, but my take is to look for companies that are modern, built with new architecture, rather than legacy companies trying to shoehorn their good old tech into a new concept. A good example is legacy VPN vendors claiming ‘zero-trust’ where fundamentally the way VPN works is simply an attack vector.
Build it yourself if you’re feeling brave.
Kafka, open policy agent, Envoy proxy and Istio Service Mesh
None. Don't trust 'em.
Zero trust isn’t a product, it’s a design framework. Anyone trying to sell you zero trust is lying. Anyone who thinks they can implement a product and have zero trust is lying.
The basis of ZT is interrogating and confirming access to a resource at the time of request based on a number of factors. It relies on strong identity, authentication, and having access controls applied to every resource in your environment.
In all the implementations I’ve done so far, I’ve always recommended the Zero Trust concept be applied both on the traffic side and the application side - no website/traffic connection and no software that is not previously approved should be allowed to connect/execute…
Now, this comes with a huge operational cost (as always, security and flexibility are on opposite sides of the scale).
We usually ended up agreeing on some middle line between these: on the most sensitive machines/servers we applied my way; on the more “safe” ones, there was a mix of this.
Appgate SDP and Menlo Security
Myself- the devs want access and I don’t trust 'em
My company created open source zero trust networking solution OpenZiti; we have a SaaS version, too.
Suffice it to say, we dogfood the technology internally a lot, for example, only giving ephemeral access to customer environments for support engineers if the customer opens tickets - https://blog.openziti.io/business-rule-driven-ephemeral-network-access. Otherwise, their environments are unreachable across any networks.
None, because zero trust is a busted buzzword with no teeth. Let's look at KASMWEB for example. Awesome tool, but only recently adopted a ‘zero trust’ sticker. Was it not zero trust before? If it was before, why only now did it gain the tag line/buzzword? Everyone is jumping on this ‘zero trust’ bandwagon and it's all the same junk we’ve had for years and sometimes decades. Putting a buzzword on something isn't going to magically make it suddenly work better.