Zero trust = zero work

Title says it all. I work at a large org and we are basically crawling to the back of the success line with this tech philosophy. Anyone else out there suffering under the poorly implemented yoke of zero trust?

Much like the namesake of this sub, zero trust has been perverted by tool vendors and the like to the point it has lost a lot of its original intent IMO.

All it should take is requiring authentication at all services, not trusting network access to be enough. And I tend to include short-lived admin sessions that require escalation via secondary auth/approval.
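As an added illustration of the two rules in that comment (every service authenticates every request on its own, and admin sessions are short lived and need a second person's approval), here is a constructed Python sketch; it is not code from the thread or from any vendor, and the signing key, the TTL values and the claim names are assumptions:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real service would pull this from a KMS or secret store.
SECRET = b"constructed-demo-signing-key"
USER_TTL = 3600   # ordinary sessions: one hour (assumed value)
ADMIN_TTL = 300   # escalated admin sessions: five minutes (assumed value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(subject: str, scope: str, now: int, approver: Optional[str] = None) -> str:
    """Mint a signed session token. Admin scope is short lived and is only
    issued when a second person has approved the escalation."""
    if scope == "admin" and not approver:
        raise PermissionError("admin scope requires secondary approval")
    ttl = ADMIN_TTL if scope == "admin" else USER_TTL
    claims = {"sub": subject, "scope": scope, "exp": now + ttl, "approver": approver}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token: str, now: int, required_scope: str) -> Optional[dict]:
    """Every service calls this on every request. Note what is NOT checked:
    the caller's IP or network segment. Being on the LAN or VPN buys nothing."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None            # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return None            # expired: admin sessions die after ADMIN_TTL
    if required_scope == "admin" and claims["scope"] != "admin":
        return None            # a plain user session cannot reach admin endpoints
    return claims
```

The `now` parameter is passed in explicitly so the expiry behaviour can be exercised deterministically; a real service would use the current time.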

And how come ever since we implemented single sign-on now I gotta sign in like 500 times a day?

Nope. Ours works great for regular secure workloads. Sometimes developers hit road blocks but that is usually because they are trying to do something insecure or trying to do shadow IT.

Zero trust is great when done correctly. Lots of organizations are not doing zero trust correctly, or even understanding what it means. Yes you need to have VPNs and firewalls in a zero trust environment.

Yep, instead of connecting to a VPN and having traffic flow through an appliance, we get to enjoy having multiple crapware endpoint solutions like CrowdStrike, Ava Reveal, Tanium, etc. running and trying to “protect” the systems.

Having to auth constantly and repeatedly. I think I auth at least 4-6 times just starting out in the AM. It’s a ritual I hate.

Security folks are mostly clueless and spend more time coming up with silly policies without doing any kind of research about the policies applied to products. When things go wrong, it’s always, can you explain this again so I make sure I fully understand.

Company just blocks all binaries from being run on laptops unless they’re explicitly whitelisted.

All quality-of-life tools like fzf, ruff, kubectl, etc. are banned. Even binaries I wrote myself are blocked.

We have zero trusted everything. It’s all in implementation and planning.

Also if you have shitty devs…it’s gonna be really bad.

Ours works well. We have a few guys who got trained to work in such an environment. We try to retain them at all cost and we make it clear what the expectations are when we hire new ones. Trusted libraries are uploaded to the company’s inventory after scanning them for vulnerabilities, so no pulling things from the internet. Everything is fully automated and triggered through pipelines with review when needed. We just put defense in depth in every layer. Everything is deny-all by default at the network level. No one but the apps has access to the DB. There are some who have run long-running jobs on environments that weren’t mature just to prove a point. Apps sit behind a load balancer and firewall and there are ingress and egress rules clearly defined. Role-based access to APIs, cluster-based security, policy-based security controls to keep things in check, and secure coding with lots of scanning for vulnerabilities. Role-based MFA authentication. It takes a while for the team to get used to it, but once it all sinks in, it gets easier from there. With cyber attacks being a big thing it’s hard to trust anyone. Sometimes the guys the threat comes from aren’t from outside but are the ones that are close to you.

Single sign on but login 50 times a day. But dw, racks still unlocked in public spaces and console password cisco.

Oh let’s not forget the amazing 55 layers of security but make sure permit any is on a firewall…make sure we capture them hackers. Lol, failed industry.

Zero trust is great - unless you’re on-prem or in AWS.

GCP has an identity-aware proxy that basically lets you be zero trust for no more work than setting up good IAM.

If you’re in GCP and SSH to a private compute instance via the console, it’s using IAP transparently.

The root issue is that security teams often have people who don’t understand software engineering. They are IT people not software people.

Nope. With all the integrations and automations that finally got implemented (things the developers running around with sysadmin, domain admin and root access couldn’t get done before, while they watched YouTube with said DA account in Google Chrome on the accounting SQL server), schedules are faster and less likely to get busted, and there aren’t random organization-wide outages anymore because a Java developer decided they knew Group Policy better than the AD administrators.

I’ve moved at least 50 companies to zero trust & only saw 3 fail. 1 kept firing entire departments & they forgot they were starting a zero trust network several times. 1 just wasn’t happy with it. The other was hit with roadblocks from an employee that was scared it would replace him. Overall it can be done really well.

As a developer by trade, I love it! Nothing jiggles my jammies the way the wasted time and brainpower of hitting the zero-trust wall does, and then just finding a workaround anyway because neither I nor my team [just] wants to work.

Sincerely, in no particular order:

  • Build times from 3 minutes to 50 due to disk scanning
  • Sites blocked because they use forbidden keywords
  • Signed-off releases, so instead of 10 minutes to prod we had 5-6 days, with no one in the sign-off chain noticing that we are using the same “reason”, plan, etc. every single time
  • Lack of privileged access to the dev machine, so installing any tool becomes a couple-day ordeal
  • Lack of access to web resources, because “devs don’t need x”, from Jira up to the whole DevOps stack
  • Locked instances of CI

And I really could go on and on.

e: Small correction. That’s what you get when you write on a phone with minimal sleep; you lose the thought and the context 🙂

It’s going pretty well. The DevOps team is getting smashed with work though.

I am working for a ZTNA vendor. One of the main goals is to impact the users as little as possible.

If done correctly, zero trust should not be a hindrance or stifle innovation. Shame the IT at your place is not listening to what is likely to be a profit-generating function.

Sounds like a poor or cheap implementation.

I just joined a company and I’m running into basic issues with this zero trust crap. On paper it’s great, deny everything, but man, trying to do some work and running into connection errors is just ridiculous.