> CISA advises vulnerable organizations [...] to disconnect affected products from the public-facing Internet until an official patch is available.
It's interesting to me that you'd go to the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
There's some truth to this in that all organizations ultimately have their own perpetuation as a goal...but this is also a little like saying "well, there are a lot of complicated macroeconomic drivers of theft" while you're stealing somebody's purse.
The harms here are not the result of some broad faceless force so distributed and ethereal as to avoid accountability. The people performing them know exactly what they are doing. They're choosing to do it, when no systemic factor forces them to. If they wanted to not harm people, they could do so at zero or even negative harm to themselves.
Systems-level thinking is a useful tool, but it can make you miss the trees for the forest when a single concrete human being in front of you is just a bad person.
Sometimes it looks as if it matters more whether people are good and work in good faith rather than what a particular system is.
However, the more extreme the system (be it anarchocapitalism or communism), the higher the requirement to the goodness of people.
As is, in current societies I find that the ambient chaos of general democratic capitalism counteracts the threat of a small minority making wrong decisions (Mao’s famine, etc.) while strategic regulations help curb bad actors abusing the system (like selling people poison or dumping toxic waste into rivers).
Both are needed, and I usually suspect that people who call for one extreme or the other either have an agenda or have not thought it through. (In the West it is often pro-capitalist tendencies, though I encountered both.)
Only liberals could describe our system as "democratic capitalism" with a straight face; it's absurd. I'm on the left, I'm not a liberal, so no, we are definitely not on the same side. I believe our intolerable levels of inequality and disparity are caused by systemic issues, not some "bad actors".
So true, they make bullshit that affects security also on some security tool analysers … do not worry NSA, everything is fine, you are not at risk against worms xD
Best practice is to assume the network is compromised - a VPN doesn't provide as much guarantee as people would like. In large fleets, devices are regularly lost, damaged, retired, etc. In organizations with high target value, physical penetration through any number of means should be assumed.
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based access control (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
Why bother when not a single vulnerability has resulted in any appreciable fines or loss of market share? It's absurd how untouchable their ubiquity has become.
That's pretty accurate, if you want modern practice and product quality you go to Google or Amazon, if you want compliance and reassuring the board, you go to Microsoft.
> Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based access control (ABAC). Per request.
What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?
There are four different micro-segmentation variations in the NIST reference guide: device-agent/gateway, enclaves, resource portals, and application sandboxing.
Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
So the policy evaluation point has the keys to the kingdom and is the single point of failure, vs standard distributed authorisation declaration that would be up to each component of the system to implement.
In zero trust "exposed to the internet" is a bit of a misnomer compared to how traditional security would use the term. A better description might be "you're allowed to form a session to it from over the internet but only after your identity and set of rights have been verified". From this view: "zero trust" < "vpn" < "wide open" (in terms of exposure).
So it's essentially a more seamless and granular analog of a VPN? A device sits in front of the network and requires some sort of authenticated handshake (ideally all SSO) before passing packets through to a target endpoint?
Yes, that's zero trust in a nutshell: A VPN that does a tunnel per TCP connection instead of one tunnel for all TCP connections.
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
Something I'll add to the other responses is "the network" isn't an assumption of zero trust. Whether it's a single server on the private corporate network or a multi-cloud multi-region service hosted on the internet zero trust treats them the same.
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
HTTPS calls with any kind of authentication (cookies, tokens, even basic auth) are one way to be "authenticated, encrypted" for "each request". If they go to a reverse proxy at the entrance of a company network (a common setup for every internet facing http server) they are a way to do without a VPN.
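The "each request is authenticated, encrypted" property from the two comments above, and the reverse-proxy-without-a-VPN setup just described, as an added example that is not code from the thread. It assumes a proxy that terminates TLS and checks a short-lived, app-scoped bearer token on every request; the HMAC-signed JSON token format, the `/wiki/` and `/payroll/` routes, the secret and the sample traffic are all constructed stand-ins for whatever an SSO actually issues.

```python
"""Added example (not from the thread): per-request authentication at a
reverse proxy, i.e. the "each request is authenticated, encrypted" property.

Every HTTP request must carry a valid, short-lived, app-scoped bearer token;
the client's source address is not an input, so a LAN request without a token
is refused exactly like one from the internet.  The HMAC-signed JSON token is
a constructed stand-in for whatever your SSO issues.  TLS is assumed to
terminate at the proxy and is not modelled here.
"""
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, subject: str, audience: str, ttl_s: int, now: int) -> str:
    """Issue a token scoped to one app (audience) and valid for ttl_s seconds."""
    claims = {"sub": subject, "aud": audience, "exp": now + ttl_s}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(secret: bytes, token: str, audience: str, now: int):
    """Return the claims if signature, audience and expiry all check out, else None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):  # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


# Path prefix -> app the token must be scoped to. Unlisted paths: default deny.
ROUTES = {"/wiki/": "wiki", "/payroll/": "payroll"}


def authorize(secret: bytes, method: str, path: str, headers: dict, now: int) -> tuple:
    """Proxy decision for one request: (HTTP status, reason). No session state."""
    app = next((a for prefix, a in ROUTES.items() if path.startswith(prefix)), None)
    if app is None:
        return 404, "no route for path (default deny)"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "no bearer token (source address is irrelevant)"
    claims = verify_token(secret, auth[len("Bearer "):], app, now)
    if claims is None:
        return 401, "token invalid, expired or scoped to another app"
    return 200, f"{claims['sub']} -> {method} {path}"


# Constructed sample traffic.
SECRET = b"constructed-demo-secret-do-not-reuse"
NOW = 1_700_000_000


def _bearer(token: str) -> dict:
    return {"Authorization": f"Bearer {token}"}


def demo() -> dict:
    """Run constructed requests through the proxy and return {label: status}."""
    wiki_tok = mint_token(SECRET, "alice", "wiki", 300, NOW)
    # Forged body ("mallory") glued to alice's genuine signature: must fail.
    forged_body = _b64(json.dumps({"sub": "mallory", "aud": "wiki", "exp": NOW + 300},
                                  separators=(",", ":")).encode())
    tampered = forged_body + "." + wiki_tok.split(".", 1)[1]
    cases = {
        "wiki_with_wiki_token":    ("GET", "/wiki/home", _bearer(wiki_tok), NOW),
        "payroll_with_wiki_token": ("GET", "/payroll/run", _bearer(wiki_tok), NOW),
        "wiki_no_token_from_lan":  ("GET", "/wiki/home", {"X-Forwarded-For": "10.0.0.5"}, NOW),
        "wiki_expired_token":      ("GET", "/wiki/home", _bearer(wiki_tok), NOW + 600),
        "wiki_tampered_token":     ("GET", "/wiki/home", _bearer(tampered), NOW),
        "unrouted_path":           ("GET", "/admin/", _bearer(wiki_tok), NOW),
    }
    return {label: authorize(SECRET, *args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{status} {label}")
```

The point of the sample traffic is the contrast with a tunnel: the request carrying an internal `X-Forwarded-For` but no token gets the same 401 as anything from outside, and a token minted for the wiki buys nothing on the payroll route.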
And yet every customer of mine has some of their servers on a VPN. At the very least they enable ssh only on ports on the private network.
Think machine certs (stored in a TPM). Plus perimeter-enforced username/password/2FA. Plus additional policy checks, like making sure your machine is up to date on security patches.
It doesn’t matter what network you are connecting from, but it does matter that you’re connecting from a company-issued laptop that’s in a trustworthy state.
Sounds like multiple single points of failure to make a security infrastructure so hostile to the end user it would be considered the equivalent of being under persistent attack.
The big difference is once you’re in, with a VPN you have direct access to the whole network.
With a zero trust setup, access has to be granted to you (or your ACL group) on a per-application basis. It makes it much harder for an attacker to move laterally when everything is default-deny.
But you can combine VPNs with SSO and limited permissions. Real networks all work that way these days. Logging into the VPN doesn't get you very far, you'll need to be provisioned with specific apps and permissions too.
- You must "VPN in" to access any corporate resources of any type, even ones on the corporate network when you're sourcing from the corporate network
- The client forms a separate "VPN connection" (can be clientless, but same concept) per app you access, rather than assuming a single parent VPN server can get them to any resource
- Every default ruleset started with deny all and only specific allow rules were added over time
Then you've got enough to call it a zero trust implementation. You can also take things the other way, i.e. you could "deconfigure" a zero trust setup to look and function almost exactly as a normal corporate VPN tunnel.
Rather than go through this whole thread each time, people just refer to all of this as "zero trust networking".
At the end of the day "you get access to things based on proving your identity" is not a novel concept. How you deploy, operate, and enforce that is where the differences in technologies lie.
In a pure implementation, the same level of trust is implied (absolutely none at all) whether a device is connecting to a resource from the public internet or the same subnet.
Arainach is advocating for something called "Zero Trust" which, from a user's perspective, is very much like a VPN.
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
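The policy-side of what several comments above describe (a PEP that checks device posture, TPM-held machine certs plus SSO/2FA plus patch-level checks, per-app default-deny with allow rules added over time, geo rules like "system B only from your home country", and the semi-authenticated state where a failed posture check blocks some apps but not others), as an added example that is not code from the thread or from any vendor. It is a toy policy decision function: every user, group, app, country, device and threshold in it is constructed, and the source network is deliberately not an input.

```python
"""Added example (not from the thread): a toy per-request policy engine in
the NIST ZTA sense.

Every access decision is computed from scratch for each request from the
subject's identity (SSO + 2FA), the device's posture (TPM-held machine
cert, patch age, a posture event such as a phone plugged in over USB) and
the app's own allow rules.  The source network is deliberately not an
input.  All users, apps, countries and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    company_issued: bool
    tpm_cert_valid: bool          # machine cert chains to the org CA (checked upstream, assumed)
    last_patch: date
    untrusted_usb_attached: bool  # e.g. a phone plugged in to charge


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    device: Device
    country: str
    app: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Per-app allow rules. Anything not listed is unreachable (default deny).
# "countries": None means "from anywhere"; full_posture means a device in the
# semi-authenticated 'limited' state is not good enough for this app.
APP_POLICY = {
    "wiki":    {"groups": {"staff"},   "countries": None,   "full_posture": False},
    "payroll": {"groups": {"finance"}, "countries": {"NL"}, "full_posture": True},
}
MAX_PATCH_AGE_DAYS = 30


def posture(device: Device, today: date) -> str:
    """Classify a device as 'trusted', 'limited' (semi-authenticated) or 'untrusted'."""
    if not (device.company_issued and device.tpm_cert_valid):
        return "untrusted"
    stale = (today - device.last_patch).days > MAX_PATCH_AGE_DAYS
    if stale or device.untrusted_usb_attached:
        return "limited"
    return "trusted"


def evaluate(req: Request, today: date) -> Decision:
    """Policy decision for one request; nothing is remembered between calls."""
    if not req.mfa_passed:
        return Decision(False, "identity: 2FA not satisfied")
    state = posture(req.device, today)
    if state == "untrusted":
        return Decision(False, "device: not a company device with a valid TPM cert")
    rule = APP_POLICY.get(req.app)
    if rule is None:
        return Decision(False, f"app: no allow rule for {req.app!r} (default deny)")
    if not (req.groups & rule["groups"]):
        return Decision(False, f"acl: user not in {sorted(rule['groups'])}")
    if rule["countries"] is not None and req.country not in rule["countries"]:
        return Decision(False, f"geo: {req.app} not permitted from {req.country}")
    if rule["full_posture"] and state == "limited":
        return Decision(False, "posture: device is in limited state; app needs full posture")
    return Decision(True, f"allow: {req.user} -> {req.app} (posture={state})")


# Constructed sample data.
TODAY = date(2025, 7, 21)
GOOD_DEVICE = Device(True, True, date(2025, 7, 10), False)
USB_DEVICE = Device(True, True, date(2025, 7, 10), True)     # phone on charge: 'limited'
BYOD_DEVICE = Device(False, False, date(2025, 7, 10), False)  # no TPM cert: 'untrusted'
ALICE = frozenset({"staff", "finance"})
BOB = frozenset({"staff"})


def demo() -> dict:
    """Evaluate a batch of constructed requests and return {label: Decision}."""
    cases = {
        "alice_wiki_usb":       Request("alice", ALICE, True, USB_DEVICE, "NL", "wiki"),
        "alice_payroll_usb":    Request("alice", ALICE, True, USB_DEVICE, "NL", "payroll"),
        "alice_payroll_abroad": Request("alice", ALICE, True, GOOD_DEVICE, "US", "payroll"),
        "alice_payroll_home":   Request("alice", ALICE, True, GOOD_DEVICE, "NL", "payroll"),
        "bob_payroll":          Request("bob", BOB, True, GOOD_DEVICE, "NL", "payroll"),
        "bob_unknown_app":      Request("bob", BOB, True, GOOD_DEVICE, "NL", "sharepoint"),
        "alice_no_mfa":         Request("alice", ALICE, False, GOOD_DEVICE, "NL", "wiki"),
        "alice_byod":           Request("alice", ALICE, True, BYOD_DEVICE, "NL", "wiki"),
    }
    return {label: evaluate(req, TODAY) for label, req in cases.items()}


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:22} {'ALLOW' if d.allow else 'DENY':5} {d.reason}")
```

The `alice_wiki_usb` / `alice_payroll_usb` pair is the semi-authenticated state from the comment above: same user, same device, same 2FA, but a posture event downgrades the device to `limited`, which is still enough for the wiki and not enough for payroll. Because `evaluate` is a pure function of the request, there is no "once you're in" state for an attacker to inherit.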
Zero trust is when every session with every service is like its own VPN, independently authenticated and encrypted. Consider the way an HTTPS session between a server and a browser is created anew every time the browser accesses a domain, and ends after a short flurry of requests needed to load a page.
There's a significant difference which my original message hints at and is subsequently clarified: there's still an intermediary. If there's an exploit in the service, like this case, it's still not directly exposed. The intermediary device is still sitting in between and won't allow any old traffic through without separate authorization.
The product was explicitly promoted as being useful to run public websites. Before cloud took off we had Microsoft sales people in our office announcing the death of Wordpress with the latest Sharepoint release. That position may be old, but plenty of orgs live in the past.
> It's interesting to me that you'd go to the hassle of hosting your own SharePoint on prem, but leave it internet facing.
Once upon a time Microsoft marketed it as such, and a lot of orgs adopted SharePoint as their intranet. With SharePoint 2019 being sunset, a lot of orgs are scrambling to implement replacements.
> It's interesting to me that you'd go to the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
It likely will be entirely contained, at least in theory. Because are your IT and OT isolated? They should be, but man, could I tell you something about the energy and public sectors... Let's just say that if you're in an organisation with any sort of OT, then you may as well assume that everything you have is facing the internet in some way. I suspect it's frankly like this in any sort of enterprise organisation, getting worse the more the org views IT purely as a cost center.
This is why we don't just rely on things like VPNs. Everything we have uses port security (MAC addresses) at a much more granular level than the VPN does. At least for the parts of our systems landscape where this is possible. With something like SharePoint it's hard to allow specific devices because it's usually something everyone should have some sort of access to. Then you have all the organisations where SharePoint also has some sort of non-VPN access because some CEO-level person wanted it at one point since they can't be bothered to bring a work PC to their holiday home.
The answer is contractors and consultants. State agencies routinely work with third parties that need to be able to share files. Obviously this isn’t universal but it isn’t uncommon.
That’s the whole thing with Azure; it blurs the line between on-prem and cloud “because you can.”
I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.