On Wed, Jul 10, 2024 at 11:46 AM Christian Huitema <huitema@xxxxxxxxxxx> wrote:
> On 7/10/2024 7:58 AM, Phillip Hallam-Baker wrote:
> > And when we get to corporate networking, it is very much the same. Every
> > customer I have ever had has always wanted a model in which their network
> > is separated from the Internet by a moat with clearly defined physical and
> > logical access points.
> The "crunchy on the outside" model of security would only work if you
> could trust every person and every device inside the perimeter, and if
> there were no uncontrolled bridge to the outside. But in practice you
> cannot really do that. So ultimately some kind of virus makes it in,
> roams freely "inside the moat", and you get a ransomware attack or a
> data dump. It reminds me of the big walls of medieval cities. They might
> have protected the inhabitants against bandits and raiders, but they
> certainly did not prevent rats from bringing in the plague.
> -- Christian Huitema
Agree absolutely. And the corporate world responded with initiatives like the Jericho Forum which talked about 'Deperimeterization' but entirely failed to influence because they presented deperimeterization as something they wanted to happen rather than something which would inevitably happen and people needed to be ready for.
And now they are pushing 'Zero-Trust' which is essentially the same set of ideas but with the cloud added. And this is even worse because 'zero' trust is impossible. You are always going to put some degree of trust into every service provider and every employee. The real issue is MANAGING trust and minimizing the number of parties you trust and the degree to which you trust each one. Once people say the objective is ZERO, they have cut themselves off from all the tools they need like separation of duties.
One of the reasons I want to rationalize and simplify the architecture is so we can impose strong controls. So I buy a coffee pot; today it has unlimited access, but only to my local net. Which is better than unlimited access to the whole Internet and being infected with a virus and trying to DDoS the root DNS servers like the nanny cams did.
But my ideal is that I unpack the coffee pot, I scan a barcode on the bottom, it is now connected to my network and I can tell it to warm up so I can make coffee any time I like. But the coffee pot is on an isolated virtual network and cannot see ANY OTHER device on the network except for the pair of IoT gateways that manage communication with it.
In my model the coffee pot has the absolute least privilege required to perform its function and it doesn't even know who owns it. It doesn't know if it is sitting in my house or the break room at the NSA.
Back when I was working on the security of the email publication system MIT AI built for the Clinton EOP, they wanted to install a DEC AI tool that scanned the net for anomalous behaviors. So I tried it out and it turned out to be pretty sucky. I was in the AI lab after all. It might be possible to make that approach work. But surely the first step is to know what is connected to the network and what the range of functions it requires actually is. Having devices declare their functions seems a lot more reliable than guessing.
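The isolated-segment model sketched in the message above (a device on its own virtual network, able to reach only a pair of gateways, with its permissions derived from the functions it declares at enrollment) can be written down as a small default-deny policy. The following is an added illustration, not code from the original message or from any project the author describes. It assumes, for illustration only, that the device initiates all connections outbound to its gateways, a constructed catalogue mapping declared functions to gateway services, and constructed addresses, interface names and port numbers; the nftables output it generates is one plausible enforcement form, not the author's design.

```python
# Added example: model of the "isolated virtual network + paired gateways"
# least-privilege policy. All addresses, interface names, ports and the
# function catalogue below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# What a device declares about itself at enrollment (the "scan the barcode"
# step). Each function maps to one service the device must reach on a
# gateway. Constructed catalogue, not any real standard.
FUNCTION_SERVICES = {
    "mqtt-control": ("tcp", 8883),   # receive commands such as "warm up"
    "telemetry":    ("tcp", 8883),   # same channel as control
    "time-sync":    ("udp", 123),    # NTP from the gateway
}


@dataclass(frozen=True)
class Enrollment:
    device_id: str
    addr: str
    iface: str               # interface of the device's own isolated segment
    functions: frozenset     # subset of FUNCTION_SERVICES keys


class SegmentPolicy:
    """Default-deny policy for isolated IoT segments.

    An enrolled device may open connections only to the segment's two
    gateways, and only to services implied by its declared functions.
    Gateway replies ride on connection tracking. Every other flow, including
    other devices on the LAN, the Internet, and undeclared services, is denied.
    Assumption (constructed): devices initiate; gateways never connect in.
    """

    def __init__(self, gateways):
        self.gateways = frozenset(str(ip_address(g)) for g in gateways)
        if len(self.gateways) != 2:
            raise ValueError("expected exactly a pair of gateways")
        self.devices = {}  # addr -> Enrollment

    def enroll(self, device_id, addr, iface, functions):
        """Register a device from its declared functions; unknown ones are rejected."""
        unknown = set(functions) - FUNCTION_SERVICES.keys()
        if unknown:
            raise ValueError(f"undeclared function(s): {sorted(unknown)}")
        e = Enrollment(device_id, str(ip_address(addr)), iface, frozenset(functions))
        self.devices[e.addr] = e
        return e

    def needed_services(self, addr):
        """The (proto, port) set a device's declared functions imply."""
        return {FUNCTION_SERVICES[f] for f in self.devices[addr].functions}

    def check(self, flow):
        """Decide a *new* connection. Returns (allowed, reason)."""
        if flow.src in self.devices:
            if flow.dst not in self.gateways:
                return False, "device may only reach its gateways"
            if (flow.proto, flow.dport) not in self.needed_services(flow.src):
                return False, "service not implied by declared functions"
            return True, "declared function"
        if flow.dst in self.devices:
            return False, "no inbound connections to a device"
        return False, "flow outside this policy: default deny"

    def to_nftables(self, table="iot_segment"):
        """Render the same policy as an nftables forward-chain ruleset."""
        lines = [
            f"table inet {table} {{",
            "    set gateways {",
            "        type ipv4_addr",
            f"        elements = {{ {', '.join(sorted(self.gateways))} }}",
            "    }",
            "    chain forward {",
            "        type filter hook forward priority 0; policy drop;",
            "        ct state established,related accept",
        ]
        for e in self.devices.values():
            for proto, port in sorted(self.needed_services(e.addr)):
                lines.append(f'        iifname "{e.iface}" ip saddr {e.addr} '
                             f"ip daddr @gateways {proto} dport {port} accept")
        lines += ["    }", "}"]
        return "\n".join(lines)


def build_coffee_pot_policy():
    """Worked instance: one coffee pot on its own segment behind two gateways."""
    policy = SegmentPolicy(["10.42.0.2", "10.42.0.3"])       # constructed
    policy.enroll("coffee-pot-1", "10.42.7.10", "iot7",       # constructed
                  {"mqtt-control", "time-sync"})
    return policy


if __name__ == "__main__":
    p = build_coffee_pot_policy()
    for f in (Flow("10.42.7.10", "10.42.0.2", "tcp", 8883),   # warm-up command channel
              Flow("10.42.7.10", "10.42.7.20", "tcp", 8883),  # another device: denied
              Flow("10.42.7.10", "192.0.2.1", "tcp", 8883)):  # the Internet: denied
        print(f, p.check(f))
    print(p.to_nftables())
```

The rendered ruleset only works as a segment boundary if the pot really is alone on its virtual network, so every packet it sends is routed through the forward hook; two devices sharing an L2 segment would talk to each other without ever hitting these rules. That is exactly why the isolation, not the filter, is the load-bearing part of the model.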