
From Zero to Zero Trust - gk1
https://gravitational.com/blog/zero-to-zero-trust/
======
Vmody2
Hey everyone, author here. I wrote this post in an attempt to better
understand how cybersecurity evolved to the Zero Trust model, and what that
means, practically.

If your organizations have implemented some form of Zero Trust or you are
aware of other resources, please comment so I can keep learning.

Here are some resources I found useful for further reading:

[https://about.gitlab.com/blog/2019/04/01/evolution-of-zero-t...](https://about.gitlab.com/blog/2019/04/01/evolution-of-zero-trust/)

[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf)

[https://www.oreilly.com/library/view/zero-trust-networks/978...](https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/ch01.html)

~~~
basch
[https://telegra.ph/ZeroTrust-Vendors-04-23](https://telegra.ph/ZeroTrust-Vendors-04-23)

If it's missing anyone important, let me know.

~~~
ithkuil
Does [https://www.pomerium.io/](https://www.pomerium.io/) fit there?

------
someonehere
Currently looking at bastion/jit solutions to move away from ssh keys. Two
options we’ve looked at were PrivX from ssh.com and ScaleFT (now owned by
Okta). Both offer role based access to servers. PrivX seems better because it
allows ssh session recordings with metadata playback search. Perfect to find
out who ran the wrong command and what happened before and afterwards. They
also keep a copy of any files transferred in/out over the ssh session. ScaleFT
is good, but it’s very expensive compared to PrivX.

But we are looking at using a service like this as we move to zero trust.

~~~
jiveturkey
> Currently looking at bastion/jit solutions to move away from ssh keys.

You lost me. How does bastion get you away from ssh keys?

~~~
Vmody2
Could mean moving away from manual SSH key management to something like a
bastion-hosted SSH Certificate Authority.
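The bastion-hosted SSH Certificate Authority mentioned above, as an added example that is not from the post or from any product named in the thread. It assumes OpenSSH's ssh-keygen is on PATH; the CA name, the user "alice", the principals and the 10.0.0.0/8 source range are constructed for illustration. The point is that servers trust one CA public key, users get short-lived certificates instead of long-lived authorized_keys entries, and the certificate itself carries who it is for, how long it lasts and where it may be used from.

```shell
#!/bin/sh
# Added example: a minimal SSH user CA issuing short-lived certificates.
# Not from the original post; assumes OpenSSH's ssh-keygen is installed.
set -eu

# issue_cert DIR: create a CA key pair and a user key pair under DIR,
# sign the user's public key, and print the path of the certificate.
# In practice the CA private key lives only on the bastion/signing
# service; the user only ever sends its *public* key to be signed.
issue_cert() {
  dir=$1
  # CA key pair (constructed name "user_ca")
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$dir/user_ca"
  # User key pair (constructed user "alice")
  ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$dir/alice"
  # Sign the user key. The certificate is what replaces the static key:
  #   -I  key id, which sshd logs on every login (audit trail)
  #   -n  principals the cert may log in as (mapped on the server side)
  #   -V  validity window: 5 minutes of clock skew back, 8 hours forward
  #   -O  critical option: only usable from the given source network
  ssh-keygen -q -s "$dir/user_ca" \
    -I 'alice-session-0001' \
    -n 'alice,deploy' \
    -V '-5m:+8h' \
    -O 'source-address=10.0.0.0/8' \
    "$dir/alice.pub"
  # ssh-keygen writes the certificate next to the public key as <name>-cert.pub
  printf '%s\n' "$dir/alice-cert.pub"
}

# cert_has_principal CERT NAME: true if NAME is listed under "Principals:"
# in the decoded certificate (ssh-keygen -L prints one principal per line).
cert_has_principal() {
  ssh-keygen -L -f "$1" | grep -q "^[[:space:]]*$2\$"
}

# cert_has_line CERT TEXT: true if the decoded certificate contains TEXT
# literally (used to check the key id and critical options).
cert_has_line() {
  ssh-keygen -L -f "$1" | grep -Fq -- "$2"
}

# Stand-alone demo: issue a certificate and decode it.
demo_dir=$(mktemp -d)
demo_cert=$(issue_cert "$demo_dir")
ssh-keygen -L -f "$demo_cert"

# Server side (sshd_config), shown here as comments because it is not run:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub      <- contents of $demo_dir/user_ca.pub
#   AuthorizedPrincipalsFile /etc/ssh/principals/%u
# and /etc/ssh/principals/deploy would contain the principal names allowed
# to log in as the "deploy" account. No per-user authorized_keys is needed,
# and when the 8 hours are up the certificate simply stops working.
```

With this in place, revoking access is a matter of not re-issuing a certificate (or, for an immediate cut-off, listing the key id in a `RevokedKeys` file on the servers), and the key id in sshd's auth log ties each session back to the issuance event on the bastion.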

------
viahoptop
I've been working on a Zero Trust project that requires client certs and
implementing SCEP for cert distribution has been a huge headache.

The best part of this Zero Trust movement is that it seems most of these
projects are "moving away" from painful specs like IPSec, 802.1x, and SAML to
much more simple & modern solutions.

------
gpcastle
to ZeroTier. [https://www.zerotier.com/](https://www.zerotier.com/)

