
Ask HN: How to access IaaS and on-prem applications in zero trust fashion? - palmermatt72
We are an enterprise with about 3000 employees. We have recently started moving some of our workloads to public cloud, and as a result we are looking at re-architecting our access for our private applications. With our on-premise deployments so far, we had VPN servers in our datacenter, and the users accessed the private applications using traditional VPN-based access. But we have started looking at Zero Trust Network Access, and wanted to architect our access using those principles. A couple of solutions have come up during our investigation: Zscaler Private Access, StrongDM, Cloudflare Access, Duo Access, Banyan Security. Has anyone out there tried any of those, and can you tell me what the differences among these solutions are, and why you would prefer one over the other?
======
rshnotsecure
Zero Trust is incredibly cool, but exceedingly difficult to pull off. I would
even say this is true attempting to do this at my house, obviously a very
small environment.

Here are the strategies that have worked for me / companies I have worked
with:

Doubling down on Google Cloud. Yes they get a lot of grief that is deserved
for privacy, but the reality is your infrastructure and data is extremely
insecure anywhere in today’s hostile cyberspace. It is the _most_ secure,
which might not even be that much, in GCP. There are so many good secure
design patterns there that I can barely use AWS in good faith now with a
customer even though I owe my whole career, at least the beginning part, to
them.

Duo Access - Highly recommend. Great all around. Push notifications to user
phones and require location within a specific country and with biometric
authorization for the push alert. Add device certs for even more security.

Okta - don’t recommend at all for one reason. To me this felt like a big
thing, and that was that when signing up they made you declare answers to
security questions. This is a horrible pattern that NIST has come out against
for some time. Whose idea was this?

~~~
luke_skiwalker
Call me old-fashioned, but I don't understand what the big deal about zero
trust is. Wasn't the principle of least privilege what security was all about
for the last 20 years? We have had VLANs since the dark ages. Then vendors sold
us micro-segmentation as the next big thing. Now with zero trust they seem to
be saying let's do VPN everywhere and have a firewall between everything. Just
for fun, let's use TLS instead of IPsec and it'll solve all our problems. You
just need to buy fifty more boxes from us and life will be better.

Don't get me wrong. I'm in complete agreement with using identity as the new
perimeter. I highly recommend reading Google BeyondCorp papers. They are well
written. We moved everything to Okta years ago and we've been very happy with
it. But, I'm very unhappy with what security vendors are selling us. They seem
to be completely missing the point.

~~~
palmermatt72
We are also using Okta for SSO, and it has definitely made our life easier for
enforcing identity-based access. But the issue is that Okta is only involved at
session setup. We want to model our access based on Google BeyondCorp
recommendations. But from your post, it looks like you don't think there is
anything out there currently that can help us architect that kind of access
model? What do other readers think? Seems too extreme to me.

