I’m losing hair trying to reconcile Zero Trust Architecture and Secure Authenticated and Authorized Connections. The ZTA people who truly believe it’s architecture and not product are closer to understanding the holy grail, however, as I continue to muddle around in this space there are plenty of caveats like assuming nothing else fails.

assuming nothing else fails

But the problem with this approach is that security officers are still waving magic wands like a magician.

• Firewalls are great unless the attacker spoofs an IP
• Microsegments are great unless you have an admin network
• Microsegments are great unless your switch(s) are compromised
• Microsegments are great unless there is data in the clear and someone is listening
• VPNs like wireshard can be used to create microsegments in a DC, however, they are IP based
• virtual machines are great but they are usually on the same machine; attack the host or the guest

If you understand that the boundary between the VM guest and host is jail like and the same for docker guests and host. And generally speaking where docker/container implementations support encrypted microsegment SDN … they are most vulnerable when the guest is an OS+app and it usually is, bug when it’s just an application to application … then the application itself is the attack vector. A SQL injection that might reveal a complete customer list; but that does reduce the surface area; except just like VMs a host compromise is still critical.