Hacker News new | ask | show | jobs
by UnoriginalGuy 2427 days ago
Google has gone the opposite direction.

I feel like throwing everything behind a VPN and pretending it is secure is a crux.

Several famous break-ins over the last ten years have hypothetically been on the inside of that wall.

Better to isolate services from each other limiting cross service jumping, than to build security around a single point of failure.
2 comments
oarsinsync 2427 days ago
> Better to isolate services from each other limiting cross service jumping, than to build security around a single point of failure

I agree that it is better, but let’s not forget that building security around a single point of failure is still an improvement, that is simultaneously both high and low friction.

Bad: everything exposed to the internet

Good: everything behind a VPN

Best: Every application on its own micro-segment with access control up to the application layer to restrict all forms of access beyond the bare minimum of what is required.

Perfect is the enemy of good.

> Google has gone the opposite direction

Google scale solutions are great for google scale organisations. They don’t always scale down very well.

link
samus 2427 days ago
> Every application on its own micro-segment with access control up to the application layer to restrict all forms of access beyond the bare minimum of what is required.

I hope for the operator team that they have good tool support to help administer all the access controls. Over time and across large organisations there are going to be a lot.

The even larger challenge must be auditing all these access controls. Services change, and if a connection is not required anymore, it should be painless for its operators to get rid of the corresponding access control.

link
heavyset_go 2427 days ago
Security is in layers, there's no reason you can't rely on both service and network isolation.

Service isolation alone doesn't help when my private data is potentially exposed by this exploit.

link