by zzz95 1354 days ago
How is this even Zero Trust? Admittedly, there is no precise definition for ZT, but Cloudflare's solution seems to run counter to the idea of a perimeter-less ZT philosophy. Instead of assuming that phones can be insecure and developing appropriate crypto-based mechanisms, Cloudflare is proposing to bring the phone inside a 'trusted' network. Remember, ZT does not rely on a trusted network.

Solutions like this will increase confusion and fragment the already 'interpretation led' as opposed to definition led ZT landscape.

3 comments

I don't see anything about a trusted network, it looks like this is about authorizing devices. It seems a little bare on the details of how it works, but apparently it ties into a Cloudflare product called Magic WAN. Authorizing specific devices is still a good strategy even with zero-trust networking.
Device attestation is an important piece of the zero trust design, which this eSIM approach helps facilitate.

ZT / BeyondCorp benefits from multiple layers of security, not the hard-exterior, crunchy-interior approach of VPNs, and this solution from Cloudflare is aligned with that.

Maybe I got it wrong, but the eSIM seems to be enabling a corporate VPN of sorts here.
That’s not the case — note that we don’t say “trusted network” in the blog. That’s definitely not the right solution.

There are two key parts:

1) we can filter and secure traffic _leaving_ the device, whether bound for the Internet or internal apps. This isn’t VPN-like: this is part of our software gateway. When you click (tap!) on a phishing link, we can filter it and render it inert.

2) using the eSIM, which is associated with a specific employee, as an identity signal and device posture signal. This fits squarely into the Zero Trust model. ZT is about explicit identity, not the old days of implicit “I’m on the VPN and can move laterally!”.

(I work at CF)
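As an added illustration of the two parts described above (not code from the thread, Cloudflare, or any real product), here is a constructed policy evaluator that makes the access decision from explicit identity and device-posture signals and an egress filter, while deliberately ignoring which network the request comes from. All names, the blocklist, and the request fields are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample blocklist for the egress filter; hypothetical value.
KNOWN_PHISHING = {"login-example-phish.test"}


@dataclass(frozen=True)
class Request:
    user: Optional[str]        # identity asserted by the identity provider (None = unauthenticated)
    esim_user: Optional[str]   # employee the eSIM is provisioned to (None = no eSIM signal)
    device_managed: bool       # device posture: enrolled and compliant
    source_network: str        # "corp" or "internet"; must NOT influence the decision
    destination: str           # hostname the device is trying to reach


def egress_filter(hostname: str) -> str:
    """Part 1: filter traffic leaving the device, rendering a phishing link inert."""
    return "blocked" if hostname in KNOWN_PHISHING else "allowed"


def access_decision(req: Request) -> str:
    """Part 2: decide per request from explicit signals, never from network location."""
    if egress_filter(req.destination) == "blocked":
        return "deny: phishing destination"
    if req.user is None:
        return "deny: no identity"
    # The eSIM is bound to a single employee, so it must agree with the authenticated user.
    if req.esim_user != req.user:
        return "deny: eSIM identity mismatch"
    if not req.device_managed:
        return "deny: device posture"
    # Note: req.source_network is never consulted; being "on the corp network" earns nothing.
    return "allow"
```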

Yeah, I thought the same. Sounds like the marketing team got a bit excited here.