by ec109685 1358 days ago
Device attestation is an important piece of the zero trust design, which this eSIM approach helps facilitate.

ZT / BeyondCorp benefits from multiple layers of security, not the hard exterior and crunchy interior approach of VPNs, and this solution from cloudflare is aligned with that.


Maybe I got it wrong, but the eSIM seems to be enabling a corporate VPN of sorts here.
That’s not the case — note that we don’t say “trusted network” in the blog. That’s definitely not the right solution.

There are two key parts:

1) we can filter and secure traffic _leaving_ the device, whether bound for the Internet or internal apps. This isn’t VPN-like: this is part of our software gateway. When you click (tap!) on a phishing link, we can filter it and render it inert.

2) using the eSIM, which is associated with a specific employee, as an identity signal and device posture signal. This fits squarely into the Zero Trust model. ZT is about explicit identity, not the old days of implicit “I’m on the VPN and can move laterally!”.

(I work at CF)