by cyrnel 495 days ago
There's not a lot of "breaking down" happening here. It's the same vague recommendations that can be found in the NSA's own documents, further reinforcing the gap between the guidelines and practitioners.

NSA/NIST/CISA all admirably avoid referring to specific products, but that ship has already sailed. Security today _is_ (unfortunately) a constellation of security products, rather than open source protocols, etc.

2 comments

Don't forget you can have open source security tools, e.g., the one I work on, OpenZiti, a zero trust network overlay - https://openziti.io/.
While I personally don't find much value in this particular page:

The entire point is to move past the failed current model, which is based on disproven concepts from the pseudoscientific management theory of last century.

Possibly an accessible but distant enough example to abstract away implementations and focus on the concept is Toyota's Principles of Set-Based Concurrent Engineering.

The SOP-based method, with strict enforcement of incomplete, inappropriate, and insufficient security theater for compliance at the cost of security model, will always fail.

The specific products don't matter as you mentioned above.

> a constellation of security products, rather than open source protocols, etc

Those are implementation details, not a security strategy. Using guardrails and runways will potentially help move past this problem, but only if people get on board with accepting that adapting and adjusting those implementation details is important to achievement of actual security.

It is horses for courses and which horse you choose absolutely depends on context. The correct product or protocol should arise through what an org learns, one shouldn't try to force the org to fit a particular vendor/framework model.

There are mathematical reasons for this, but malicious compliance is another example of how the existing model simply just fails.

These are sentiments I can agree with.

Replacing products with sound principles is a primary mission, and at its core is an educational project. I still think Ranum's "dumbest ideas in security" are a treasure-trove and so we debated them on Cybershow.

My reservations are:

Zero Trust is an unfortunate hyperbolic misnomer. For now it's the best we've got. Sure, it's a necessary reaction to the many awful and plainly wrong ideas in security still around today, but I think it can be misleading and even counterproductive. Nothing happens without trust. The big deal is whether you trust your verification methods. Obviously therein lie regressions and madness.

It is no surprise that NSA put emphasis on "continuous monitoring" as that's their core mindset. There ain't no such thing. See sampling theory and beware of grandiosity like "collect it all" and "total information awareness". Over-monitoring and automating can lead to other regressive problems, like data management, and then monitoring the "autonomous" processes for trust. Visibility is not the only dimension to security and to think otherwise is omnipotent. Nowhere in these kinds of documents do I see the word "correctness". Which is worrying for people who value formalities and mathematics. There is a gap between engineering and security mindsets - one that Ross Anderson tried so hard to bridge (with significant success).

Also, a plug for Zero Trust World 2025 [0] in Florida, which we'll be attending (boosting ThreatLocker's application whitelisting drive).

[0] https://ztw.com/