[this_steve_j]

Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.

The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.

In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.

Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.

[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...

[2] https://doi.org/10.6028/NIST.SP.1800-35

[tacticus]

> several pillars are missing from their “Zero Trust” marketing materials.

TBH several pillars are missing from their entire security posture.

[Tokumei-no-hito]

why bother when not a single vulnerability has resulted in any appreciable fines or loss of market share? it's absurd how untouchable their ubiquity has become.

[sneak]

They’re the Boeing of software. They go down with the ship, but, critically, it means they also can’t go down until and unless the ship also does.

It’s a symbiotic relationship that allows them to stop having to spend resources to compete in the market on merit.

[realusername]

That's pretty accurate, if you want modern practice and product quality you go to Google or Amazon, if you want compliance and reassuring the board, you go to Microsoft.

[betaby]

> Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.

What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?

[this_steve_j]

There are four different micro-segmentation variations in the NIST reference guide: device-agent/gateway, enclaves, resource portals, and application sandboxing.

Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind of between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.

[ptsneves]

So the policy evaluation point has the keys to the kingdom and is the single point of failure, vs standard distributed authorisation declaration that would be up to each component of the system to implement.

How is this PEP better?