Zero-Trust Network Access

Zero-Trust Network Architecture. ZTNA. Moving the security from perimeter-based to user+resource based.

Industrial Air Gap – A Tale Of 2 Users

Don Bowman
2022-05-192022-05-19

Devices on industrial control system networks are ill-equipped for the hardships associated with the Internet and remote access. Low-speed processors, infrequent firmware upgrades, spotty security research, Common Vulnerabilities and Exposures (CVE) publishing, etc.

This leads to a natural conflict: the operator is responsible for the security, and they are not willing to sacrifice security for accessibility since their business and reputation is at stake. The vendor wants the opposite – to have the least constraints and the most simplicity across their customer base.

Is there a better way? One that meets the security requirements of the operator’s IT department as well as the access requirements of the vendors?

Yes: a Zero-Trust Industrial Network Architecture.

Top 5 Cybersecurity Resolutions to Cross off Your List in 2022

Bridget Vandenbosch
2022-01-062022-01-06

Cybercriminals had a record breaking year with the business cost of a cyber breach reaching new heights in 2021. With clear cybersecurity goals in mind, businesses can avoid becoming just another hacking news headline.

NIST sp 800-63A: Introduce Yourself

Don Bowman
2021-12-292021-12-29

Who are you? Identity involves knowing who you are, and then later proving it. NIST sp 800-63A enrollment is the first step, let’s talk about that!

NIST sp 800-63B: How Well Do I Know You?

Don Bowman
2021-12-292021-12-29

Zero-Trust Network Architecture has 3 steps: Authenticate (Who), Authorise(What), Access(How). 3 Levels of strength of the who are defined in NIST sp 800-63B. Does the goldilocks principle apply to you? Read on!

Zero-Trust Remote Access to Fix VoIP DDoS

Don Bowman
2021-09-202021-09-21

Reconfigure a VoIP PSTN gateway remotely via Zero Trust with Multi-Factor Authentication and single-sign-on to avoid a DDoS.

Authentication, Authorisation, and API Keys

Don Bowman
2021-08-082021-09-17

e encouraged to create API keys by many SaaS tools, and, these present real authorisation challenges.

Mind the gap between the web app and the desktop

Don Bowman
2021-07-212021-09-17

We want a web app. We have a desktop. Use zero-trust to make any desktop available to any device without a VPN.

A ’round tuit’ to get your internal web apps available

Don Bowman
2021-07-212021-07-21

You have an internal tool. Grafana, Prometheus, …. You get an alert, its via Slack, Chat, etc. You click. The link goes nowhere. You curse. We fix!

The Pipeline Ransomware Came Via The VPN

Don Bowman
2021-06-052021-10-24

A criminal group takes over a nations energy via a VPN. Its time to treat the VPN as a risk, not a security solution. Zero Trust is better.

SSH To Server. No IP? No Problem!

Don Bowman
2021-05-302021-05-30

SSH to the server fleet. No Public IP? No problem. No VPN. No firewall changes. End-to-end encryption. Any user.

Keep The Share, Ditch The Ransomware With Zero Trust

Don Bowman
2021-05-282021-05-28

Keep The Share. Ditch The Ransomware. Simple Zero-Trust allows any user, any device, any share, no VPN, no ransomware. Simple single sign-on.

Zero Day Zero Trust Is Your Defense in Depth

Don Bowman
2021-05-262021-05-26

Zero Trust. The principle of limiting access to user resource pairs. It is part of a good defense in depth strategy. It is also a key defense to Zero Day.

SCADA, Zero-Trust, Content-Security-Policy

Don Bowman
2021-05-192021-05-19

A Florida water treatment plant breached. People nearly poisoned. A SCADA device exposed via Windows & Team Viewer. Not where we want to be. How did it happen, how do we prevent systematically? Read On!

Quis, quid, cur, quomodo, ubi, quando, quibus auxiliis

Don Bowman
2021-05-062021-05-06

Grade 10 English, the W5 (Who, What, Why, When, Where, How). A common framework to frame something. Apply it to the problem domain of Zero Trust Networking.

Identity Sprawl And Shadow IT

Don Bowman
2021-04-102021-08-22

Empowered people make pragmatic decisions to improve productivity. This can create Shadow IT, and, Identity sprawl. Fix via Identity Aware WAF

Better Than Nothing Bonding With Remote Access: Starlink + 2xDSL Backup

Don Bowman
2021-03-212021-03-21
5 Comments

Summary: deploy OpenWRT on a Mikrotik to achieve SpaceX Starlink + bonded DSL backup, with Zero-Trust Network Access inbound from any user, any network, any device.

Embracing Zero Trust Security Model: NSA Guidance

Don Bowman
2021-03-102021-03-10

Embracing Zero Trust: Assume that a breach has (or will occur), use defense in depth, fine grained authorisation and audit, everywhere, always.

Time and Encryption are Inter-related: Certificate Transparency

Don Bowman
2021-02-122021-02-14

Time and Encryption. Certificates have a not-before and not-after. If your time is wrong, you can be tricked. Learn how the certificate transparency helps you.

Zero Trust Secure SCADA Could Make Your Water Safe To Drink

Don Bowman
2021-02-112021-11-10

A water treatment plant was breached, looking to poison people. How did the hacker get in, and how would zero-trust secure scada?

OAuth 2.0 Security Best Current Practice

Don Bowman
2021-01-252021-01-25

OAuth 2.0 is deceptively simple: create client id, client secret, set a few environment variables, and watch the black magic take effect. Learn about the best current security practices.

OAuth 2.0 Protected Resource Threats

Don Bowman
2021-01-142021-01-04

The OAuth 2.0 protected resource. It takes the access token and uses it to grant access. Watch out for it becoming compromised.

OAuth 2.0 Refresh Token Threats

Don Bowman
2021-01-132021-01-04

OAuth 2.0 refresh tokens are used to obtain new access tokens on the user’s behalf. If lost, they can allow an attacker to masquerade.

OAuth 2.0 Token Endpoint Threats

Don Bowman
2021-01-122021-01-04

The OAuth 2.0 Token Endpoint. Its were authorisation becomes real. Secure it to prevent guessing

Your password policy is wrong: NIST SP 800-63B

Don Bowman
2021-01-112021-12-30

Your password policy is wrong. So says this NIST standard. By trying to be too strong, you end up being weak. The users write it down!

OAuth 2.0 Authorisation Endpoint Threats

Don Bowman
2021-01-112021-01-04

OAuth 2.0 Authorisation Endpoints are the front-door skeleton-key creator of all your front-doors. So protect them carefully.

OAuth 2.0 Client Threats

Don Bowman
2021-01-082021-01-03

OAuth 2.0 and the client. Use Defense In Depth. Secure the client, and then assume it can still be compromised. Zero Trust.

OAuth 2.0 Threat Model and Security Considerations

Don Bowman
2021-01-072021-01-04

OAuth 2.0 has simplified authentication and authorisation for many applications, shifting from custom code to simple library import. However, as more applications come to rely on it, this makes its weaknesses more interesting. An attacker can gain access to a broader set of data via a smaller set of tactics and techniques. First lets understand the threat areas, and then, the best current practices for addressing them.

Merger, Acquisition: Federated Identity And Zero Trust

Don Bowman
2021-01-072021-01-07

Merger Acquisition Zero Trust. Two competitive or orthogonal companies become one. Achieve quick and secure with Federated Identity, Zero Trust.

Joint Venture: The Case For Federated Identity And Zero Trust

Don Bowman
2021-01-072021-01-07

Joint Ventures: Good Business strategy, complex access strategy. Does one VPN to the other? Dual accounts? Zero Trust Federated Identity FTW!

Zero-Trust Reduces Ransomware Risk

Don Bowman
2021-01-042021-05-21

Target ransomware with Zero Trust. Defense in Depth with better audit, reduced access, increased simplicity.