Zero-Trust Network Access

Zero-Trust Network Architecture (ZTNA): moving security from perimeter-based to user+resource-based.

Industrial Air Gap – A Tale Of 2 Users

Devices on industrial control system networks are ill-equipped for the hardships associated with the Internet and remote access: low-speed processors, infrequent firmware upgrades, spotty security research, Common Vulnerabilities and Exposures (CVE) publishing, etc.

This leads to a natural conflict: the operator is responsible for security, and they are not willing to sacrifice security for accessibility since their business and reputation are at stake. The vendor wants the opposite: to have the fewest constraints and the most simplicity across their customer base.

Is there a better way? One that meets the security requirements of the operator’s IT department as well as the access requirements of the vendors?

Yes: a Zero-Trust Industrial Network Architecture.

NIST SP 800-63B: How Well Do I Know You?

Zero-Trust Network Architecture has 3 steps: Authenticate (Who), Authorise (What), Access (How). 3 levels of strength of the "who" are defined in NIST SP 800-63B. Does the Goldilocks principle apply to you? Read on!

SCADA, Zero-Trust, Content-Security-Policy

A Florida water treatment plant breached. People nearly poisoned. A SCADA device exposed via Windows & TeamViewer. Not where we want to be. How did it happen, and how do we prevent it systematically? Read on!

Identity Sprawl And Shadow IT

Empowered people make pragmatic decisions to improve productivity. This can create shadow IT and identity sprawl. Fix via an identity-aware WAF.

OAuth 2.0 Security Best Current Practice

OAuth 2.0 is deceptively simple: create a client ID and client secret, set a few environment variables, and watch the black magic take effect. Learn about the best current security practices.

OAuth 2.0 Client Threats

OAuth 2.0 and the client. Use Defense In Depth. Secure the client, and then assume it can still be compromised. Zero Trust.

OAuth 2.0 Threat Model and Security Considerations

OAuth 2.0 has simplified authentication and authorisation for many applications, shifting from custom code to a simple library import. However, as more applications come to rely on it, its weaknesses become more interesting: an attacker can gain access to a broader set of data via a smaller set of tactics and techniques. First, let's understand the threat areas, and then the best current practices for addressing them.