Dear Wendy —
I think I told you I was interested in the Developer Advocate job with a company called NetFoundry. They provide Zero Trust Networking security for just about any solution you can think of. It’s a cool company and a cool product, and I applied when I saw the listing.
They seem interested, and to kick off the application process, they sent me these two questions:
What are your thoughts on zero trust and how the term varies according to vendors?
What are your thoughts on OpenZiti (https://openziti.github.io/)?
Now, I have to confess that when they asked, I had but a basic knowledge about what Zero Trust is — but I can learn anything, right? So I set out to learn and thought I would explain it all to you to show what I know.
Okay — zero trust is an approach to cybersecurity where nothing and no one is trusted. Zero trust, get it? Everything is treated as untrustworthy to start, and that means every time you start. And that means everything. A company that lives and breathes zero trust will always authenticate and validate everything.
Because people are the scariest threat surface, users have to log in every time they come to a network. They might even have to log in to get to new areas or resources. Passwords are terrible (I wrote about that here when I was at Passage) and so multi-factor authentication helps people be more secure. But even that can be hacked and “phished,” so a group called the FIDO Alliance developed a protocol which is commonly implemented as “passkeys” (which I also wrote about).
Computers and other devices like routers, switches, phones — everything — are assumed to be laced with malicious code and viruses and can’t interact until they can prove they can be trusted. Code is initially believed to be teeming with loopholes, vulnerabilities, and ways to be exploited. This is particularly tough, because while many non-secure coding patterns can be sniffed out, there is no way to scan for new vulnerabilities that no one has even heard of. But that can be mitigated by sequestering code into things like microservices, where the threat surface of any given chunk of code can be minimized and mitigated.
My thoughts on all this? It is the only way to think about a system or a network. Hackers are diabolically ingenious, and the only way to go is to approach everything as if it has already been compromised. Set things up so that no one thing can do too much damage. Make sure that you have methods in place to verify that things haven’t changed since the last time they were authenticated. If they have changed, check the hell out of them before trusting them. Don’t let any one thing talk to another thing without proving that it is who or what it says it is. Assume that even once they prove themselves, they might be compromised sometime in the future. I don’t see any other way, given the climate out there. I imagine a company like Coinbase must imbue a zero trust philosophy into the people that clean their buildings!
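To make those principles concrete, here is a small added example (not part of the original letter, and not NetFoundry or OpenZiti code): a deny-by-default access check that re-verifies identity, session freshness and device posture on every request, and that refuses to trust a device whose attested posture has changed since it was last seen until it is checked again. The class and field names, the policy table and the sample identities and devices are all constructed for illustration.

```python
"""Continuous-verification access check in the zero trust spirit.

Added example: names, policy and sample data are constructed, not taken
from any real product.
"""
from dataclasses import dataclass, field
import hashlib
import time

# A session is trusted only briefly; after this it must re-authenticate.
SESSION_TTL_SECONDS = 300


@dataclass
class Identity:
    user: str
    mfa_verified: bool       # MFA or passkey ceremony completed this session
    authenticated_at: float  # epoch seconds of the last successful login


@dataclass
class DevicePosture:
    device_id: str
    os_version: str
    disk_encrypted: bool
    edr_running: bool

    def fingerprint(self) -> str:
        # Hash of the attested posture; any change invalidates prior trust.
        raw = f"{self.device_id}|{self.os_version}|{self.disk_encrypted}|{self.edr_running}"
        return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class AccessRequest:
    identity: Identity
    device: DevicePosture
    service: str
    now: float = field(default_factory=time.time)


class ZeroTrustGateway:
    """Nothing is reachable unless a policy explicitly grants it, and every
    request passes every check again; there is no 'already trusted' state."""

    def __init__(self, policy: dict[str, set[str]]):
        self.policy = policy                 # service -> users allowed
        self.last_posture: dict[str, str] = {}  # device_id -> last fingerprint

    def evaluate(self, req: AccessRequest) -> tuple[bool, str]:
        """Return (allowed, reason). The default answer is deny."""
        allowed_users = self.policy.get(req.service)
        if allowed_users is None:
            return False, "unknown service: no policy, no access"
        if req.identity.user not in allowed_users:
            return False, "user not authorized for this service"
        if not req.identity.mfa_verified:
            return False, "MFA or passkey verification required"
        if req.now - req.identity.authenticated_at > SESSION_TTL_SECONDS:
            return False, "session expired: re-authenticate"
        if not (req.device.disk_encrypted and req.device.edr_running):
            return False, "device posture does not meet policy"
        fp = req.device.fingerprint()
        previous = self.last_posture.get(req.device.device_id)
        self.last_posture[req.device.device_id] = fp
        if previous is not None and previous != fp:
            # Something about the device changed since it was last trusted:
            # remember the new posture, but deny until it is verified afresh.
            return False, "device posture changed since last attestation: re-verify"
        return True, "allowed"


# Constructed sample policy: payroll is tightly held, the wiki less so.
SAMPLE_POLICY = {"payroll-api": {"alice"}, "wiki": {"alice", "bob"}}


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    gw = ZeroTrustGateway(SAMPLE_POLICY)
    alice = Identity("alice", mfa_verified=True, authenticated_at=t0)
    laptop = DevicePosture("laptop-1", "14.2", disk_encrypted=True, edr_running=True)
    print(gw.evaluate(AccessRequest(alice, laptop, "payroll-api", now=t0 + 10)))
    upgraded = DevicePosture("laptop-1", "14.3", disk_encrypted=True, edr_running=True)
    print(gw.evaluate(AccessRequest(alice, upgraded, "payroll-api", now=t0 + 20)))
    print(gw.evaluate(AccessRequest(alice, upgraded, "payroll-api", now=t0 + 30)))
```

The ordering of the checks matters: identity and session freshness are decided before the device is even looked at, and a compliant-but-changed device is recorded and then denied, so the second request with the same posture is what earns trust back.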
And they asked me about vendors. I interpreted that to mean, “What are the different approaches vendors take to zero trust?”
So probably the first obvious approach is the “whole body” solution. A vendor provides software solutions and maybe even hardware, that supports every aspect of a business's security needs. Shoot, I bet they even provide training solutions all the way down to the cleaning staff! Firms like banks (that’s where the money is!) probably think about security from the ground up, and some zero trust vendors will provide support for that in every conceivable way.
The market then probably has companies that of course need good security solutions but that don’t have targets on their backs as a cryptocurrency exchange does. They might be interested in zero trust solutions that aren’t quite as deep and intrusive. Vendors might be “additive” to existing solutions, so that a company that maybe didn’t start from the premise that they couldn’t trust anyone or anything can be secure. I’m guessing companies like that want to create a balance between security and effectiveness.
Then, there are small companies out there that probably just worry about password security and would require nothing much more than a password manager. I’m guessing your average local landscaping company doesn’t have much larger of a concern than that, right?
Okay, so that’s zero trust. Pretty cool — more of a way of life than a specific solution, but certainly a rich marketplace.
Next up, they asked me my opinion of OpenZiti, their open source, zero trust network solution. As you know, I think in bullet points, so here are my thoughts.
I was an open source skeptic way back in the day, but now I’m a huge fan and believer. I can remember reading about Richard Stallman’s “crazy” ideas back in the early ‘90s. Give away your code? That’s nuts! But obviously, I was wrong. Open source has been a huge, unmitigated, and indisputable success. The world runs on the Internet, and the Internet runs on open source. That controversy is clearly over.
I love that NetFoundry is a business based on an open source project. Such a thing was another nutty thought not too long ago, but now is common and I love it. The model is pretty cool and straightforward: “Sure, you can set this all up and run it yourself, but why? Let us take care of it for you.” Some people will use the product for free, but many will appreciate the open source benefits and want someone (NetFoundry!) to manage and host it for them. Win all around!
I like that they have three solutions: self-hosted and totally free, an SDK-based approach, and the paid cloud solutions.
This project is quite cool: It basically builds security into an application so that a company doesn’t have to rely on a VPN (which can be compromised) to secure access to its applications. VPNs are a blunt instrument, and OpenZiti provides granular control that makes compromising a whole system much, much more challenging. It allows a system to be completely “dark,” without open ports and exposed assets. And OpenZiti lets you keep a close audit trail on almost everything that goes on. Nice.
There are many other features that I can’t go into here, including things like E2E encryption and the fact that it is a completely software-based solution. And of course, it is zero trust throughout every fiber of the garment.
The project is active! Check-ins are happening daily, and the documentation (which is open source, of course) seems really good. It didn’t take much reading to figure out what was going on and what to do.
I have a lot to learn if I am going to be the Developer Advocate for NetFoundry. But I can learn anything — I taught myself to code, and, if you remember, I taught myself Angular in just a few months to give a day-long seminar at Philly Code Camp. I learn like I did to write this: Commit to something that forces me to learn about the topic, and then learn it!
Okay, that’s all for now. Thanks for letting me bounce these ideas off of you, and I hope you learned something. (I know I did!) And, of course, if you have any questions, let me know!
Yours,
Nick
