Thanks for dissecting ZTA and pointing out some of the current technical liabilities.
Perhaps this is wandering off-topic, but I wonder, do you have any concern with the fact that the current market for ZTA seems to be in the hands of commercial entities that are bundling ZTA with Security Service Edge (SSE) or Secure Access Service Edge (SASE) offerings, which not only proxy all traffic to proprietary services but also to public SAS services and the Internet at large, layering on CASB and SBI and all sorts of security layers? It seems to me that, in time, it's possible that these entities may become the gatekeepers to the Internet, on the one hand, assuring users that they're safer not connecting to the unmediated Internet but that all Internet access should be safeguarded by use of their services and, on the other, assuring corporations and SAS providers that they're better off only serving requests that originate from customers whose "trustworthiness" they've assessed (and whom they can identify and track). And then there will be different Internets for different customers and service providers based on which ZTA/SSE/SASE provider they've managed to contract with and/or keep on the right side of. Indeed, there may be Internet have-nots who won't be able to get onto the Internet in any meaningful way at all if they can't pay to play or nobody wants to bother to take their money because they can just extract more rent from the "haves" who are already locked in.
Again, apologies if this is way out of line with the tenor of your blog. I just don't have any more appropriate place to give voice to some of these concerns I have about "Zero Trust" possibly becoming the default access policy of the Internet, locking out anybody who doesn't have the wherewithal to buy or demand to be "trusted".
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
ZTA doesn't solve all the problems; does it make for even bigger ones?
Date: 2022-04-06 04:26 am (UTC)Thanks for dissecting ZTA and pointing out some of the current technical liabilities.
Perhaps this is wandering off-topic, but I wonder, do you have any concern with the fact that the current market for ZTA seems to be in the hands of commercial entities that are bundling ZTA with Security Service Edge (SSE) or Secure Access Service Edge (SASE) offerings, which not only proxy all traffic to proprietary services but also to public SAS services and the Internet at large, layering on CASB and SBI and all sorts of security layers? It seems to me that, in time, it's possible that these entities may become the gatekeepers to the Internet, on the one hand, assuring users that they're safer not connecting to the unmediated Internet but that all Internet access should be safeguarded by use of their services and, on the other, assuring corporations and SAS providers that they're better off only serving requests that originate from customers whose "trustworthiness" they've assessed (and whom they can identify and track). And then there will be different Internets for different customers and service providers based on which ZTA/SSE/SASE provider they've managed to contract with and/or keep on the right side of. Indeed, there may be Internet have-nots who won't be able to get onto the Internet in any meaningful way at all if they can't pay to play or nobody wants to bother to take their money because they can just extract more rent from the "haves" who are already locked in.
Again, apologies if this is way out of line with the tenor of your blog. I just don't have any more appropriate place to give voice to some of these concerns I have about "Zero Trust" possibly becoming the default access policy of the Internet, locking out anybody who doesn't have the wherewithal to buy or demand to be "trusted".