MTLS Everywhere

All the Fuzz about Zero Trust

With all the hype around Zero Trust, I've been really struggling to find proper information that explains what this is all about.

Sure, it is the new buzzword, and not even a fancy one, since, unusually for a buzzword, it evokes a negative vibe.

Nice Ones

Most buzzwords we're used to are about good feelings, things that everyone loves, or at least have some sort of romantic connotation: how can you not like to spot fluffy shapes in the Cloud? How can you not like to connect your toaster to the Internet Of Things? Wasn't Layered Architecture so appealing at the time because it evoked some sort of information lasagna?

Microservices... it sounds like you could carry them around in your pocket, or maybe not.

Orchestration: hard to find something so powerful and evocative... like some virtuoso conductor, it looks like you're gently showing your fellow musicians the way, while what you are actually doing is swearing all the way because the damn thing keeps running out of memory and the data in the container is gone.

For Real

Buzzwords aside, what I understand Zero Trust really means is: mTLS Everywhere! Give every asset (digital or physical) a TLS certificate, give every service a certificate, and when a handshake happens the client validates the server-side certificate and the server enforces validation of the caller via its client certificate. Nothing is trusted for merely sitting on the "right" network: every peer proves who it is on every connection.

The groundwork for this is basically X.509 certificates, and what it means is that, under the hood, every organization should make the effort and run a private CA.

Create a private CA, use it to issue a set of intermediate CA certificates, then bury the root's secret key somewhere offline; sign everything with the intermediates, a different intermediate for each area, so that rotating or revoking one area's intermediate never requires touching the root.

Each pair of assets or services talking to each other should validate the peer's certificate (the chain up to the root, the validity period, and that it was issued for that role) and drop the connection with anything that doesn't present a valid one.

Manage keys carefully, be ready to revoke and retire them, and have a framework for renewals: keep leaf certificates short-lived so that renewal is routine rather than an emergency.
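The whole procedure in miniature, as an added example that is not part of the original post: a root CA, one intermediate for a "payments" area, a server leaf and a client leaf signed by that intermediate, and a TLS 1.3 exchange on loopback in which each side validates the other's chain and the server drops anyone without a valid client certificate. It uses only the Go standard library; the names (Example Root CA, Example Payments Intermediate CA, localhost, ledger-client) are made up for the example, and everything lives in one process here, whereas in real life the root key would be generated and kept offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a P-256 key and a certificate for cn signed by parent; a nil parent means self-signed (the root).
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random serial, as a real CA would
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // never zero
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour), // short-lived: renewal is routine, not an event
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.MaxPathLenZero = parent != nil // intermediates get pathlen:0: they sign leaves, never other CAs
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku} // server-only or client-only, never both
		tmpl.DNSNames = []string{cn}               // verifiers match the SAN, not the CN
	}
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

type PKI struct { // the hierarchy from the post: offline root -> per-area intermediate -> leaves
	Roots          *x509.CertPool  // the only thing peers are configured to trust
	Server, Client tls.Certificate // each leaf travels with the intermediate that signed it
}

func BuildPKI() (*PKI, error) {
	root, rootKey, err := issue("Example Root CA", true, 0, nil, nil)
	if err != nil { return nil, err }
	inter, interKey, err := issue("Example Payments Intermediate CA", true, 0, root, rootKey)
	if err != nil { return nil, err }
	srv, srvKey, err := issue("localhost", false, x509.ExtKeyUsageServerAuth, inter, interKey)
	if err != nil { return nil, err }
	cli, cliKey, err := issue("ledger-client", false, x509.ExtKeyUsageClientAuth, inter, interKey)
	if err != nil { return nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(root) // the intermediate is deliberately not in here
	return &PKI{Roots: roots,
		Server: tls.Certificate{Certificate: [][]byte{srv.Raw, inter.Raw}, PrivateKey: srvKey},
		Client: tls.Certificate{Certificate: [][]byte{cli.Raw, inter.Raw}, PrivateKey: cliKey}}, nil
}

// Exchange runs one TLS 1.3 round trip on loopback: the server verifies the client's chain up to
// the root and greets it by name; present says whether the client offers its certificate at all.
func Exchange(p *PKI, present bool) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{p.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client certificate, no connection
		ClientCAs:    p.Roots,
	})
	if err != nil { return "", err }
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil { return }
		defer c.Close()
		tc := c.(*tls.Conn)
		if tc.Handshake() != nil { return } // unauthenticated peer: dropped before any application data flows
		fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: p.Roots, ServerName: "localhost"}
	if present { cfg.Certificates = []tls.Certificate{p.Client} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // verifies the server's chain up to the root
	if err != nil { return "", err }
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // under TLS 1.3 the server's rejection surfaces here, not in Dial
	if err != nil { return "", err }
	return string(buf[:n]), nil
}

func main() {
	p, err := BuildPKI()
	if err != nil { panic(err) }
	fmt.Println(Exchange(p, true))  // hello ledger-client <nil>
	fmt.Println(Exchange(p, false)) // empty greeting plus the server's rejection error
}
```

Note what the peers are configured with: the root only. The intermediate is not pinned anywhere; each leaf carries its issuer in the handshake, which is what lets you retire one area's intermediate without touching every trust store. Running it, the first exchange is greeted as ledger-client, the second (no certificate offered) fails when the server aborts the handshake, and a certificate from any CA that does not chain to this root is rejected at the same point.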

This probably sounds a bit uncool, but it is effective indeed. Of course the effort is not negligible, but I see that the number of contexts where this is needed is only on the rise.

Shall we call it by its real name? mTLS Everywhere!



[git] [certificate] [x509]