HACKER Q&A
📣 palmermatt72

How to access IaaS and on-prem applications in zero trust fashion?


We are an enterprise with about 3000 employees. We have recently started moving some of our workloads to public cloud, and as a result of that we are looking at re-architecting our access for our private applications. With our on-premises deployments so far, we had VPN servers in our datacenter, and the users were accessing the private applications using traditional VPN-based access. But we have started looking at Zero Trust Network Access, and wanted to architect our access using those principles. A couple of solutions have come up during our investigation: Zscaler Private Access, StrongDM, Cloudflare Access, Duo Access, Banyan Security. Has anyone out there tried any of those, and can you tell me what the differences among these solutions are, and why you would prefer one over the other?


  👤 rshnotsecure Accepted Answer ✓
Zero Trust is incredibly cool, but exceedingly difficult to pull off. I would even say this is true when attempting to do this at my house, obviously a very small environment.

Here are the strategies that have worked for me / companies I have worked with:

Doubling down on Google Cloud. Yes, they get a lot of grief that is deserved for privacy, but the reality is your infrastructure and data is extremely insecure anywhere in today's hostile cyberspace. It is the most secure, which might not even be that much, in GCP. There are so many good secure design patterns there that I can barely use AWS in good faith now with a customer, even though I owe my whole career, at least the beginning part, to them.

Duo Access - Highly recommend. Great all around. Push notifications to user phones, and require location within a specific country and biometric authorization for the push alert. Add device certs for even more security.

Okta - don't recommend at all, for one reason. To me this felt like a big thing, and that was that when signing up they made you declare answers to security questions. This is a horrible pattern that NIST has come out against for some time. Whose idea was this?
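The access pattern the accepted answer describes (approved MFA push, a country restriction, and a per-device certificate issued by the organisation's own CA) is, at its core, a policy decision evaluated on every request. The following Go program is an added example and is not code from the original thread or from Duo, Okta or any other vendor named above; the request fields, the country list, the CA names and the device identifier are constructed for illustration. It issues a device certificate from a throwaway CA, then runs four requests through the policy: a managed device from an allowed country, the same device from a disallowed country, a certificate with the same device name but signed by a rogue CA, and a request whose push was never approved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AccessRequest carries the signals a ZTNA broker evaluates per request.
// The field set is an illustrative assumption, not any vendor's schema.
type AccessRequest struct {
	User       string
	Country    string            // country resolved from the client IP
	PushOK     bool              // MFA push approved (e.g. with biometric)
	DeviceCert *x509.Certificate // per-device client certificate, nil if absent
}

// Policy is the decision point: who may come from where, on which devices.
type Policy struct {
	AllowedCountries map[string]bool
	DeviceRoots      *x509.CertPool // CA that enrolled the managed devices
}

// Decide applies every check and returns allow/deny with the first failing reason.
func (p Policy) Decide(r AccessRequest) (bool, string) {
	if !r.PushOK {
		return false, "mfa push not approved"
	}
	if !p.AllowedCountries[r.Country] {
		return false, "country not allowed: " + r.Country
	}
	if r.DeviceCert == nil {
		return false, "no device certificate presented"
	}
	// Chain the presented certificate to our own device CA; a certificate
	// from any other issuer (even with an identical subject) fails here.
	_, err := r.DeviceCert.Verify(x509.VerifyOptions{
		Roots:     p.DeviceRoots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return false, "device certificate rejected: " + err.Error()
	}
	return true, "allow " + r.User + " on device " + r.DeviceCert.Subject.CommonName
}

// NewCA creates a throwaway self-signed device CA (constructed for the example).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IssueDeviceCert enrolls one device: a client-auth leaf signed by the CA.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Scenarios runs four constructed requests through the policy and returns the
// decisions in order: managed device, wrong country, rogue-CA device, no push.
func Scenarios() []bool {
	ca, caKey := NewCA("Example Corp Device CA") // hypothetical CA name
	rogueCA, rogueKey := NewCA("Rogue CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	policy := Policy{AllowedCountries: map[string]bool{"US": true}, DeviceRoots: roots}

	managed := IssueDeviceCert(ca, caKey, "laptop-0042")
	rogue := IssueDeviceCert(rogueCA, rogueKey, "laptop-0042") // same name, wrong issuer

	reqs := []AccessRequest{
		{User: "alice", Country: "US", PushOK: true, DeviceCert: managed},
		{User: "alice", Country: "RU", PushOK: true, DeviceCert: managed},
		{User: "alice", Country: "US", PushOK: true, DeviceCert: rogue},
		{User: "alice", Country: "US", PushOK: false, DeviceCert: managed},
	}
	out := make([]bool, len(reqs))
	for i, r := range reqs {
		ok, why := policy.Decide(r)
		out[i] = ok
		fmt.Println(ok, why)
	}
	return out
}

func main() { Scenarios() }
```

Only the first request is allowed. The point worth noting for the vendor comparison in the question is that every product listed is, underneath, doing some version of `Decide`: the differences are in which signals it can see (device posture, identity provider claims, location), how the device identity is bound (certificates, agents, browser-only), and where the decision point sits relative to the application.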