Protecting applications is getting more complicated and complex. Applications must attach to networks, exposing them to all the insecurities that come with it. What if we could stop all attacks? Threats could exist on the network and still not attack our applications. What if it was easy, free and open source? Security must be easy to adopt, run, and maintain.

Before we answer the question of making traditional network security irrelevant as a standard, let's position the problem:

We all care about security – but man, it's hard. It's so hard that we don't have the time to spend on it. We end up focusing our time on implementing features – NOT security.

The purpose of a network is transmitting, exchanging or sharing data and resources – not security. All networks are insecure. Period.

Insecure networks have us being crushed in the cybersecurity war. It's too cheap and easy for malicious actors to launch attacks, move laterally and exploit. We implement elaborate, time-consuming and costly controls and infrastructure to protect our applications, and still, malicious actors make massive revenue, causing enormous costs for society.

System operators must be ever vigilant to stop vulnerabilities being exploited by malicious actors across the network – watching email lists, scanning for updates, coordinating change windows and downtime, implementing patches.

The zero trust security model was created to reduce network risks by leveraging strong identities and the idea of "never trust, always verify", but it is historically hard to implement and puts the onus on the application consumers, not the application creators.

Security is hard. But it is mandatory. Security must be easy to adopt, run and maintain. When it is, it becomes standard, to the benefit of everyone.

Let's demonstrate this using a case study. A little over ten years ago, when using a browser to access websites, all data was transferred using unencrypted HTTP. Then free and open source technologies like HTTPS Everywhere and Let's Encrypt came along. HTTPS was a great idea and became so easily accessible and vastly available that ALL major browsers implemented it, leading to the retirement of HTTPS Everywhere.

We need to go through the same process to secure our applications. Securing the network, which is impossible, must become a thing of the past, just like HTTPS Everywhere.

Foundational truths about networks

The network as we know it is no longer sufficient. We need to reinvent it. The best way to protect our applications is to make security so easy and free that it becomes a standard that everyone can implement. Luckily, we have the core technology concepts to deliver this:

Zero trust security model: This provides principles including strong identity, authentication and authorization, account-based access control policies, etc.

Network virtualization: This allows us to create overlay virtual networks independent of the underlying transport networks.

We need to use first principles thinking to dig deeper until we are left with only the foundational truths of a situation. The foundational truth is that networks are built to transmit, exchange, and share data. We need easy and secure, not complex and bolted on. While zero trust and virtualization can be applied to networks, we are bolting on solutions that do not fully solve the problem. It is only by recognizing that just because "we've always done it this way" does not mean we always have to that we can reinvent the network.

Reinvent the network by eliminating the network

The only way to square the circle is to embed zero trust, programmable networking into our applications, based on open source technologies that are easy and free. This reinvents the network by putting it inside the application. As Bruce Lee said, "be water, my friend". Put zero trust networking inside the app and it becomes the app; run your application on the internet and it becomes the internet.

Application connectivity is secure by default while isolating apps from the internet, local, and host OS networks. App communication cannot occur until it is explicitly authenticated and authorized based on a strong embedded identity. This isolation from the underlay, including no exposed/listening ports, stops malicious external actors from exploiting the network. These attacks include zero-day/CVE exploits, DDoS, port scanning, credential/password stuffing, phishing, etc. We have made traditional network security irrelevant.[1]

Free and open source application-embedded networking does not just have profound security advantages and the ability for us to focus on value-added services and features instead of hard security; it also helps us to reduce business costs and vendor lock-in. These applications only require commodity outbound internet and eliminate the need for public DNS, VPNs, bastions, complex firewall rules, inbound ports, or other proprietary tools and infrastructure. We can programmatically manage the overlay and policies using DevOps tools and methodology, without requiring network engineering skills.

Embedding every application in the world with zero trust will take time – just like securing browsers took time and VPNs were in the past! OpenZiti is an open source, free and easy way for the world to embed zero trust, programmable networking into anything and everything. Use these local programs to protect your existing applications and infrastructure and allow your brownfield solutions to participate in the new, identity-driven zero trust overlay network.

Existing applications implement zero trust of the local and internet networks, providing an immediate and huge reduction in attack surface. Accessing your apps exclusively over the zero trust overlay network raises the bar on attackers by orders of magnitude. Bad actors can no longer attack targets from afar. They need to be local to the machine to launch an attack, reducing the return on investment for malicious actors such as ransomware operators.

The network is dead, long live the application network.

[1] We refer to traditional network security as things such as public DNS, VPNs, MPLS, bastions, APNs, proxies, complex firewall rules, inbound ports, or other proprietary tools and infrastructure.
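To make the "authenticate, then authorize, then connect" model described above concrete, here is a small Python model written for this page; it is not OpenZiti's code or API. Identities are enrolled with a controller, bind and dial policies are explicit, a service is hosted by name with no OS listening socket, and a dial is refused for unknown, forged or unauthorized identities. An HMAC over a random challenge stands in for the certificate-based identity a real overlay would use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class Identity:
    """Identity carried inside the app; the secret stands in for real embedded key material."""
    name: str
    secret: bytes
    def sign(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class Overlay:
    """Toy controller plus fabric: enrolled identities, bind/dial policies, hosted services."""
    def __init__(self) -> None:
        self.enrolled: dict[str, bytes] = {}              # identity name -> secret
        self.policies: set[tuple[str, str, str]] = set()  # (identity, "bind" | "dial", service)
        self.hosted: dict[str, str] = {}                  # service name -> hosting identity

    def enroll(self, name: str) -> Identity:
        secret = os.urandom(32)
        self.enrolled[name] = secret
        return Identity(name, secret)
    def allow(self, name: str, action: str, service: str) -> None:
        self.policies.add((name, action, service))

    def _authenticated(self, ident: Identity) -> bool:
        """Challenge-response: the caller must prove it holds the enrolled secret."""
        secret = self.enrolled.get(ident.name)
        if secret is None:
            return False
        challenge = os.urandom(16)
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(ident.sign(challenge), expected)

    def bind(self, ident: Identity, service: str) -> None:
        """Host a service by name on the overlay; no OS listening socket is opened."""
        if not self._authenticated(ident) or (ident.name, "bind", service) not in self.policies:
            raise PermissionError(f"{ident.name} may not bind {service}")
        self.hosted[service] = ident.name

    def dial(self, ident: Identity, service: str) -> tuple[str, str]:
        """Authenticate, then authorize, then connect: strangers never learn whether a service exists."""
        if not self._authenticated(ident):
            raise PermissionError("unknown or forged identity")
        if (ident.name, "dial", service) not in self.policies:
            raise PermissionError(f"{ident.name} has no dial policy for {service}")
        if service not in self.hosted:
            raise ConnectionError(f"{service} is not hosted")
        return ident.name, self.hosted[service]  # in-memory session; no inbound port was needed
```

A port scan of the hosting machine finds nothing because `bind` never calls the OS; only an enrolled identity with a matching dial policy can even learn that the service is there.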