By Philip Griffiths and Clint Dovholuk

Protecting applications is getting more complicated. Applications must attach to networks, which exposes them to all the insecurities that come with those networks. What if we could stop all attacks that start with scan and exploit and make traditional network security[1] entirely irrelevant? Threats could exist on the network and not attack our applications. What if it was easy, free and open source?

Before we answer the question of making traditional network security irrelevant as a standard, let’s position the problem:

  • We all care about security – but man, it’s hard. It’s so hard that we don’t have the time to spend on it. We end up focusing our time on implementing features – NOT security.
  • All networks are insecure. Period. The purpose of a network is transmitting, exchanging or sharing data and resources – not security.
  • Insecure networks have us being crushed in the cybersecurity war. It's too cheap and easy for malicious actors to launch attacks, laterally move and exploit. We implement elaborate, time-consuming and costly controls and infrastructure to protect our applications, and still, malicious actors make massive revenue causing enormous costs for society.
  • System operators must be ever vigilant to stop vulnerabilities being exploited by malicious actors across the network – watching email lists, scanning for updates, coordinating change windows and downtime, implementing patches.
  • The zero trust security model was created to reduce network risks by leveraging strong identities and the idea of “never trust, always verify”, but it is historically hard to implement and puts the onus on the application consumers, not application creators.

Security is hard. But it is mandatory. Security must be easy to adopt, run, maintain. When it is, it becomes standard to the benefit of everyone.

Let’s demonstrate this using a case study. A little over ten years ago, when using a browser to access websites, all data was transferred using unencrypted HTTP. Then (free and open source) technologies like HTTPS Everywhere and Let’s Encrypt came along. HTTPS was a great idea and became so easily accessible and widely available that ALL major browsers implemented it, leading to the retirement of HTTPS Everywhere.

We need to go through the same process to secure our applications. Securing the network, which is impossible, must become a thing of the past, just like HTTPS Everywhere.

 

Foundational truths about networks

The best way to protect our applications is to make security so easy and free that it becomes a standard that everyone can implement. The network as we know it is no longer sufficient. We need to reinvent it.

Luckily, we have the core technology concepts to deliver this. We need to use first principles thinking to dig deeper until we are left with only the foundational truths of a situation.

  • Zero trust security model: This provides principles including strong identity, authentication and authorization, account-based access control policies, etc.
  • Network virtualization: This allows us to create overlay virtual networks independent of the underlying transport networks.

The foundational truth is that networks are built to transmit, exchange, and share data. While zero trust and virtualization can be applied to networks, we are bolting on solutions that do not fully solve the problem. We need easy and secure, not complex and bolted on. Only by recognizing that “we’ve always done it this way” does not mean we always have to can we reinvent the network.

Reinvent the network by eliminating the network

The only way to square the circle is to embed zero trust, programmable networking into our applications based on open source technologies that are easy and free. This reinvents the network by putting it inside the application. As Bruce Lee said, “be water, my friend”. Put zero trust networking inside the app and it becomes the app; run your application on the internet and it becomes the internet. Application connectivity is secure by default while isolating apps from the internet, local, and host OS networks. App communication cannot occur until explicitly authenticated and authorized based on a strong embedded identity. This isolation from the underlay, including no exposed/listening ports, stops malicious external actors from exploiting the network. These attacks include zero-day/CVE exploit, DDoS, port scanning, credential/password stuffing, phishing, etc. We have made traditional network security irrelevant.

Free and open source application embedded networking does not just have profound security advantages and the ability for us to focus on value-added services and features instead of hard security; it also helps us to reduce business costs and vendor lock-in. These applications only require commodity outbound internet and eliminate the need for public DNS, VPNs, bastions[2], complex firewall rules, inbound ports, or other proprietary tools and infrastructure. We can programmatically manage the overlay and policies using DevOps tools and methodology without requiring networking engineering skills.

NetFoundry created OpenZiti to provide an open source, free and easy way for the world to embed zero trust, programmable networking into anything and everything. Embedding every application in the world with zero trust will take time – just like securing browsers took time and VPNs were the past! This is why, while we keep app-embedded as our north star, we can help you get there by providing applications for all major desktop/mobile operating systems, which we call tunnelers. You can use these local programs to protect your existing applications and infrastructure and allow your brownfield solutions to participate in the new, identity-driven zero trust overlay network. Existing applications implement zero trust of the local and internet networks, providing an immediate and huge reduction in attack surface. Accessing your apps exclusively over the zero trust overlay network raises the bar on attackers by orders of magnitude. Bad actors can no longer attack targets from afar. They need to be local to the machine to launch an attack, reducing the return on investment for malicious actors such as ransomware operators. Uniquely, we have built NetFoundry and OpenZiti so that anyone can employ them in any use case, including hybrid/multi-cloud, edge and IoT, user access (incl. DevOps or user remote access) or app-embedded [3].

The only question is, do you want to host your OpenZiti overlay network or let NetFoundry host, run and maintain it for you (including free-forever tiers)?

The network is dead, long live the application network.

 

[1] We refer to traditional network security as things such as public DNS, VPNs, MPLS, bastions, APNs, proxies, complex firewall rules, inbound ports or other proprietary tools and infrastructure.
[2] Read about how NetFoundry took our bastions offline here
[3] If you just want to see more Ziggy outfits, check out this blog

VP - Head of Global Business Development and Alliances at NetFoundry
Developer and Zero Trust Evangelist