Next step in identity-based network security
- Tailscale
- OpenZiti
- Wireguard
Identity vs Network Perimeter
OpenZiti is an example of a networking overlay that uses identities instead of a network perimeter as the basis for access control. So what is an identity-based control versus a network perimeter control? Metaphorically, basing security on a private network perimeter is like saying “You’re allowed to knock on my front door if you can look up my address in a public directory and walk into my yard,” whereas requiring an identity for an invisible service is like saying “You’re allowed to knock on my front door if I sent you the secret map to my neighborhood and you have your own unique PIN for the front gate.” The identity that permits you to knock on the door is separate from the login credential, which is like the key that lets you open the front door.
A familiar example of network perimeter control would be limiting access to the Jenkins UI login prompt to private user network addresses on a VPN or the VPC’s private subnets attached to an SSH bastion. An example of an identity control is that your device was issued a certificate that allows you to access the Jenkins server’s login prompt from anywhere. In other words, it’s who you are (your verifiable identity), not where you are (your address with respect to the perimeter).
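As an added illustration (not code from this article, nor from OpenZiti, Tailscale or WireGuard), the following Go program puts the two kinds of control side by side: a perimeter check that admits a request based only on its source address, and an identity check that admits a request only if the device presents a certificate chaining to an enrollment CA, no matter where the request comes from. The CA name, the device name "alice-laptop" and the subnet ranges are constructed for the example, and the functions PerimeterAllows, NewCA, IssueDeviceCert and IdentityAllows are hypothetical names, not an API of any of the projects named above; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PerimeterAllows models network-perimeter control: a request is admitted only if its
// source address lies inside a trusted subnet. Only "where it came from" is checked.
func PerimeterAllows(srcAddr string, trustedCIDRs []string) bool {
	ip := net.ParseIP(srcAddr) // nil for malformed input, and no subnet contains nil
	for _, cidr := range trustedCIDRs {
		_, subnet, err := net.ParseCIDR(cidr)
		if err == nil && subnet.Contains(ip) {
			return true
		}
	}
	return false
}

// sign sets serial and validity, signs tmpl with the parent's key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo only; real CAs use random 128-bit serials
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a throwaway self-signed CA standing in for the overlay's enrollment
// authority (constructed for this example; a real CA key never leaves the authority).
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, pub, priv)
	return cert, priv, err
}

// IssueDeviceCert is the enrollment step: the CA signs a client-auth leaf whose subject
// is the device's identity. The device's private key is generated and kept on the device.
func IssueDeviceCert(ca *x509.Certificate, caKey ed25519.PrivateKey, device string) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: device},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca, pub, caKey)
}

// IdentityAllows models identity control: the request is admitted if the presented
// certificate chains to the trusted CA and is valid for client authentication; the
// source address plays no part, and the verified device name is returned.
func IdentityAllows(presented, trustedCA *x509.Certificate) (string, bool) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", false
	}
	return presented.Subject.CommonName, true
}

func main() {
	trusted := []string{"10.8.0.0/24", "172.31.0.0/16"} // constructed VPN pool and VPC range
	fmt.Println("perimeter: VPN", PerimeterAllows("10.8.0.5", trusted), "internet", PerimeterAllows("203.0.113.7", trusted))
	ca, caKey, err := NewCA("example-device-ca")
	if err != nil {
		panic(err)
	}
	leaf, err := IssueDeviceCert(ca, caKey, "alice-laptop")
	if err != nil {
		panic(err)
	}
	who, ok := IdentityAllows(leaf, ca)
	fmt.Println("identity, enrolled device from anywhere:", who, ok)
}
```

The perimeter check answers only "is this address inside the fence", so anyone who reaches the VPN or VPC range is admitted and anyone outside it is refused, regardless of who they are. The identity check answers "was this device enrolled by our CA", so the same device is admitted from a coffee shop and a forged certificate with the same name but a different issuer is refused. In both cases the Jenkins login prompt (the front door key) still sits behind the check; what changes is what gets you to the door.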