Comment by old-gregg
20 hours ago
Your "life hack" is not a good advice. There's plenty of well-written explanations for why perimeter based security doesn't work. What is strange is that you've started in the right place: by being "constantly worried about security implications of each app". Unfortunately it's annoying and time consuming, but that's the right way to keep your data private. And if that's too much hassle, it means it's worth it to pay others to do it.
When I'm thinking about a hypothetical situation when I need to save the world by hacking into a hypothetical villain, my best hope will be him using your approach to security.
Any serious approach to security begins with a reasonable and clearly defined threat model, and my threat model for my home network doesn't currently include a team of superheros targeting my file backups in an effort to save the world. But I'll definitely keep your advice in mind when I do decide to start executing on my evil plots.
For now my threat model consists of script kiddies and abusive corporations. Self-hosting gets me away from the corporations and keeping my stuff off of the public internet keeps me away from script kiddies.
> There's plenty of well-written explanations for why perimeter based security doesn't work
It certainly helps when your attack surface consists of numerous web apps of unknown quality.
Drive-by RCEs (e.g. log4j) then suddenly become much less of a headache when none of it is reachable by the world at large.
Exactly how you do that, whether via an authenticating reverse proxy or VPN doesn’t really matter.
Could you provide an example of one of the well written explanations?
just go and look at any of the vendors selling “zero trust” solutions. They all have white papers available about how a) perimeter security is “dead” and b) how their specific flavor of zero trust is the One True zero trust and the only thing you can trust to protect your data.
You will without exception need to provide an email address to access these white papers, so their inside sales team can ensure you fully understand the importance of trusting their zero trust, and not trusting anyone else’s.
I’m not kidding - even a little.
It's sad that "zero trust" has become almost the opposite of what it originally meant. Now you can have the same insecure RDP server with admin/admin login but at least it's protected by a VPN that only a few tens of thousands of people have access to.