Hi, I’m wondering about the ZDEW concept. What if, in the future, the client cannot delete the identity (forget this identity)? Only the admin can delete it, or they might accidentally delete it. Is there any thought on it?
Besides, the ZAC documentation on how to use it is not available yet, right?
Currently, I want to explore more of the security side of OpenZiti.
I'm not sure what the problem is. All users should report the laptop as stolen/lost if that's the case so the admin can remove/revoke the identity. Alternatively, you can enable 2FA on the identity so that it can only be used with a successful 2FA.
There's no "how to use ZAC" yet, correct. The ZAC mirrors the concepts of the ziti CLI pretty closely. That, coupled with the doc, would hopefully be able to explain each screen/concept in enough detail. We're always working on making the doc better; if you have places you would like to see improvements, file an issue over on the repo.
Hope that helps
Let me restructure my question regarding the ZDEW. Is it possible that only the admin can configure the client side? For example, we want to restrict the client so that they cannot delete the identity, make their ZDEW stop, or something like that.
If you do not mind, let me construct what I understand into a use case example, and tell me if it needs editing.
We use Ziti to intercept all traffic on an endpoint as a business. Some traffic is microsegmented to access defined apps/services in our private DCs, and the rest of the traffic is routed to a Software Gateway/Firewall, which does inspection and rules - e.g., users cannot access gambling sites.
As a business, I do not want the user to be able to turn off ZDE and circumvent my security controls.
Oh, I see I misunderstood. No. At this time there's no way to prevent a logged-in user from forgetting an identity. It's specifically designed to allow non-administrators who are interactively logged in to perform that action. I am sure that this sort of feature could be implemented, it's just not how it's currently implemented.
Yup, something like this