I’m just returning from a few days at Disney World with my future in-laws from Brazil, and it was, in a word, magical! (Yes, I have to say that if I want to keep my wedding plans intact.) It’s been nearly 30 years since my grandparents took me as a bright-eyed child, and while the attractions had a familiar feel, the park experience was a whole new world. After watching my fiancée (a true Disney pro) with her Magic Band, I started to think about Identity in a way that I often talk about in the context of BeyondCorp.
When in the perimeter of the park, Disney knows your every move, and builds a profile accordingly for both the safety and experience of the guests. This is most certainly only the beginning of their capabilities; soon enough they’ll be personalizing everything from the character appearances to the ride simulations – and of course the merchandise!
So how does this relate to BeyondCorp? Well, I’d say it has everything to do with how an Identity profile is built with contextual information, and where the line between personal and corporate Identity is drawn. Within the park, Disney monitors your activity, your location, and your behavior through the Magic Band. Once out of the park, the Magic Band is no more than a bracelet, and your personal anonymity and privacy are restored.
While no longer confined to a perimeter in that sense, companies that adopt the Zero Trust model treat employee behavior in a similar manner. To gain access to a metrics dashboard, for example, you must be authenticated and authorized, and all activity is closely monitored. However, the same shouldn’t necessarily be done for general web browsing. While all traffic should be treated as untrusted, you should only really be concerned with the company resources you are protecting. As you design your own security architecture, think about both the safety of your resources and the experience of your employees.
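To make that distinction concrete, here is an added example (not code from the original post or from ScaleFT): a toy access-proxy policy that applies identity, group and device checks only to company resources and logs those accesses, while forwarding everything else untouched. Hostnames, groups, users and device states are all constructed for the example.

```python
# Added example, not part of the original post. A minimal BeyondCorp-style
# access decision: company resources require an authenticated user, an
# authorized group and a managed device, and every such request is logged;
# requests for anything else are forwarded without identity checks or
# profiling. All resource names, groups and sample requests are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# constructed: protected resource -> groups allowed to reach it
COMPANY_RESOURCES = {
    "metrics.corp.example": {"sre", "eng"},
    "hr.corp.example": {"hr"},
}


@dataclass
class Request:
    host: str
    user: Optional[str] = None           # None means unauthenticated
    groups: FrozenSet[str] = frozenset()
    device_managed: bool = False


@dataclass
class Decision:
    action: str                          # "allow", "deny" or "forward"
    reason: str


# audit trail for company resources only (host, user, action, reason)
access_log: List[Tuple[str, Optional[str], str, str]] = []


def evaluate(req: Request) -> Decision:
    if req.host not in COMPANY_RESOURCES:
        # Outside the "park": no identity check, no profile, no log entry.
        return Decision("forward", "not a company resource")
    # Inside the "park": authenticate, authorize, then record the access.
    if req.user is None:
        decision = Decision("deny", "unauthenticated")
    elif not req.device_managed:
        decision = Decision("deny", "unmanaged device")
    elif not (req.groups & COMPANY_RESOURCES[req.host]):
        decision = Decision("deny", "not authorized for resource")
    else:
        decision = Decision("allow", "authenticated, authorized, managed device")
    access_log.append((req.host, req.user, decision.action, decision.reason))
    return decision
```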
Here are a few additional things that caught my eye this past week.
Verizon’s 2017 Data Breach Investigations Report [Verizon]
Now in its 10th edition, Verizon delivers in-depth analysis of the prior year’s data breaches. I love the humorous tone of the report - it makes it much easier to digest. Many of the findings feel similar to previous reports; however, they go into more detail within specific verticals. The motivations, methods, and targets will vary from healthcare to retail, for example. Interesting to read as always.
OWASP Top 10 - 2017 Release Candidate [OWASP]
The OWASP organization released an updated top 10 most critical web app security risks – the first since 2013. Much of it appears to be the same old story with only minor changes to reflect the times. I’d say that the surrounding landscape has changed significantly more so than what is shown here, making me think a new model should emerge. One notable change, however, is the reintroduction of Broken Access Control – which was on the list back in 2004.
Users have little confidence their company can protect their mobile device [CSO Online]
A study by Check Point Software found that 64% of respondents weren’t confident in their company’s ability to protect their mobile devices. This is clearly an area where learning from Google’s experience implementing BeyondCorp can help.
Network Security Creates a “Black Hole” of Overhead [InfoSecurity Magazine]
Those of us who believe in the perimeterless architecture of BeyondCorp understand the waste in placing more and more security controls at the network layer. A study conducted by 451 Research found that many companies are fed up with the amount of time and money spent protecting the network. More signs that we’re moving towards a future architecture driven by the Zero Trust model.
Profiling The Insider Threat - Breaking Down a Complex Security Term [InfoSecurity Magazine]
With every new report or list that comes out, one thing that remains consistent is that the risk of insider threats is top of mind at every company. Here, Dr Jamie Graves of Zone Fox shares five profiles to better understand the risk and ways to mitigate.
Next week is the Rocky Mountain InfoSec Conference, where I’ll be giving a talk titled BeyondCorp: Google Security for Everyone Else. I expect it to be a great event and hope to see some of you there. If you’ll be in attendance, let me know so we can set up a time to chat in person.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT