It’s an exciting week for this newsletter because, after much anticipation, the O’Reilly book - Zero Trust Networks: Building Secure Systems in Untrusted Networks is now available. Written by two former engineers at PagerDuty, the book dives deep into practical advice for companies looking to adopt their own Zero Trust security architecture. As proponents of the model, we are excited to see the book hit the streets.
ScaleFT is also pleased to be the exclusive provider of a free excerpt of the book. We are offering the chapter titled Realizing a Zero Trust Network, which covers practical advice on how to design your own system, along with case studies from Google’s BeyondCorp and PagerDuty’s Cloud Agnostic Network. It’s the best chapter to give away because it really gets to the heart of what it takes. Get your free chapter here!
Also, for those attending O’Reilly Velocity this week, the book authors, Evan Gilman and Doug Barth, will be giving a presentation on Thursday with the same title as the book. I’ll be there, so let me know if you will be too.
Here are a few additional things that caught my eye this past week.
What a digital organisation looks like [Medium]
You can replace every instance of Digital with Secure in this article and it still works (yes, I actually tried it). I do believe that the Zero Trust model is a seismic architectural shift on par with that of the cloud, making security transformation something that impacts the entire organization much like digital transformation. The good news is that we can look to best practices such as those in this article as a guide.
Forrester: Rapid Cloud Adoption Drives Demand for Security Tools [DarkReading]
On a similar note, the rise of Cloud adoption is driving the market for a new class of security tools that can adapt to these new environments. The distinction will lie in how cloud native the solutions are - not just in marketing speak, but in actual practice.
Identity at Scale: how the Internet of Things will Revolutionize Online Identity [The Security Ledger]
I often talk about how Zero Trust is redefining Identity, but usually only in the context of corporate Identity. With connected devices, we’re talking about machine-oriented communications over human-oriented, changing the notion of Identity. As these billions of devices hit the market, we need to come up with a new model of authentication and authorization because traditional PKI just won’t do. A real challenge indeed, but a possible solution is a more automated environment that decouples certificate issuance from the devices themselves. This makes sense, but the system would have to be globally distributed, highly performant, and based on standard protocols.
Identity Propagation in an API Gateway Architecture [Apigee Blog]
Somewhat related to the prior point, here’s an excellent technical post on end-to-end identity propagation across APIs. The key is preserving security context throughout the entire request. The pattern covered here is doing so through a token exchange using OAuth2 and OpenID Connect. Combine this with a central authorization engine, and you have the makings of a Zero Trust workflow.
Identity Management Metrics your Board of Directors Will Care About [Solutions Review]
If you’re ever stuck convincing someone of the merits of a modern access management solution, these metrics will help. What I like about this list is that the metrics aren’t obvious, and they convey actual user activity and real threat vectors, which makes the justification to invest an easier pitch.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT