Shortly after sending out last week’s newsletter, Google published a blog post announcing the fourth research paper in the BeyondCorp series titled Migrating to BeyondCorp: Maintaining Productivity While Improving Security. As the title suggests, this paper covers the details of their rollout process - which is fascinating to say the least. At their level of scale, they went to great lengths to ensure there were no gaps in security, nor would the project hinder productivity. A monumental undertaking that they were able to pull off through careful planning and implementation.
The paper expands on a few key points from prior ones - it had to be a company-wide effort with strong executive support to succeed, and the implementation took numerous phases and iterations to get the system to a state where they could comfortably flow all traffic through. The way they deployed the BeyondCorp architecture alongside the traditional network was especially interesting - as each resource was placed behind an access proxy, they incrementally directed traffic through, continually monitoring and testing the results. When confidence in the outcome grew, more traffic would be directed through. Similarly, they installed the necessary client tools and certificates on all employee devices, continually testing against the access policies before allowing them on the new network.
Another relevant topic was how they supported the employees throughout the migration with training and documentation. They even went as far as to run promotional campaigns, spreading the word with laptop stickers and posters pointing to self-service help and office hours. All in all, they experienced a 30% drop in support issues since rolling out BeyondCorp. This not only speaks to the benefits of the architecture itself, but also the importance of getting everyone involved early and often to ensure a smooth rollout across the organization.
As Google continues to be so transparent with their experiences, we can apply their learnings to our own Zero Trust initiatives. What I appreciate most about this paper is how they frame BeyondCorp as an achievable model for others to follow. On a related note, I started a blog series about how companies of all kinds can move in this direction. The first post covers the key benefits one takes away from going through a security transformation - How to Go Zero Trust: Part 1 - Why the Architecture Matters.
Here are a few additional things that caught my eye this week.
Google’s Elite Hacker SWAT Team vs. Everyone [Fortune]
There are a lot of folks in our industry who have nightmares of getting a Tweet from @taviso on a Friday afternoon. While some debate his methods of publicizing vulnerabilities, it’s hard to argue against the impact Google’s Project Zero has had in recent years. This article profiles the team leading the charge, and even mentions the infamous Operation Aurora hack in 2009 that sparked BeyondCorp in the first place. Great read.
The NSA Has Done Little to Prevent the Next Edward Snowden [Motherboard]
Unlike most blog posts on this topic, this one doesn’t get political, but rather points out some obvious negligence on the part of the NSA in terms of securing its own infrastructure. A DoD report from last year found that server racks and other sensitive equipment were left unlocked, and that privileged access was poorly managed. This is somewhat shocking given their own tactics - maybe time to start dogfooding some of their own tools.
Fired Employee Hacks and Shuts Down Smart Water Readers in Five US Cities [Bleeping Computer]
On the topic of high-profile breaches, Adam Flanagan, who had used his privileged access to shut down utility systems after being terminated, was sentenced to a year in prison. In what is now becoming a common occurrence, IT administrators often leave their place of work with the knowledge - and more importantly, the privilege - to wreak havoc.
Your secure developer workstation solution is here, finally! [CSO Online]
One advantage that Google has in this arena is being able to mandate and manage all employee devices. We’ve talked about the benefits of company-issued Chromebooks in the past, but it has less to do with the device itself and more to do with the profile. This article covers what a secure developer workstation looks like - from the hardware to how apps are accessed.
The New Access Management Magic Quadrant: Did Gartner Get it Wrong? [Solutions Review]
If you follow how the analysts cover the industry, you may have noticed a change with Gartner, who is now covering a single Access Management category. Only recently there were Web Access Management, Privileged Access Management, and Identity as a Service categories to cover the wide range of solutions. We had a feeling there would be a convergence, but it came around faster than I would have anticipated.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT