As the 4th of July holiday hit this time last week, I opted out of sending a newsletter. I’m back in action today with another set of relevant articles to share. As mentioned in the prior issue, I’m in the midst of writing a blog series covering the steps a company should take on the path to their own Zero Trust architecture similar to Google’s BeyondCorp. The first post highlighted a few of the key benefits one takes away from going through this type of security transformation - How to Go Zero Trust: Part 1 - Why the Architecture Matters.
The second post dives into the activities a company should start doing - beginning with the data to collect ahead of time. Moving towards Zero Trust is a significant architectural shift that affects the people, processes, and technology across the entire organization, and having a strong understanding of the impact is critical. In their research papers, Google often talks about the challenges they faced along the way, and what they did to solve them. Luckily, we can look to their experience as a guide in our own efforts. For a deeper dive, read the whole article here - How to Go Zero Trust: Part 2 - Collecting Relevant Data.
The next post in the series will talk about creating the right access policy framework for your organization. Stay tuned for that. In the meantime, here are a few things that caught my eye this past week.
Two-Factor Authentication is a Mess [The Verge]
Clearly an attention-grabbing headline meant to spark a reaction, but this article does bring up a few good points. The outcome isn’t that 2FA is wrong, it’s that it’s often poorly implemented. We’re a ways away from any agreement on standards or specifications (FIDO currently leading), and the UX is still lacking for non-technical users. That’s not to say we’re not on the right path, but 2FA is part of a larger trust workflow, not the silver bullet some may promise.
Why NotPetya Kept Me Awake (& You Should Worry Too) [tisiphone.net]
There was certainly no lack of coverage of the latest malware flavor of the month, along with the typical responses to patch, and of course… buy more software. This article cuts deeper, focusing on the poor network security architecture that enables these exploits to keep popping up. If we’re to get past this cycle, we need a new architecture, which is really what Zero Trust brings to the table.
How I learned to stop worrying (mostly) and love my threat model [Ars Technica]
An excellent piece grounded in reality and practicality. The outcome of this article is a meaningful threat assessment model - aptly dubbed the Ars Threaty McThreatface Assessment Model. What I really like about this is mapping each asset to its potential threats. This allows us to place the proper protections accordingly instead of blanket coverage or policies that may not line up.
Wildcard Certificates Coming January 2018 [Let’s Encrypt]
Another win for the future of a more secure Internet courtesy of the good folks at Let’s Encrypt - further lowering the bar to broad HTTPS support. This matters to the Zero Trust movement because if all applications are deployed to the public Internet, all traffic must be fully encrypted end to end. Building the PKI to support such a model is no trivial task, but making certificates so easily attainable sure does help.
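One caveat worth having in hand before leaning on wildcard certificates: a `*.example.com` certificate covers exactly one DNS label, so it matches `www.example.com` but neither the bare `example.com` nor `a.b.example.com`. The matcher below is an added example written for this newsletter, not code from Let’s Encrypt or the linked post; it follows the RFC 6125 section 6.4.3 rules and, as a deliberate assumption, rejects partial-label wildcards such as `w*.example.com` and overly broad ones such as `*.com`, which some client libraries are more lenient about.

```python
"""Check whether a certificate's subject alternative names cover a hostname,
applying strict wildcard semantics (RFC 6125 section 6.4.3).

Added example; the sample SAN lists below are constructed, not taken from any
real certificate.
"""
from typing import Iterable, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name (possibly a wildcard)
    covers `hostname`. Comparison is case-insensitive, and a trailing
    dot (absolute DNS name) is ignored on both sides."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    # A hostname being connected to never legitimately contains a wildcard.
    if "*" in hostname:
        return False

    # No wildcard: exact match only.
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Assumption (strict policy): the wildcard must be the entire leftmost
    # label and must not appear anywhere else, so "w*.example.com" and
    # "*.*.example.com" are refused.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False

    # Assumption (strict policy): refuse "*" and "*.com"-style patterns,
    # which would span an entire top-level domain.
    if len(p_labels) < 3:
        return False

    # The wildcard stands in for exactly one label: "*.example.com" does
    # not cover "example.com" (too few labels) or "a.b.example.com"
    # (too many labels).
    if len(h_labels) != len(p_labels):
        return False

    return h_labels[1:] == p_labels[1:]


def covering_names(sans: Iterable[str], hostname: str) -> List[str]:
    """Return every SAN entry that covers `hostname`; an empty list means the
    certificate should be rejected for that host."""
    return [name for name in sans if hostname_matches(name, hostname)]


if __name__ == "__main__":
    # Constructed SAN list resembling what a wildcard certificate carries.
    sample_sans = ["example.com", "*.example.com"]
    for host in ["www.example.com", "example.com", "a.b.example.com"]:
        print(host, "->", covering_names(sample_sans, host))
```

The last case is the one that trips people up: a service at `a.b.example.com` needs either its own name in the SAN list or a `*.b.example.com` wildcard, and nothing in a `*.example.com` certificate helps it.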
New Google Security Controls Tighten Third-Party Data Access [DarkReading]
In response to the recent OAuth phishing attack that hit many G Suite users, Google has implemented a new feature that allows admins to whitelist specific apps to a corporate domain. While not directly related to BeyondCorp per se, there are similarities in how the access policies are created and managed. Yet another example of Google bringing their internal security practices into their products.
We’re excited to be at the Black Hat conference as a sponsor in a couple of weeks. Come by the ScaleFT booth #IC24 in the Innovation Center to talk all things BeyondCorp and Zero Trust!
Black Hat 2017
Jul 26-27
Mandalay Bay
Las Vegas
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT