
BeyondCorp Weekly 32

Ivan Dwyer - August 22, 2017



Yesterday was rather monumental, with the solar eclipse captivating most everyone’s attention throughout the day (while severely lowering productivity across the workforce). As a San Francisco resident, my view was primarily that of Karl the Fog, which means I managed to get a lot done without distraction. I hope you had a better view of the spectacle… with the proper protective eyewear, of course. Despite the incessant warnings, however, plenty of folks still made the mistake of staring right into the sun (I won’t say who). It just goes to show that preventative measures, no matter how obvious and glaring (no pun intended), are still too often overlooked.

What does this have to do with BeyondCorp, you ask? Everything, when you consider the impact a person’s individual presence has on a company’s overall security posture. Companies are investing heavily in training programs in the hopes that everyone, from the system administrators to the knowledge workers, does their job safely and securely. While there may still be a new high-profile breach making headlines week after week, it does at least feel like the message is starting to resonate. But how can one really tell if things are getting better?

The ROI of security can be challenging to pinpoint, but one way to calculate it is to perform a cost-benefit analysis of the cost of a breach vs. the cost of the measures. This article by Isaac Kohen walks through the meaning behind such an exercise. According to research by The Ponemon Institute, “the average cost of just one insider incident is $206,000. Throughout the course of a year the cost averaged out to be around $4.3 million.” The same report found that “large enterprises were spending roughly $4 million annually” on preventative measures – training programs and technology solutions. That may seem like a wash; however, given that most insider breaches are due to negligence, the programs will pay off in the long run.

For these investments to really make a difference, however, the training must be meaningful and the technology must be useful. That sounds obvious, but most of the solutions on the marketplace in both regards are still centered around traditional models and methods, which are proving to break down in the modern cloud era. That’s one of the key reasons BeyondCorp was so successful – Google flipped the model on its head and really got to the heart of the issue. It stands to reason that companies following a similar path would also make the smart investments in their people and the technology they implement.

Here are a few additional things that caught my eye this week.


Global Security Spending to Top $86.4bn This Year [InfoSecurity Magazine]

On the topic of spending, Gartner forecasts that worldwide spending on security products and services will reach $86.4 billion in 2017, a 7% increase over 2016. While the figure is all-encompassing, they attribute much of the rise to security testing, GDPR, and managed services. Where they forecast a decline is in hardware solutions, given the rise of cloud services and SaaS applications. As evidenced by BeyondCorp, the days of VPN appliances are numbered, with software solutions capturing mindshare and market share.

50% of Ex-Employees Can Still Access Corporate Apps [DarkReading]

It’s no wonder that insider attacks top the list of insider breaches year after year – a recent study by OneLogin found that nearly half of all respondents had ex-employees with continued access to corporate resources. This is really a function of Identity Governance in the cloud era. No longer can you simply remove an employee from the database; you have to be sure that deprovisioning propagates throughout all the cloud services and SaaS applications.

Steering oceans of content to the world [Facebook Research]

If you recall from the past few newsletters, we at ScaleFT have introduced the concept of an Access Fabric - a globally distributed authentication, authorization, and encryption engine capable of making fast trust decisions based on dynamic conditions. In this post, Facebook shares the details of its Edge Fabric, their networking environment. Naturally, it’s pretty impressive technology, and speaks to the challenges of building large scale distributed systems.

The State of CRLs Today [Tactical Secret]

While no longer in favor on the public Internet, CRLs are still common practice for managing privileged access to corporate resources. Here J.C. Jones points out some of the downfalls of CRLs within the public Internet; however, many of the disadvantages, such as their size, apply to a corporate environment too. Not having to maintain CRLs is one of the many benefits of moving towards a Zero Trust architecture, because the backing credentials are ephemeral, meant for single use only.

An OSI layer model for the 21st century [davidad]

Here’s an interesting idea to update the traditional OSI layer model to be more aligned with modern cloud environments. What I like about this approach is how it’s more outcome-oriented vs. purely functional. We’ll see if it catches on.


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
