The ROI of security is a complicated topic given all the factors, intangibles, and pure randomness that go along with it. On one side you often have executives who treat security costs as purely insurance, and on the other side you often have vendors who make up fictional scenarios to sell products. No matter how you spin it, it’s a challenge to find a meaningful outcome. In this article, Robert Graham argues that ROI should be calculated as risk analysis more so than anything else. I would agree with that sentiment; however, we’re still talking about a purely hypothetical return on investment, so how much does that really change the conversation?
This has always been a point of tension within companies, as IT departments are all too often perceived as purely a cost center. But what’s happened in the past decade or so? While every company across every industry has transformed into a software company in some shape or form, we’ve seen IT departments become innovation centers. The ability to ship software faster and more effectively contributes more to the bottom line than anything else, and in turn, investments into IT have skyrocketed.
Yet, somehow security still lags behind in conversations around innovation – stuck as purely a cost center. Can we ever escape that, or will we always play the risk mitigation game? This is where I believe BeyondCorp really shines over anything else – it wasn’t purely a better security architecture for Google, it truly transformed how employees get work done by removing common barriers and headaches. I mention this stat all the time – since implementing BeyondCorp across the company, Google recognized a 30% reduction in IT support tickets. That is a crystal clear return on investment in terms of support cost, but it goes even further – imagine how much productivity is gained when your global workforce is not blocked from work due to security controls. Now we’re talking about an innovation center, which flips the ROI conversation on its head. Boom.
Here are a few additional things that caught my eye this week.
The Spectrum of Mobile Risk: Protecting Your Corporate Data [Security Ledger]
While we’re still talking about risk, mobile devices pose a number of threats to a company’s security posture. This was a key reason for Google implementing BeyondCorp, as they needed a way to account for the dynamic nature of users on mobile devices attempting to connect to sensitive company resources. Here, the firm Lookout put together the Mobile Risk Matrix, covering the threat vectors and components of risk in a clear format.
90% of Companies Get Attacked with Three-Year-Old Vulnerabilities [Bleeping Computer]
A key component of mobile risk is keeping up with vulnerabilities and patches. It’s hard enough for IT departments to track devices; it’s another thing entirely to enforce their upkeep. This stat from a Fortinet study should wake anyone up - 90% of attacks are from 3-year-old vulnerabilities. Yikes. The policies associated with a BeyondCorp-inspired system can help here by requiring users to self-remediate when software updates become available. Better posture through encouragement.
The TLS 1.3 Controversy, and Why We Need to Choose Stronger Security [Securosis Blog]
The good folks at Securosis are back with another solid and comprehensive analysis of a key topic - the controversy surrounding TLS 1.3. If you recall, there are some proposed changes that close a loophole companies commonly use to monitor traffic. Here, Rich Mogull breaks it down to a highly convincing point – always go for better security.
A Brief History of Open Source from the Netflix Cloud Security Team [Netflix Tech Blog]
Netflix has always been a company to admire, from their early adoption of the cloud to their distributed microservices architecture - their content catalog as well, of course. Here the cloud security team reviews all of the open source projects they’ve released. Some of these I’m familiar with, like BLESS and Stethoscope, others I’m just reading about for the first time. A nice peek into an advanced team’s efforts.
GoT & the Inside Threat: Compromised Insiders Make Powerful Adversaries [DarkReading]
Spoiler alert! This article takes the concept of a secure perimeter, and places it in the land of Westeros. How did I not think of this first?! Stolen credentials give anyone the keys to the kingdom, where an attacker can easily get past the walls by masquerading as an insider – in this case, Arya as a Faceless (Wo)man. This is the exact scenario BeyondCorp was designed for, so best to alert the writers for the next season!
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT