While 200% of most everyone’s attention was consumed by the Equifax debacle, I was fortunate enough to speak about BeyondCorp at the Bay Area Cyber Security Meetup event last Thursday, hosted at Yelp’s headquarters in SF. You can view the slides here. As I often do when giving talks on the subject, I polled the audience at the beginning to ask how many people had heard of BeyondCorp before. I usually get a mixed response, but this time everyone’s hand went up. Beauty.
The 30-minute talk was immediately followed by an hour of intense follow-up, with a crowd of people waiting to hear more or ask the tough questions. I love it! The general response to my BeyondCorp talk is positive – people agree that Zero Trust is a much better security architecture than traditional perimeter-based methods, but often question whether it is really realistic for companies who don’t operate at Google’s level of scale. My entire presentation is centered around that being the case, but I’m still met with some skepticism.
It reminds me of the cloud 10 years ago or so, where it was obvious that it was the future, but so few were ready to make the leap. Many of my colleagues today were on the front lines at Rackspace, one of the true pioneers of the cloud. At the time I was a consumer, desperately trying to convince my IT department that we should use AWS to deploy our mobile app backends. It was a tough sell because the service catalog was limited, and there were so many question marks about infrastructure security. I existed in Shadow IT mode for a while, running an AWS account on my personal email and credit card (that would come back to bite me years later). It took a greenfield app in a hardly monitored business unit, with an easy-to-describe platform abstraction layer in Heroku, for me to finally get buy-in to use the cloud for an official project.
So what’s the lesson here in terms of BeyondCorp? Well, as I continue to advocate for people to adopt Zero Trust at their companies, I have to remember my own experience. First, it’s best to start with a greenfield app, or even just a test app, and go from there once comfortable. Second, it may take the right abstraction layers to bring a BeyondCorp-inspired implementation to the masses. The sheer complexity of operating the system components, the need for seamless integrations across a wide range of environments, and the custom development work to create a policy framework may be out of reach for 99% of companies.
Excuse the obvious pitch, but this really is the primary challenge we’re looking to solve at ScaleFT – breaking down Zero Trust into a consumable platform that can be incrementally adopted with minimal impact. We know we have a ways to go, but we have the right building blocks and a community behind the effort, so I continue to be extremely optimistic about the future, much like I have always been with the cloud.
I am glad to hear feedback from all angles, and encourage the community to continue to challenge me when I give talks or write on the subject. Tell me – if anything, what’s holding you back from making the leap to a Zero Trust implementation?
Here are a few additional things that caught my eye this past week.
Farseeing: a look at BeyondCorp [thinkst]
For a purely practical view of BeyondCorp, this is a great article that breaks down the traffic flows, device attestation, and policy decision making in a very clear manner. I often point to the elimination of static credentials as one of the main benefits of the architecture, which is echoed here among other points about minimizing the attack surface.
How to design a network that meets all of your users’ needs [TechRepublic]
One of the challenges Google faced during the implementation phase was supporting such a wide range of environments. There were some cases where they had to draw the line and say no – RDP to Windows servers as an example. Here, Tom Hull, CTO at the Moffitt Cancer Center, shares his thoughts on designing a secure network that supported the users.
Multiple Perspectives On Technical Problems and Solutions [KitchenSoap]
While not directly related to BeyondCorp, I liked this article for the thought process behind making significant architectural decisions. Solving a problem with technology only really works if there’s a real problem to be solved. Given the shift in architecture with a Zero Trust implementation, I could see a similar exercise being useful in the decision making process.
Workplace IoT Puts Companies on Notice for Smarter Security [DarkReading]
The importance of device identity only compounds with the growth of connected IoT devices. How to deal with this seemingly endless number of unknown devices with regards to network connectivity is a fear of many. While I may not agree with the parts of this article that speak to network segmentation, I do agree that companies need to have policies in place for device connectivity and functionality with regards to the corporate network.
Equifax: highlighting the problems with social security numbers [NakedSecurity]
Okay, okay… just one Equifax hot take. Forget the breach for a second, and think about how poor SSNs are as unique identifiers. They carry zero security properties, and can’t be changed if compromised. While it may not be the best example because of recent potential security issues, I do appreciate how Estonia went about issuing cryptographically verifiable ID cards to the entire population that are used for secure identification. I can only imagine how many blockchain-based identity pitch decks are in the works after the Equifax breach. Brace yourself.
BeyondCorpSF Drink Up
Thursday, Sep 28
5PM - 8PM
111 Minna Gallery (map)
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT