Another week gone by with the news dominated by the Equifax breach. There’s no reason for me to be yet another talking head on the subject, so moving right along – ScaleFT CTO and co-founder, Paul Querna, did a podcast interview with Derrick Harris of ARCHITECHT that was published yesterday. It’s definitely worth a listen as it speaks to the origins of BeyondCorp, and the parallels with the founding of ScaleFT. The conversation steered naturally towards improving the user experience of security, which is a key outcome of a Zero Trust implementation done right.
If you’re a regular reader of this newsletter, you’ve heard me speak to the top-down mandate for BeyondCorp: it had to work, and the users had to love it. Both premises shaped the overall success of the project, but it was really the intersection of the two that made BeyondCorp the right reference model for the future of enterprise security architectures.
The way to build security that users actually love is to understand the common workflows of day-to-day operations and incorporate security controls that don’t get in the way. Opening your systems to the outside world makes you an easy target, but locking your network behind a VPN gets in the way. Finding the sweet spot between the two is no easy task, and it took a complete redesign of Google’s IT architecture to get it right.
To me, it starts with redefining identity as a user plus their device at a point in time, forming a session profile that can be fully authenticated and authorized in real time. Starting from zero trust by default, every access request becomes a policy decision from there. Putting forth a secure and likable user experience then comes down to writing policies that make sense for those workflows, and enforcing controls around them.
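To make the "user plus device at a point in time" idea concrete, here is a toy policy decision written for this newsletter. It is not BeyondCorp or ScaleFT code; the device attributes, the two trust tiers, the 30-day patch window and the 12-hour MFA window are all assumptions chosen for the illustration. The point to notice is the ordering: a stale MFA on a sensitive resource produces a step-up prompt rather than a hard deny, which is the kind of policy users can live with.

```python
"""Toy zero-trust access decision: identity is the user plus their device at a point in time.

Added illustration for this newsletter; it is not BeyondCorp or ScaleFT code.
Every attribute, tier and threshold below is an assumption made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple


@dataclass
class Device:
    serial: str
    managed: bool            # present in the device inventory (assumed attribute)
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS update


@dataclass
class User:
    name: str
    groups: Set[str]
    last_mfa_at: Optional[datetime]   # None if the user never completed MFA


@dataclass
class Session:
    """The point-in-time identity: who, on what, when."""
    user: User
    device: Device
    at: datetime


@dataclass
class Resource:
    name: str
    sensitivity: str         # "low" or "high" (assumed two-tier model)
    allowed_groups: Set[str]


def device_trust_tier(d: Device) -> str:
    """Collapse device posture into a tier the policy can reason about."""
    if not d.managed:
        return "untrusted"
    if d.disk_encrypted and d.os_patch_age_days <= 30:
        return "full"
    return "basic"


def decide(s: Session, r: Resource, mfa_window: timedelta = timedelta(hours=12)) -> Tuple[str, str]:
    """Return (decision, reason); decision is "allow", "step_up" or "deny".

    Order matters for the user experience: hard denies come first, and a stale
    MFA on a high-sensitivity resource yields a step-up prompt rather than a deny.
    """
    if not (s.user.groups & r.allowed_groups):
        return ("deny", "user not in an allowed group")
    tier = device_trust_tier(s.device)
    if tier == "untrusted":
        return ("deny", "unmanaged device")
    if r.sensitivity == "high" and tier != "full":
        return ("deny", "device posture too weak for a high-sensitivity resource")
    mfa_fresh = (s.user.last_mfa_at is not None
                 and s.at - s.user.last_mfa_at <= mfa_window)
    if r.sensitivity == "high" and not mfa_fresh:
        return ("step_up", "MFA older than the allowed window")
    return ("allow", f"device tier {tier}")


def demo() -> dict:
    """Constructed sessions showing each outcome; users, devices and resources are made up."""
    now = datetime(2017, 9, 22, 10, 0, tzinfo=timezone.utc)
    bob = User("bob", {"eng"}, last_mfa_at=now - timedelta(hours=13))
    alice = User("alice", {"sales"}, last_mfa_at=now - timedelta(minutes=5))
    laptop = Device("LAPTOP-1", managed=True, disk_encrypted=True, os_patch_age_days=5)
    phone = Device("PHONE-2", managed=True, disk_encrypted=False, os_patch_age_days=5)
    personal = Device("UNKNOWN-7", managed=False, disk_encrypted=True, os_patch_age_days=0)
    wiki = Resource("wiki", "low", {"eng", "it", "sales"})
    prod_admin = Resource("prod-admin", "high", {"eng"})
    return {
        "bob_wiki_laptop": decide(Session(bob, laptop, now), wiki),
        "bob_prod_laptop": decide(Session(bob, laptop, now), prod_admin),
        "bob_prod_phone": decide(Session(bob, phone, now), prod_admin),
        "bob_wiki_personal": decide(Session(bob, personal, now), wiki),
        "alice_prod_laptop": decide(Session(alice, laptop, now), prod_admin),
    }


if __name__ == "__main__":
    for case, (decision, reason) in demo().items():
        print(f"{case:20} {decision:8} {reason}")
```

Run it and Bob reads the wiki from his laptop with no prompt at all, gets a step-up prompt (not a wall) when he reaches for prod-admin with a 13-hour-old MFA, and is denied outright only from an unmanaged device or a device whose posture is too weak for the resource.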
If that sounds too easy, that’s because the summary glosses over the work: tracking all user devices, forming a policy framework, and implementing zero trust access controls is quite the undertaking, no matter the size of the company. That’s why breaking BeyondCorp down into consumable services that can be incrementally adopted is my primary mission in building this community.
If you’d like to get more involved with the community, feel free to reach out to me directly, or better yet, for those in the Bay Area, come to our upcoming Meetup on Thursday, Sep 28th at 111 Minna. It’ll be a casual gathering of the community, the kind of thing we’re going to do more of on a regular basis. Come by anytime after 5; food and drinks are on us!
https://www.meetup.com/BeyondCorpSF/events/243289447/
Here are a few additional things that caught my eye this past week.
An Unexpected Security Problem in the Cloud [Wall Street Journal]
When security hits the WSJ, it’s a major story. Operation Aurora, the 2009 attack that sparked BeyondCorp, made the front page when it was disclosed in January 2010 (back when there was a “front page”). This article points to the dangerous consequences of configuration errors when using cloud services, which are all too often the root cause of the breaches we read about on a weekly basis.
Cloud Security’s Shared Responsibility Is Foggy [DarkReading]
One of the challenges with cloud security is fully understanding each provider’s shared responsibility model. The AWS document referenced in this article is quite thorough, but it takes a solid grasp of the model to get right. I will say that this article places too much of the onus on the cloud provider, however, which isn’t exactly actionable advice. Let’s hope the cloud providers continue to improve their platforms, but users still need to understand who’s responsible for what.
Responding to typical breaches on AWS [Medium]
Speaking of the shared responsibility model, here is another fantastic deep dive from Magoo on what to do when AWS smells something fishy and sends you a notification from its Abuse department. He walks through the common cases of a leaked credential or an exposed server, and how to respond to each. Great advice as always.
Threat Intelligence Strategies Suffer from Data Overload [InfoSecurity Magazine]
Auditing and alerting are always a good thing, but knowing what to do with the data, and avoiding alert fatigue, is a common challenge. If your data isn’t actionable, it isn’t very useful. Being smart about the response means being smart about what is captured and analyzed. Keep this in mind when forming your access policy framework: don’t alert the IT manager every time Bob logs into the corporate wiki.
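Here is what that advice looks like as a few lines of triage logic, added for this newsletter rather than taken from the article. The access-decision log lines are constructed (the users and devices are made up), and the two rules, a user showing up on a device not in their known set and a burst of three denials on one resource, are assumptions chosen to show the idea: Bob’s routine wiki logins from his usual laptop never reach a human.

```python
"""Alert triage over access-decision logs: suppress the routine, surface the deviations.

Added example for this newsletter, not code from the linked article or any product.
The log format and the two rules below are assumptions chosen for the illustration.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample: one JSON access decision per line (made-up users and devices).
SAMPLE_LOG = """\
{"ts":"2017-09-18T09:01:00Z","user":"bob","device":"LAPTOP-1","resource":"wiki","decision":"allow"}
{"ts":"2017-09-18T09:05:00Z","user":"bob","device":"LAPTOP-1","resource":"wiki","decision":"allow"}
{"ts":"2017-09-19T09:02:00Z","user":"bob","device":"LAPTOP-1","resource":"wiki","decision":"allow"}
{"ts":"2017-09-19T11:30:00Z","user":"bob","device":"UNKNOWN-7","resource":"wiki","decision":"allow"}
{"ts":"2017-09-19T11:31:00Z","user":"bob","device":"LAPTOP-1","resource":"prod-admin","decision":"step_up"}
{"ts":"2017-09-19T11:40:00Z","user":"carol","device":"LAPTOP-9","resource":"prod-admin","decision":"deny"}
{"ts":"2017-09-19T11:41:00Z","user":"carol","device":"LAPTOP-9","resource":"prod-admin","decision":"deny"}
{"ts":"2017-09-19T11:42:00Z","user":"carol","device":"LAPTOP-9","resource":"prod-admin","decision":"deny"}
"""

DENY_BURST = 3   # assumed threshold: this many denials for one (user, resource) is worth a look

Alert = Tuple[str, str, str, str]   # (rule, user, detail, timestamp)


def triage(log_text: str, known_devices: Dict[str, Iterable[str]] = None) -> Tuple[List[Alert], int]:
    """Return (alerts, suppressed_count).

    Rules: a user appearing on a device not in their known set, and a burst of
    denials on one resource. Everything else (Bob on his usual laptop reading
    the wiki) is counted as suppressed rather than sent to a human.
    """
    known: Dict[str, set] = defaultdict(set)
    for user, devices in (known_devices or {}).items():
        known[user].update(devices)
    denies: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[Alert] = []
    suppressed = 0

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, device, resource, decision = ev["user"], ev["device"], ev["resource"], ev["decision"]
        fired = False

        if device not in known[user]:
            alerts.append(("new_device", user, device, ev["ts"]))
            known[user].add(device)   # alert once, then treat the device as seen
            fired = True

        if decision == "deny":
            denies[(user, resource)] += 1
            if denies[(user, resource)] == DENY_BURST:   # fire exactly once per burst
                alerts.append(("repeated_deny", user, resource, ev["ts"]))
                fired = True

        if not fired:
            suppressed += 1

    return alerts, suppressed


if __name__ == "__main__":
    baseline = {"bob": ["LAPTOP-1"], "carol": ["LAPTOP-9"]}
    found, quiet = triage(SAMPLE_LOG, baseline)
    for a in found:
        print(a)
    print(f"{quiet} routine events suppressed")
```

With the device baseline supplied, eight events collapse to two alerts: Bob on an unknown device, and Carol's third denial on prod-admin. Without a baseline every first sighting of a device alerts, which is the noisy "learning mode" you want to get out of quickly.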
What’s up with SPIFFE? [Scytale.io]
It’s great to hear an update from the folks working on SPIFFE. If you haven’t come across it yet, it’s a fresh take on identity in the microservices world, where services need to authenticate to each other and communicate securely. I’m glad to see such strong momentum, and look forward to hearing more as the project progresses.
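For readers who want a feel for what a SPIFFE identity actually looks like, here is a small validator written for this newsletter; it is not code from the SPIFFE project. The character rules it enforces for `spiffe://<trust-domain>/<path>` (lowercase trust domain, no port or userinfo, no empty, "." or ".." path segments) and the "exactly one URI SAN" check reflect the SPIFFE ID and X.509-SVID format as I understand it, and are an assumption for the illustration; check the current specification before relying on them. The SAN list at the bottom is constructed.

```python
"""Validate SPIFFE IDs and match one against a certificate's URI SANs.

Added example for this newsletter; it is not code from the SPIFFE project.
The character rules enforced here follow the SPIFFE ID format as I understand
it (spiffe://<trust-domain>/<path>) and are an assumption for the illustration;
check the current specification before relying on them.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")   # lowercase only; port and userinfo rejected separately
_PATH_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


class InvalidSpiffeID(ValueError):
    pass


def parse_spiffe_id(spiffe_id: str) -> Tuple[str, str]:
    """Return (trust_domain, path) for a well-formed ID, else raise InvalidSpiffeID.

    The path may be empty (the ID then names the trust domain itself); when
    present it must be absolute, with no empty, "." or ".." segments.
    """
    try:
        parts = urlsplit(spiffe_id)
    except ValueError as exc:            # e.g. malformed IPv6 bracket syntax
        raise InvalidSpiffeID(str(exc)) from exc
    if parts.scheme != "spiffe":
        raise InvalidSpiffeID("scheme must be spiffe")
    if parts.query or parts.fragment:
        raise InvalidSpiffeID("query and fragment are not allowed")
    trust_domain = parts.netloc
    if "@" in trust_domain or ":" in trust_domain:
        raise InvalidSpiffeID("userinfo and port are not allowed")
    if not _TRUST_DOMAIN_RE.fullmatch(trust_domain):
        raise InvalidSpiffeID(f"bad trust domain {trust_domain!r}")
    path = parts.path
    if path:
        if not path.startswith("/"):
            raise InvalidSpiffeID("path must be absolute")
        for segment in path.split("/")[1:]:
            if segment in ("", ".", "..") or not _PATH_SEGMENT_RE.fullmatch(segment):
                raise InvalidSpiffeID(f"bad path segment {segment!r}")
    return trust_domain, path


def is_valid_spiffe_id(spiffe_id: str) -> bool:
    try:
        parse_spiffe_id(spiffe_id)
        return True
    except InvalidSpiffeID:
        return False


def svid_matches(expected_id: str, uri_sans: List[str]) -> bool:
    """True only if the cert carries exactly one URI SAN and it is the expected ID.

    An X.509 SVID identifies a workload by a single SPIFFE ID in its URI SAN;
    extra or malformed SANs are treated as a mismatch rather than ignored.
    """
    if len(uri_sans) != 1:
        return False
    try:
        return parse_spiffe_id(uri_sans[0]) == parse_spiffe_id(expected_id)
    except InvalidSpiffeID:
        return False


if __name__ == "__main__":
    # Constructed URI SAN list, as would be read from a presented leaf certificate.
    sans = ["spiffe://example.org/ns/default/sa/web"]
    print(parse_spiffe_id(sans[0]))
    print(svid_matches("spiffe://example.org/ns/default/sa/web", sans))
    print(is_valid_spiffe_id("spiffe://example.org/ns/../sa/web"))
```

The thing to take away is that the identity is a structured name, not a hostname or an IP: the verifying side compares a parsed (trust domain, path) pair, and anything that does not parse cleanly, or a certificate carrying more than one URI SAN, fails closed.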
BeyondCorpSF Drink Up
Thursday, Sep 28
5PM - 8PM
111 Minna Gallery
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT