I’ll resist doing a Halloween-themed newsletter because “spooky security” is exactly the type of FUD I try to avoid here. I couldn’t come up with anything more creative than the thousands of horror movie scripts based on Amazon Key, anyway. Yikes!
Instead, I want to expand on something I mentioned last week: the recent uptick in SSH keys being targeted by attackers. I wrote a post explaining our view at ScaleFT, which I think you’ll enjoy. In my mind, it comes down to the fact that our industry continues to recycle the same best practices over and over again, knowing full well that they will be misused. Protecting static credentials is an exercise in rigorous key management, which is incredibly challenging to get right. Too loose and you’re basically handing the keys to the kingdom to an attacker. Too tight and you have frustrated employees blocked from doing their work.
What if a better architecture similar to BeyondCorp could eliminate the threat vector entirely? That’s what we advocate for at ScaleFT, through a client certificate-backed PKI. Remove all trust from the network and from static credentials. Only issue an ephemeral credential after a request has been authenticated AND authorized based on the surrounding context – the user on a device at a point-in-time attempting to access a specific resource.
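To make the flow above concrete, here is an added illustration (not ScaleFT code or any product’s API) of a credential issuer that authenticates a request, authorizes it against the surrounding context, and only then mints a credential that is bound to the user, device and resource and expires within minutes. The users, devices, policy and CA secret are all constructed for the example, and an HMAC over the credential fields stands in for the CA signature on a client certificate so the example runs on the standard library alone.

```python
"""Context-gated issuance of an ephemeral access credential.

Added example, not code from the original post or from ScaleFT. Stand-ins:
the USERS table replaces a real identity provider / MFA step, and the HMAC
in _sign() replaces a CA signing a client or SSH certificate. Every user,
device, resource and the secret below are constructed for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

CA_SECRET = b"example-ca-secret-not-for-production"  # constructed
TTL_SECONDS = 300  # a credential lives five minutes, not forever

# Constructed directory: who exists, which devices are managed and healthy,
# and who is allowed to reach which resource.
USERS = {"alice": "correct-password-stand-in"}
MANAGED_DEVICES = {"laptop-42": {"disk_encrypted": True, "os_patched": True}}
ACCESS_POLICY = {"alice": {"prod-bastion"}}


@dataclass(frozen=True)
class Request:
    user: str
    password: str      # stand-in for whatever the IdP actually verifies
    device_id: str
    resource: str
    now: float         # request time (seconds), passed in to keep this testable


def authenticate(req: Request) -> bool:
    """Is this really the user? (stand-in for an IdP/MFA round trip)"""
    return USERS.get(req.user) == req.password


def authorize(req: Request) -> bool:
    """Context check: managed, healthy device AND user allowed on this resource."""
    posture = MANAGED_DEVICES.get(req.device_id)
    if posture is None or not all(posture.values()):
        return False  # unknown or unhealthy device: no credential, even for a valid user
    return req.resource in ACCESS_POLICY.get(req.user, set())


def _sign(fields: dict) -> str:
    """HMAC over the canonical field encoding; a CA signature in real life."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CA_SECRET, body, hashlib.sha256).hexdigest()


def issue_credential(req: Request):
    """Return a short-lived credential bound to user/device/resource, or None."""
    if not (authenticate(req) and authorize(req)):
        return None
    fields = {
        "user": req.user,
        "device": req.device_id,
        "resource": req.resource,
        "valid_after": req.now,
        "valid_before": req.now + TTL_SECONDS,
    }
    return {"fields": fields, "sig": _sign(fields)}


def verify_credential(cred: dict, resource: str, now: float) -> bool:
    """Resource-side check: signature, binding to this resource, validity window."""
    fields = cred["fields"]
    if not hmac.compare_digest(cred["sig"], _sign(fields)):
        return False  # tampered or forged
    if fields["resource"] != resource:
        return False  # issued for a different resource; not transferable
    return fields["valid_after"] <= now < fields["valid_before"]


if __name__ == "__main__":
    req = Request("alice", "correct-password-stand-in", "laptop-42", "prod-bastion", 1000.0)
    cred = issue_credential(req)
    print("issued:", cred is not None)
    print("valid now:", verify_credential(cred, "prod-bastion", 1010.0))
    print("valid after TTL:", verify_credential(cred, "prod-bastion", 1400.0))
```

The point the example makes is that nothing long-lived ever sits on the client: the same user with the same password gets nothing from an unmanaged device or for a resource outside the policy, and a credential that leaks stops working within minutes and cannot be replayed against another resource.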
Commercial interests aside, I do hope to see more folks in our industry come around to this type of thinking, where we advocate for better security outcomes through architecture design, not just through keeping up with so-called best practices. Only when security is built into our daily workflows will our overall posture improve.
Here are a few additional things that caught my eye this past week.
Preventing Credential Theft: A Security Checklist for Boards [Dark Reading]
This post drives home what I wrote about regarding static credentials. All of the advice in this article is spot on, and things everyone should of course be doing – that is, until you adopt a new architecture that eliminates the threat vector entirely! We should all be thinking about how to achieve the right future state versus the same old story.
10 steps to doing security from the inside out [TechBeacon]
Here’s a quick list of tips that would be great advice to follow while adopting a Zero Trust architecture. Google talks about designing BeyondCorp from the inside out as well, which is essentially focusing on the employees first and foremost. From here you have a better idea of what you are protecting, and how the security controls fit within day to day workflows. That mindset is the only way to achieve a security framework that works and is loved by the users.
Google to Ditch Public Key Pinning in Chrome [Threatpost]
Loosely related to the idea of eliminating static credentials, this move by Google echoes the point that it’s not about the security characteristics of the credential itself; it’s about how it is used in practice. Focusing purely on the crypto behind a security feature without considering its practicality can be counterproductive.
Best practice: Security operations automation before orchestration [CSO Online]
One thing I’ve been talking to folks about lately is finding the right first steps to get started down the Zero Trust path. If BeyondCorp is Mt. Everest, what’s basecamp? This article by Jon Oltsik focuses on automation, which is one angle. It does stand to reason that companies should first attempt to solve for specific tasks before orchestrating a full-blown environment.
Cloud-Native, Seven Years On… [TheNewStack]
A good retrospective on the state of cloud-native from the person who originally coined the term. There are numerous parallels to BeyondCorp and Zero Trust. I think it’s both about a similar architecture and the motivations behind redefining how systems and people operate.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT