It’s been an action-packed couple of weeks approaching the end of the year. After a busy AWS re:Invent in Las Vegas, I ventured to Austin last week to hang with the container crowd at KubeCon. As expected, it was a strong showing of open source community leaders. Unexpected, however, was the snow! I sponsored the first KubeCon with my previous company just a few years ago, and have watched the event grow from a couple hundred people in a room in SF to over 4,000 in a convention center in Austin. That’s the growth path I’m hopeful for with this community.
While there, the good folks who run the CloudAustin Meetup offered up the group for us to run a BeyondCorp-themed event for the KubeCon community. I gave a new version of my go-to BeyondCorp talk, placing more emphasis on what I refer to as the Adherence Gap – the ability to enforce a written policy in actual practice. It seems to me that most high profile breaches were caused by something that should have been prevented by policy: checking API keys into public GitHub repos, not revoking credentials when an employee leaves, or allowing privileged access from unpatched devices, to name a few. The common response in the industry is to blame the user for not adhering to the policy, but what if we could instead engineer a solution that automates the encouragement of good choices?
I believe that is one of the many things Google got right with BeyondCorp – building good security posture into the workflows of the user, encouraging people to do the right thing. A perfect marriage of people, process, and technology that led to a positive outcome. For a peek into the talk, here is a link to my slides.
https://www.slideshare.net/fortyfivan/beyondcorp-closing-the-adherence-gap
Here are a few additional things that caught my eye this past week.
NIST Releases New Cybersecurity Framework Draft [DarkReading]
The National Institute of Standards and Technology has released another draft of their security guidelines originally crafted in 2014. Interestingly enough, the CyberSecurity Lead of the framework mentioned adherence as a common topic that comes up in practice.
Killing “Chicken Little”: Measure and eliminate risk through forecasting. [Medium]
Another excellent piece from Ryan McGeehan aka Magoo, this time tackling the topic of risk forecasting. I often speak about BeyondCorp as a way to make smarter trust decisions in real time, but rarely do I think about it in terms of forecasting as this article covers.
Searching for the perimeter in cloud security: From microservices to chaos [ZDNet]
Take the time to read this whole article. An incredibly well written piece on software architectures, with a reference to everyone’s favorite geometry-based thriller, Flatland. Scott Fulton speaks to the changing perimeter that has spawned modern security architectures such as BeyondCorp.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT