I’m back from last week’s road show, where I was fortunate to meet & mingle with the local communities of Boston and New York. I’m back at it next week in Austin, which will close out this portion of our BeyondCorp road show. I’ll dedicate a newsletter issue to all the meaningful conversations I’ve had visiting a few local communities once I have time to digest. For this week, I want to cover the panel discussion we held in San Francisco a couple weeks ago featuring Marc Rogers from CloudFlare, Patrick Albert from AppDynamics, and Ryan Seekely from Quid. Many thanks to Heavybit for posting the recording on YouTube. Have a watch!
The goal of the panel was to hear what a few expert practitioners think about BeyondCorp, and how it applies to their day-to-day jobs. At the end of the day, the most important outcome for our BeyondCorp community efforts is to extract value from BeyondCorp beyond the context of Google alone, so that everyone can be successful within their own organizations. From the lively conversation on stage, here are a few key takeaways in that spirit.
BeyondCorp is true defense-in-depth
The headline is clear – nobody likes VPNs. Aside from the poor user experience and painful configuration, they force an eggshell approach to security: a hard perimeter around a soft interior. With BeyondCorp, security is no longer a binary decision based on network presence alone; we can incorporate granular access controls from the perspective of the endpoints and assets themselves. This allows us to enforce true defense-in-depth beyond simply bolstering the perimeter.
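To make the contrast concrete, here is an added toy example (not code from the panelists, ScaleFT or Google) of an access-proxy decision that replaces the network-presence check with a per-request evaluation of user identity, device posture and resource sensitivity, recording an audit entry for every decision. The device inventory, resource tiers and the 30-day patch-age threshold are constructed assumptions for illustration.

```python
# Constructed device inventory: the posture facts a BeyondCorp access proxy
# consults per request (in practice sourced from a device inventory service).
DEVICE_INVENTORY = {
    "laptop-42": {"owner": "alice", "managed": True, "disk_encrypted": True, "patch_age_days": 3},
    "laptop-77": {"owner": "bob", "managed": True, "disk_encrypted": True, "patch_age_days": 45},
    "byod-01": {"owner": "carol", "managed": False, "disk_encrypted": False, "patch_age_days": 0},
}

# Each resource declares the minimum device trust tier it accepts (assumed values).
RESOURCE_MIN_TIER = {"wiki": "low", "ssh-prod": "high", "billing-db": "high"}
TIER_RANK = {"untrusted": 0, "low": 1, "high": 2}
MAX_PATCH_AGE_DAYS = 30  # assumed threshold for what counts as an up-to-date device


def device_trust_tier(device):
    """Derive a trust tier from device posture; network location plays no part."""
    if not device["managed"] or not device["disk_encrypted"]:
        return "untrusted"
    if device["patch_age_days"] > MAX_PATCH_AGE_DAYS:
        return "low"  # managed but stale: fine for the wiki, not for production
    return "high"


def perimeter_decision(on_corp_network):
    """The VPN model: being inside the network is the whole access decision."""
    return on_corp_network


def beyondcorp_decision(user, device_id, resource, audit_log):
    """Per-request decision from user identity + device posture + resource tier.

    Every decision, allowed or denied, is appended to audit_log with its reason,
    which is what makes this model auditable rather than implicit.
    """
    device = DEVICE_INVENTORY.get(device_id)
    if device is None:
        allowed, reason = False, "unknown device"
    elif device["owner"] != user:
        allowed, reason = False, "device not bound to this user"
    else:
        tier = device_trust_tier(device)
        needed = RESOURCE_MIN_TIER.get(resource, "high")  # unknown resources: strict
        allowed = TIER_RANK[tier] >= TIER_RANK[needed]
        reason = f"device tier {tier}, resource needs {needed}"
    audit_log.append({"user": user, "device": device_id, "resource": resource,
                      "allowed": allowed, "reason": reason})
    return allowed
```

Note that a stale managed laptop still reaches the wiki but not production SSH, and an unknown or unmanaged device is refused everywhere regardless of which network it connects from.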
The architecture lets security (finally) become an enabler
Security and speed have traditionally been in conflict, with security often perceived as a blocker to productivity. The desire for security to be a business enabler has been there for some time, but only now is the architecture catching up to where it’s possible. For newer, cloud-native companies like Quid, BeyondCorp is second nature, but what about larger companies? Thankfully the past decade of cloud evolution and migrations has done much of the legwork for enterprises to adopt BeyondCorp as their core security architecture.
Get to base camp first (but BeyondCorp isn’t necessarily the summit)
I often refer to the first step on the BeyondCorp path as “base camp”. That could mean different things to different people based on priorities and desired outcomes. For some, like Ryan at Quid, it starts with a use case like SSH access (ScaleFT plug). For others, like Patrick at AppDynamics, it starts with a learning exercise like gaining visibility into endpoints and networks. Where things get interesting is looking beyond BeyondCorp (no pun intended). The ability to identify behavioral patterns enables more proactive security controls, as opposed to purely reactive ones. BeyondCorp does provide the foundation to do so, but there’s more to build.
Security as a SaaS is inevitable (and welcome)
Traditional security is painful and expensive because we end up having to buy a bunch of appliances that will be out-of-date soon after being installed (if they even make it that far). The BeyondCorp architecture allows companies of all kinds to build robust security without breaking the bank. The key is the delivery model, and SaaS makes security easy to consume and adopt. For smaller companies like Quid, SaaS is really the only option. Larger companies will need to get past the stigma of using services for security, but it’s only a matter of time if we look at how cloud adoption has grown. One thing to mention for the vendors – don’t just make it easy to consume the product, make it easy to buy. Things like charging extra for features like 2FA are really a security anti-pattern, and don’t lead to a friendly buying experience.
BeyondCorp makes compliance easier to audit (but the checklist needs a refresh)
Here’s your regular reminder that compliance does not equate to security. My past few presentations at BeyondCorp Meetups have been about what I refer to as the Adherence Gap – a written policy that isn’t enforceable in practice. Again, what makes BeyondCorp stand out in this regard is how the architecture itself enables better security by design, built into the underlying workflows. It will take some time, however, for the auditors to catch up, as most compliance controls follow traditional models (that don’t always work). The good news is that the security benefits that follow with BeyondCorp – up-to-date devices, eliminating static credentials, audited access logs, etc. – are met, which is what true practitioners care about most.
The panel uncovered a ton of gold, and I hope to continue the conversation throughout the community. As always, if you’d like to participate in any of our events, wish to share your own experiences, or have questions about BeyondCorp in practice, don’t hesitate to reach out to me directly.
With that extra long intro, I will forgo the usual list of articles and additional commentary, and note that I’ll be making a guest appearance at tonight’s Bay Area Cyber Security Meetup, hosted at CloudFlare HQ.
BeyondCorpATX
Feb 28th
Uncle Julio’s
5-8 PM
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT