Articles and stories about BeyondCorp from the ScaleFT team

BeyondCorp Weekly 9

Ivan Dwyer - February 28, 2017



To say that last week was an eventful one in the InfoSec world would be quite the understatement. I mean, who could have thought that a verified SHA-1 collision would be the second biggest news item of the day? Without getting too into it (and assuming I don’t need to tell you what happened with CloudFlare), building software at web scale is hard. Troy Hunt said it best in his article, Pragmatic thoughts on #CloudBleed - “Even the best has bugs and whilst we should continue striving to improve it, we’ve also come to expect that it will occasionally go wrong in spectacular fashion.” Even so, operating as a MitM over as much traffic as they serve comes with a certain responsibility, and CloudFlare has to accept that responsibility and own the consequences when things do go wrong.

Another top story of the week involved Waymo, the self-driving car unit of Google, which filed a lawsuit against Otto and Uber, alleging that thousands of company documents were stolen. What will be interesting to watch from a BeyondCorp perspective is how much they really know about what was taken, and whether their system was gamed illegally. Depending on the outcome, this lawsuit could be the first case where BeyondCorp in practice has a meaningful impact. I’ll be watching closely.

Here are a few other things that caught my attention this past week.


MITM-as-a-Service: The Threat Surface We Didn’t Know We Had [ShackF00]

Dave Shackleford points out a big-picture by-product of the CloudFlare incident – how much trust are we willing to place in external services when it comes to sensitive data and mission-critical systems? While one can easily look to CloudBleed as justification to never trust a third-party CDN, the alternative means significantly more time and money invested, without any real assurances that you’ll be better off. As always, the build vs buy decision must weigh the risks and the reward.

IaaS: The Next Chapter In Cloud Security [DarkReading]

As cloud becomes more common in the enterprise, Kaushik Narayan points out the differences between SaaS and IaaS with regard to security. IaaS has a larger attack surface than SaaS, with privilege to more sensitive resources. The shared responsibility principles implemented across the major IaaS providers mean organizations need to incorporate policies to manage and track privileged access properly.

Health Organizations Spending Big on Cybersecurity [InfoSecurity Magazine]

Security considerations in the cloud affect some verticals more than others. With strict rules around personal data and connected devices, the healthcare industry will need to invest heavily in security solutions. However, simply investing for the sake of compliance is no longer enough – companies need to take a close look at their overall architecture to find the stress and pain points, much like Google did with BeyondCorp.

BeyondCorp brings software-defined network security to Google [TechTarget]

Another pickup from the RSA Conference session by Rory Ward and Heather Adkins, but can we please not call BeyondCorp software-defined networking, nor compare it to the software-defined perimeter standard? I think that completely misses the point, as SDN/P only really speak to micro-segmentation, which at the end of the day is still segmentation. This goes against the core principles of BeyondCorp, where access is granted based on the user and connecting device, not the network.

Incident management at Google — adventures in SRE-land [Google Cloud Platform Blog]

Even if it’s not your job, I highly recommend reading the Google book - Site Reliability Engineering. The first-hand stories give you a real taste of what it’s like to operate at Google scale, and give hints as to why a security framework like BeyondCorp was needed to manage access to internal resources. This post gives a taste of what to expect across the entire book.


Upcoming Events

We’re in Austin this week, kicking off the inaugural BeyondCorpATX Meetup. For those in the area, come by on Thursday for some drinks.

BeyondCorpATX Happy Hour
Thursday Mar 2nd
5:00 PM - 8:00 PM
The Ginger Man
301 Lavaca St
Austin, TX 78701


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
