BeyondCorp principles and the modern architectures they power have come of age. We’ve seen more attention and adoption in the last 3 months than in the previous 9 combined. Thank you to everyone who has contributed to the movement and our community so far. We are delighted to announce a fresh slate of BeyondCorp meetups in San Francisco, Seattle, Boston, New York, and Austin. With these groups, we’re kicking off the BeyondCorp Road Show of 2018.
I hope you’ve noticed as much as I have how much the awareness of and interest in BeyondCorp have skyrocketed in just the past few months. Every day I hear something new from an enterprise starting an internal initiative, an industry journalist with a fresh take, or a practitioner finding a gotcha in one of the research papers. Much different story than a year ago when I first started advocating for BeyondCorp, when many were skeptical it would become a thing outside of Google.
I will forgo my usual commentary this week to highlight a couple of upcoming events that should be of interest to readers of this newsletter. First, I’m honored to be a guest speaker at the upcoming Portland ISSA meeting next Wednesday, Nov 15th. I will be speaking about BeyondCorp, and how other companies can achieve a similar outcome to Google’s with minimal effort. The more I speak and write about the subject, the more I realize what is most valuable to people is finding the right first steps to take.
I’ll resist doing a Halloween-themed newsletter because “spooky security” is exactly the type of FUD I try to avoid here. I couldn’t come up with anything more creative than the thousands of horror movie scripts based on Amazon Key, anyway. Yikes! Instead, I want to expand on something I mentioned last week – the recent uptick in SSH Keys being targeted by attackers. I wrote a post explaining our view at ScaleFT, which I think you’ll enjoy.
If you’re like me, you look back on your college years fondly. I had the time of my life, stumbled on a burgeoning tech industry, and formed my circle of friends for life. The news of this past week took a different view, as leaked audio of Facebook’s security chief, Alex Stamos, compared their corporate network to that of a college campus. The media jumped on this fast, and people flipped.
I had hoped to write about something that’s been on my mind lately, but then KRACK happened. Thankfully, my take on the matter was boiled down nicely into a single Tweet from everyone’s favorite InfoSec parody account, which means I can write about what’s on my mind. Thanks Tay! Now if you follow this newsletter, then you know that I often talk about the importance of access policies. It’s my belief that getting policies right is the hardest part of any security framework, with no real standards or specifications to follow.
A couple weeks ago, I shared a podcast interview with ScaleFT co-founder and CTO, Paul Querna, where he discussed the importance of putting forth a good user experience when implementing security controls across an organization. In a strikingly similar spirit, Google released their fifth BeyondCorp paper last week, this time focusing on the user experience of the employees using the system. Readers of this newsletter know how much I focus on the human element of any enterprise security framework, and I’m pleased to see Google continue their series with a dedicated paper on the subject.
a·nach·ro·nis·tic /əˌnakrəˈnistik/
Adjective
belonging to a period other than that being portrayed. “‘Titus’ benefits from the effective use of anachronistic elements like cars and loudspeakers”
belonging or appropriate to an earlier period, especially so as to seem conspicuously old-fashioned. “she is rebelling against the anachronistic morality of her parents”
If you’re wondering why I am starting this week’s newsletter with the dictionary definition of an obscure word, it’s because said obscure word was spoken onstage at TechCrunch Disrupt by Google’s Information Security Manager, Heather Adkins.
Another week gone by with the news dominated by the Equifax breach. There’s no reason for me to be yet another talking head on the subject, so moving right along – ScaleFT CTO and co-founder, Paul Querna, did a podcast interview with Derrick Harris of ARCHITECHT that was published yesterday. It’s definitely worth a listen as it speaks to the origins of BeyondCorp, and the parallels with the founding of ScaleFT.
While 200% of most everyone’s attention was consumed by the Equifax debacle, I was fortunate enough to speak about BeyondCorp at the Bay Area Cyber Security Meetup event last Thursday, hosted at Yelp’s headquarters in SF. You can view the slides here. As I often do when giving talks on the subject, I polled the audience at the beginning to ask how many people had heard of BeyondCorp before. I usually get a mixed response, but this time everyone’s hand went up.