The ROI of security is a complicated topic given all the factors, intangibles, and pure randomness that go along with it. On one side you often have executives who treat security costs as purely insurance, and on another side you often have vendors who make up fictional scenarios to sell products. No matter how you spin it, it’s a challenge to find a meaningful outcome. In this article, Robert Graham argues that ROI should be calculated as risk analysis more so than anything else.
Yesterday was rather monumental, with the solar eclipse captivating most everyone’s attention throughout the day (while severely lowering productivity across the workforce). As a San Francisco resident, my view was primarily that of Karl the Fog, which means I managed to get a lot done without distraction. I hope you had a better view of the spectacle… with the proper protective eyewear, of course. Despite the incessant warnings, however, plenty of folks still made the mistake of staring right into the sun (I won’t say who).
For those who have been following my blog series on How to Go Zero Trust, I’m pleased to announce that I’ve published the fifth and final piece - Migrating Resources Behind an Access Fabric. As you know from prior newsletters, we recently introduced the term Access Fabric at ScaleFT to represent the globally distributed processing engine that backs our Zero Trust platform. With access controls in place that are capable of performing real-time authentication, authorization, and encryption, the logical next step is to start migrating resources over to this new environment.
If you happened to see me or any other ScaleFT folks at Black Hat, you may have noticed our clever “No VPN” t-shirts. Partially an homage to the outcome of Google’s BeyondCorp, and partially meant to spark a reaction in a slightly controversial manner - which it did. I had some funny encounters, but the most common reaction to our t-shirts was, “hey, I thought VPNs were good?!” This is where I would enter clarification mode and reply, “we’re talking about corporate VPNs.
Last week I descended on the city of Las Vegas like so many of my peers for the Black Hat conference. It was my first time attending, and I’d love to tell you I experienced all it had to offer and more, but I was strictly relegated to our 6’ x 6’ booth in the upstairs Innovation City. I only managed to catch the main expo hall roughly 15 minutes before closing time on a last-minute swag run.
I’ve kept this newsletter relatively vendor neutral so as not to interfere with the broader message, but last week was a big one for us at ScaleFT, so I wanted to take a quick moment to point out what we’ve been working on as it relates to BeyondCorp. It’s been our goal to help companies achieve a BeyondCorp-inspired architecture of their own, and the release of our Access Fabric is an important step in that direction.
For those who have been following my blog series on how to go Zero Trust, I published part 3, which gets into creating the right access policy framework for your company. If you missed the prior posts, here is part 1 that covers the primary benefits, and part 2 that talks about the data you should be collecting ahead of time. Now if you’ve read any of the BeyondCorp research papers from Google, you’ll know that one of the biggest challenges they faced was formulating the right access policy framework that covered their range of employees, company resources and communication protocols.
As the 4th of July holiday hit this time last week, I opted out of sending a newsletter. I’m back in action today with another set of relevant articles to share. As mentioned in the prior issue, I’m in the midst of writing a blog series covering the steps a company should take on the path to their own Zero Trust architecture similar to Google’s BeyondCorp. The first post highlighted a few of the key benefits one takes away from going through this type of security transformation - How to Go Zero Trust: Part 1 - Why the Architecture Matters.
Shortly after sending out last week’s newsletter, Google published a blog post announcing the fourth research paper in the BeyondCorp series titled Migrating to BeyondCorp: Maintaining Productivity While Improving Security. As the title suggests, this paper covers the details of their rollout process - which is fascinating to say the least. At their level of scale, they went to great lengths to ensure there were no gaps in security, nor would the project hinder productivity.
It’s an exciting week for this newsletter because, after much anticipation, the O’Reilly book - Zero Trust Networks: Building Secure Systems in Untrusted Networks is now available. Written by two former engineers at PagerDuty, the book dives deep into practical advice for companies looking to adopt their own Zero Trust security architecture. As proponents of the model, we are excited to see the book hit the streets. ScaleFT is also pleased to be the exclusive provider of a free excerpt of the book.