This past week, SF was dominated by the RSA Conference, where thousands of security professionals were met by hundreds of vendors. As mentioned in last week’s newsletter, I chose to spend most of my time at a nearby Google Cloud event, which was more focused and personal than anything found at the main conference. I wrote up a quick blog post about the event, highlighting the Identity & Access panel that took place with members of ScaleFT, Duo, Okta, and Ping.
While that was happening, two of the original architects of BeyondCorp within Google, Heather Adkins and Rory Ward, gave a fantastic presentation on the main stage at RSA walking through the history, migration path, and implementation details of the seven-year project. I highly recommend browsing through the slide deck here [PDF]. There has been a positive reaction from the community, and the session was picked up by CSO Online and Threatpost.
Here are a few additional things that caught my attention this past week.
After data breaches, Verizon knocks $350M off Yahoo sale, now valued at $4.48B [TechCrunch]
Putting a price on security is hard… they said. The breaches at Yahoo get more cringeworthy with every new story, but now we’re seeing a hard monetary impact. A company’s security practices have as much to do with risk assessment as they do with data protection, and putting an actual dollar figure on it makes it real – which is good for anyone trying to promote security to management.
Introducing Netflix Stethoscope [Netflix Tech Blog]
The Netflix engineering team continues to open source internal projects to the community. What’s interesting about Stethoscope is that it really gets at the “why” behind an auth decision, with an emphasis on putting forth a good user experience that encourages better security practices. Great work as always.
using yubikeys everywhere [tedunangst]
Speaking of user experience, this post (and the accompanying HN thread) shows how far we still have to go to deliver secure auth solutions that fit within the average user’s workflows. No easy task, given how differently services implement it across a wide range of workflows.
The conflict between data science and cybersecurity [Information Management]
An interesting look at how big data analytics goes against the security principle of granting least-privilege access. What this article misses, however, is distinguishing between data coming in and data coming out. Stakeholders only really need to see outcomes, so maybe there isn’t as much of an issue as long as role-based access controls are implemented throughout the data extraction and transformation phases.
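To make the “data in vs. data out” distinction concrete, here is an added example (my own illustration, not code from the article or from any real analytics platform) of a tiny three-stage pipeline where each stage is gated by role. The roles, stage names and sample records are all hypothetical and constructed for the example; the point is that only the extraction role ever touches raw rows with identifiers, the transform stage strips those identifiers, and a stakeholder can read the aggregated outcome but cannot call the earlier stages at all.

```python
from collections import defaultdict

# Constructed sample of raw records (hypothetical). Each row carries a direct
# identifier (email) that nobody consuming the outcome needs to see.
RAW_EVENTS = [
    {"user_id": "u-1001", "email": "a@example.com", "region": "us-west", "spend": 120.0},
    {"user_id": "u-1002", "email": "b@example.com", "region": "us-west", "spend": 80.0},
    {"user_id": "u-1003", "email": "c@example.com", "region": "eu-central", "spend": 200.0},
]

# Hypothetical role -> permitted pipeline stages. Only the extraction role may
# read raw rows; stakeholders are limited to the finished report.
ROLE_STAGES = {
    "data_engineer": {"extract", "transform", "report"},
    "data_scientist": {"transform", "report"},
    "stakeholder": {"report"},
}


class AccessDenied(PermissionError):
    """Raised when a role tries to touch a stage it is not granted."""


def can_access(role, stage):
    return stage in ROLE_STAGES.get(role, set())


def require(role, stage):
    if not can_access(role, stage):
        raise AccessDenied(f"role {role!r} may not access stage {stage!r}")


def extract(role):
    """Pull raw records. This is the only place identifiers are visible."""
    require(role, "extract")
    return [dict(r) for r in RAW_EVENTS]


def transform(role, rows):
    """Drop direct identifiers before rows move on; keep only analytic fields."""
    require(role, "transform")
    return [{"region": r["region"], "spend": r["spend"]} for r in rows]


def report(role, rows):
    """Aggregate to the outcome a stakeholder actually needs."""
    require(role, "report")
    totals = defaultdict(float)
    for r in rows:
        totals[r["region"]] += r["spend"]
    return dict(totals)


def run_pipeline(role):
    """Run all three stages under one role; fails at the first stage the role lacks."""
    rows = extract(role)
    rows = transform(role, rows)
    return report(role, rows)


def view_outcome(role, outcome):
    """Stakeholders consume the outcome only; they never hold raw rows."""
    require(role, "report")
    return outcome


if __name__ == "__main__":
    outcome = run_pipeline("data_engineer")
    print(view_outcome("stakeholder", outcome))
    print("stakeholder can extract raw rows:", can_access("stakeholder", "extract"))
```

In a real deployment the stage checks would be enforced by the data platform or warehouse (row/column-level grants, separate service identities per stage) rather than by an in-process dictionary, but the shape is the same: raw access is scoped to the extraction identity, and everything downstream of the transform is already minimized.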
IBM Data Science Experience: Whole-Cluster Privilege Escalation Disclosure [wycd]
Yet another example of static credentials being openly exposed. Luckily this was caught without any impact, but it points to the continued trend of basic security measures being overlooked in the container era. The technologies themselves are certainly improving, however dev and ops need constant education and reminders to remain safe.
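As a practical check for the “static credentials baked into containers” pattern, here is an added example (my own, not from the disclosure above or from any IBM code) of a small scanner that walks Dockerfile lines and flags `ENV`/`ARG` assignments that put a literal secret into the image. The sample Dockerfile is constructed for the example, and the name patterns and “acceptable” forms (a `${VAR}` reference, a `/run/secrets/` path, or a `*_FILE` indirection) are my assumptions about what a team would treat as the corrected pattern, not a standard.

```python
import re

# Constructed sample Dockerfile (hypothetical). Lines 2 and 3 bake credentials
# into the image; line 4 shows the corrected pattern of pointing at a mounted
# secret file; line 5 declares a build arg without a default.
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
ENV DB_PASSWORD=hunter2
ENV API_TOKEN="abc123def456"
ENV DB_PASSWORD_FILE=/run/secrets/db_password
ARG BUILD_TOKEN
ENV APP_ENV=production
RUN pip install -r requirements.txt
"""

# Variable names that usually carry a credential (assumed list; extend for your org).
SENSITIVE_NAME = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)", re.I
)

# Matches "ENV KEY=value", "ENV KEY value" and "ARG KEY=default".
ASSIGN = re.compile(r"^\s*(?:ENV|ARG)\s+([A-Za-z_][A-Za-z0-9_]*)(?:=|\s+)(.*)$")

# Values that are references rather than literals: "$VAR", "${VAR}", or a
# secret mounted at runtime under /run/secrets/.
INDIRECT_VALUE = re.compile(r"^\$\{?[A-Za-z_]|^/run/secrets/")


def find_static_credentials(text):
    """Return (line_number, variable_name) for each literal credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name = m.group(1)
        value = m.group(2).strip().strip("\"'")
        if not SENSITIVE_NAME.search(name):
            continue
        # *_FILE indirection, empty value, or a reference to something
        # supplied at runtime are the patterns we want teams to use instead.
        if name.upper().endswith("_FILE") or not value or INDIRECT_VALUE.match(value):
            continue
        findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in find_static_credentials(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: literal credential in {name}")
```

Run against the sample it reports lines 2 and 3 only. The check is deliberately shallow (it does not catch secrets copied in via `COPY` or written by a `RUN` step), but it is cheap enough to run in CI on every image build, which is exactly the kind of constant reminder the commentary above is asking for.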
We’re expanding our Meetup presence to Austin, where we expect to find another vibrant local community of security professionals interested in BeyondCorp. If you’re in the area, come by next week. I’m told this bar is fantastic!
BeyondCorpATX Happy Hour
Thursday Mar 2nd
5:00 PM - 8:00 PM
The Ginger Man
301 Lavaca St
Austin, TX 78701
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT