Articles and stories about BeyondCorp from the ScaleFT team

BeyondCorp Weekly 12

Ivan Dwyer - March 21, 2017



The video from last week’s BeyondCorpSF Meetup is still in post-production, so it’ll be in next week’s newsletter. Until then, I wanted to take a brief moment to share a thought on the community. It was only a few months ago that BeyondCorp was barely known outside of Google as a couple of research papers. Now it’s capturing the attention of IT & Security professionals from all sorts of organizations across the globe. While it’s still early days, I’ve been pleased to see the community grow at such a rapid pace, and have enjoyed the great conversations I’ve had with folks every day who are interested in taking the architecture and principles of BeyondCorp into their own initiatives. I’d love to hear from more of you, so tell me what you’re up to. Hopefully I can help!

Here are a few things that caught my eye this past week.


US-CERT Warns of Security Impact of SSL Interception [On the Wire]

DHS issued a warning related to MitM appliances, stating that they often don’t verify the certificate chain when forwarding traffic over HTTPS, meaning that the client can’t fully trust the connection. This is an important warning because a key component of BeyondCorp is the Access Proxy, which is a reverse proxy that acts as a man-in-the-middle for all traffic. If implementing a similar product in your network, verify the certificate chain and inspect the traffic to prevent any weaknesses in the connections.

Introducing Threat Operations: Accelerating the Human [Securosis Blog]

A fantastic post on the human aspect of security operations – the second in a series, which are always top notch from the folks at Securosis. In this post, Mike Rothman explains the importance of monitoring and alerting with automated systems, and ensuring that people can quickly understand the context to make educated decisions.

The Industrial Revolution of Application Security [Medium]

At the risk of sounding buzzword-y, I would say that we’re in the midst of a security transformation in terms of network design and access management, much like the digital transformation taking place with regards to applications and infrastructure. In this post, Mike Kail comes to a similar conclusion about application security, pointing out that security needs to be ingrained in the software development lifecycle.

Stronger authentication and a great customer experience can coexist [SC Magazine]

I couldn’t agree more with the headline here, but there’s more to it than simply telling people to use multi-factor auth. A key reason BeyondCorp was successful within Google was that they looked at it through the lens of the end users, and designed workflows that fit. This means being smart about decision making, and using additional factors when appropriate.

Three Pillars of a Successful Security Strategy [Security Solutions Review]

The title may sound a bit fluffy, but this article is right to point out that security impacts the people, processes, and technology within an organization. Written from the perspective of risk & compliance, the items tend to fit the traditional models, but they cover all the elements to consider.


Upcoming Events

InfoSec Southwest
Apr 7 - 9
Austin, TX

Rocky Mountain InfoSec Conference
May 9 - 11
Denver, CO


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
