BeyondCorp Weekly 17

Ivan Dwyer - April 25, 2017



One of the guiding principles of BeyondCorp is that access decisions are made based on dynamic user and device conditions rather than on traditional network location. Within Google, the Trust Inferer system continuously collects employee device data, which is then processed to determine each device's Trust Tier. Through configurable Access Policies, each resource is assigned a minimum Trust Tier based on the sensitivity of its data. To be granted access to a resource, the device's Trust Tier must meet or exceed that of the resource.

In its continued effort to disclose its internal security practices, Google has released another document detailing its methodology around Trust Tiers as they relate to device and access management. The eBook can be read here: Mobility best practice - Tiered Access at Google. I highly recommend reading it, as there are some strong recommendations for how to implement tiered access.

One of the most common questions I get around BeyondCorp is what the policies should look like. There's no easy answer, as there are no standards, and every company will have different opinions. What I like about Google's approach is that the Tiers provide a simple framework for granular access while accommodating further fine-grained rules. I think it's best to start simple like Google has – untrusted, basic, privileged, and highly privileged – or some variation of that. With a policy format that makes sense, you can move on to the access decision making, which involves authorizing requests against the policies themselves.
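To make the tier model concrete, here is an added example (mine, not code from the post, from Google, or from ScaleFT) of the two halves described above: inferring a device's tier from its observed state, then authorizing a request against a resource's minimum tier plus one fine-grained rule. The tier names follow the four the post lists; the device attributes, thresholds and the "unknown is untrusted" rule are my own assumptions for illustration, not Google's actual policy.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set, Tuple

# Hypothetical tier ladder modelled on the four tiers named in the post.
# IntEnum gives the ordering that tiered access depends on: higher = more trusted.
class Tier(IntEnum):
    UNTRUSTED = 0
    BASIC = 1
    PRIVILEGED = 2
    HIGHLY_PRIVILEGED = 3

@dataclass
class DeviceState:
    """Constructed device inventory record (stand-in for what a Trust Inferer collects)."""
    device_id: str
    managed: bool = False                    # enrolled in device management
    disk_encrypted: bool = False
    screen_lock: bool = False
    os_patch_age_days: Optional[int] = None  # None = no inventory data for this device
    last_seen_days: Optional[int] = None     # days since inventory last reported it

def infer_tier(dev: Optional[DeviceState]) -> Tier:
    """Derive a device's trust tier from its current observed state.
    Missing or stale data never raises a tier: an unknown device is untrusted."""
    if dev is None or dev.os_patch_age_days is None or dev.last_seen_days is None:
        return Tier.UNTRUSTED
    if not dev.managed or dev.last_seen_days > 30:
        return Tier.UNTRUSTED
    if not (dev.disk_encrypted and dev.screen_lock):
        return Tier.BASIC
    if dev.os_patch_age_days > 30:          # badly out of date: capped at basic
        return Tier.BASIC
    if dev.os_patch_age_days > 7:           # slightly behind: not highly privileged
        return Tier.PRIVILEGED
    return Tier.HIGHLY_PRIVILEGED

@dataclass
class AccessPolicy:
    """Per-resource policy: a minimum tier plus an optional fine-grained rule."""
    min_tier: Tier
    allowed_groups: Set[str] = field(default_factory=set)  # empty = any authenticated user

def authorize(dev: Optional[DeviceState], user_groups: Set[str],
              policy: AccessPolicy) -> Tuple[bool, str]:
    """Tier check first, then the finer-grained group rule; returns (decision, reason)."""
    tier = infer_tier(dev)
    if tier < policy.min_tier:
        return False, f"device tier {tier.name} below required {policy.min_tier.name}"
    if policy.allowed_groups and not (user_groups & policy.allowed_groups):
        return False, "user not in an allowed group for this resource"
    return True, f"device tier {tier.name} meets {policy.min_tier.name}"

if __name__ == "__main__":
    # Constructed sample devices and policies.
    laptop = DeviceState("lt-01", managed=True, disk_encrypted=True, screen_lock=True,
                         os_patch_age_days=2, last_seen_days=0)
    byod = DeviceState("ph-07", managed=False, os_patch_age_days=1, last_seen_days=0)
    source_repo = AccessPolicy(Tier.PRIVILEGED, {"eng"})
    wiki = AccessPolicy(Tier.BASIC)
    for dev in (laptop, byod, None):
        for name, pol in (("source_repo", source_repo), ("wiki", wiki)):
            print(getattr(dev, "device_id", "unknown"), name, authorize(dev, {"eng"}, pol))
```

The reason string is worth keeping in a real system: it is what ends up in the access log and what tells an employee why a request was denied (and what to fix on their device).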

Here are a few additional things that caught my eye this past week.


Machine Learning in Security: 4 Factors to Consider [DarkReading]

This article is focused on predicting attacks, but when I talk about ML in the context of BeyondCorp, I do so in terms of authorization decision making. What if access policies could adapt based on historical context, and either introduce or remove factors during the auth workflow? There’s potential, but also danger in that, so tread carefully.

Multi-Cloud Key Management: Selection and Migration [Securosis Blog]

The good folks at Securosis are back with another series of high-quality posts, this time taking on the complexities of managing keys across clouds. The second post here is focused on how to Bring Your Own Keys. Often driven by compliance, there are setup and integration considerations to work within each cloud's environment, which differ from vendor to vendor. My POV is to avoid 'lift and shift' scenarios when possible, and focus on working with the native cloud primitives.

On-Prem versus SaaS Information Security Compliance [Gravitational Blog]

Every SaaS vendor faces the on-prem decision at some point, influenced by the dollars a big company may be willing to pay. Despite the rapid rise of the cloud, many companies are still hesitant, especially when it comes to compliance and sensitive customer data. Oftentimes the sweet spot can be a Dedicated or Private SaaS, where the vendor manages a single-tenant environment within the customer's own cloud account. The folks at Gravitational walk through the considerations in the context of the Vendor Security Alliance questionnaire.

Google Patches Unicode Domain Phishing Bug in Chrome [On the Wire]

This one was downright scary because of how nearly impossible it is to spot. In case you missed it, a previously known attack resurfaced: it was shown that URLs could be spoofed using Unicode characters, so that the browser would display 'apple.com' when the domain is really 'xn--pple-43d.com' (the Punycode form of a name whose first letter is a Cyrillic 'а', not a Latin 'a'). You can even acquire a valid SSL cert for such a domain to make it look trusted. It's been on the radar for some time now, but the recent attention forced Google to act fast.
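Since the lookalike is invisible in a rendered address bar, the practical defence is to check names before they are rendered. Below is an added example of mine (not code from the article or from Google) that decodes the Punycode form with Python's standard-library `idna` codec, flags labels that mix scripts, and compares a constructed confusable "skeleton" against an allowlist of domains you care about. The confusable table is a small hand-picked subset of Cyrillic and Greek lookalikes, not the full Unicode TR39 data, and the allowlist is constructed for the demo.

```python
import unicodedata
from typing import List, Set, Tuple

# Constructed subset of Unicode confusables: Cyrillic/Greek letters that render
# like Latin ones in most fonts. A real deployment would load the TR39 table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}

def to_unicode_host(host: str) -> str:
    """Decode an ACE (xn--) hostname to its Unicode form. Plain ASCII passes through
    unchanged; an already-Unicode host is returned as-is."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return host

def label_scripts(label: str) -> Set[str]:
    """Scripts present in one DNS label, using the first word of each character's
    Unicode name ('CYRILLIC', 'GREEK', ...). ASCII letters count as LATIN; digits
    and hyphens are script-neutral and ignored."""
    scripts: Set[str] = set()
    for ch in label.lower():
        if ch in "-0123456789":
            continue
        if "a" <= ch <= "z":
            scripts.add("LATIN")
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def skeleton(host: str) -> str:
    """Map each confusable character to its Latin lookalike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def analyze_host(host: str, protected: Set[str]) -> Tuple[str, List[str]]:
    """Return the decoded host and a list of homograph findings (empty = nothing suspicious)."""
    uhost = to_unicode_host(host).lower()
    findings: List[str] = []
    for label in uhost.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    sk = skeleton(uhost)
    if sk != uhost and sk in protected:
        findings.append(f"{uhost!r} is a confusable of protected domain {sk!r}")
    return uhost, findings

if __name__ == "__main__":
    protected = {"apple.com", "google.com"}  # constructed allowlist for the demo
    for h in ("xn--pple-43d.com", "apple.com", "xn--ggle-55da.com"):
        print(h, "->", analyze_host(h, protected))
```

Two caveats a practitioner will hit: a label written entirely in one non-Latin script passes the mixed-script check (that is exactly the case browser heuristics later had to add a confusable check for, which is what the skeleton comparison is here for), and any real confusable table must be loaded from Unicode's data rather than hand-maintained.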

Facebook Delegated Account Recovery SDKs Published for Java, Ruby Apps [ThreatPost]

Back in January, I caught a preview of Facebook's Delegated Account Recovery at the USENIX Enigma conference. A few months later, they published developer SDKs during their annual F8 conference. There's more to this than a simple dev tool; it speaks to Facebook's aim to own Personal Identity. As such, it's been met with skepticism online due to privacy concerns, but the concept and backing technology are worth a look.


Upcoming Events

I'll be speaking at the Rocky Mountain InfoSec Conference next month, with a session titled BeyondCorp: Google Security for Everyone Else. It looks like it'll be a fun conference, so I encourage anyone able to come hang out. I'm not sure if it'll be recorded, but I'll share the slides at a minimum.


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
