
BeyondCorp Weekly 19

Ivan Dwyer - May 9, 2017



Wheels up… I am in the air on my way to Denver for the Rocky Mountain InfoSec Conference. I’m giving a talk tomorrow from 2-3 PM titled BeyondCorp - Google Security For Everyone Else. I’ll share my presentation materials after the fact, but I first wanted to mention something that I thought of while preparing my slides - which I still have 27 hours to finish before going on stage… every minute counts!

A common question I get when talking about BeyondCorp is: what should an Access Policy look like? There is no common specification, nor will there be one any time soon, so how should companies approach this critical step towards their own Zero Trust architecture? Google went with a Trust Tier model based on a domain-specific language they created. Others may opt for a scoring system, or an assertion model. Every company will have a different approach here, so my thought is to treat this process like you might when building a product, and imagine a number of user stories. I’m a huge proponent of the Jobs To Be Done model of product development, and see a strong case for applying it to creating your Access Policy definition. For example:

  • When someone attempts to ssh into a build server, I want to check if their OS is up to date, so I can ensure no malware is present.

  • When someone attempts to download confidential documents from a file server, I want to ask a manager for approval first, so I can ensure the user is authorized to access the files.

  • When someone attempts to log into the HR application from an unknown device, I want to direct the user to a device enrollment step, so I can keep unwanted devices from accessing sensitive resources.

With a few stories under your belt, you get a better understanding of the user and device state and attributes that matter to you, and what course of action you want to take when something doesn’t line up properly. Be careful with a default deny posture, however, as that could impact the user experience significantly. A better approach in my mind is to allow self-remediation and/or introduce additional auth factors. As you collect more data, you can start to identify patterns, and tune the policies accordingly.
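To show how the three user stories above turn into something a policy engine can actually evaluate, here is an added example (not ScaleFT code, and not Google's Trust Tier DSL). Each story becomes a rule: when a given action hits a given resource, check a user or device attribute, and if the check fails take a course of action. The `Request`, `Story` and `Decision` names, the attribute fields, and the sample requests are all constructed for this illustration. Following the advice in the paragraph above, a failing check routes to self-remediation, manager approval or a step-up prompt rather than a flat deny, and every decision is logged so patterns can be found and the policy tuned later.

```python
"""Tiny access-policy evaluator built from Jobs-To-Be-Done style user stories.

Each story says: when <action> on <resource>, check <condition>; if it fails,
take <course of action>. Every matching story is evaluated on each request,
failing checks produce a remediation path instead of a flat deny, and every
decision is recorded so the policy can be tuned from real data later.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"              # most restrictive outcome; rarely the right default
    STEP_UP = "step_up"        # require an additional auth factor
    REMEDIATE = "remediate"    # send the user to a self-service fix (enroll, update)
    APPROVAL = "approval"      # park the request until a manager approves


@dataclass
class Request:
    user: str
    action: str                     # e.g. "ssh", "download", "login"
    resource: str                   # e.g. "build-server", "file-server", "hr-app"
    device_id: str
    os_current: bool                # device attribute: OS patched to current
    device_enrolled: bool           # device attribute: known to the device inventory
    data_class: str = "internal"    # resource attribute: "internal" or "confidential"
    manager_approved: bool = False  # user attribute: an approval is already on file


@dataclass
class Story:
    name: str
    action: str
    resource: str
    check: Callable[[Request], bool]
    on_fail: Decision


# The three stories from the post, expressed as rules (constructed example).
STORIES: List[Story] = [
    Story("ssh to build server needs a current OS", "ssh", "build-server",
          lambda r: r.os_current, Decision.REMEDIATE),
    Story("confidential download needs manager approval", "download", "file-server",
          lambda r: r.data_class != "confidential" or r.manager_approved, Decision.APPROVAL),
    Story("HR login needs an enrolled device", "login", "hr-app",
          lambda r: r.device_enrolled, Decision.REMEDIATE),
]

# When several stories fail on one request, the most demanding course of
# action wins: deny > approval > self-remediation > step-up > allow.
PRECEDENCE = {Decision.DENY: 4, Decision.APPROVAL: 3, Decision.REMEDIATE: 2,
              Decision.STEP_UP: 1, Decision.ALLOW: 0}

# (user, resource, decision, reasons) for every evaluated request.
DECISION_LOG: List[Tuple[str, str, Decision, List[str]]] = []


def evaluate(req: Request, stories: List[Story] = STORIES,
             default: Decision = Decision.STEP_UP) -> Tuple[Decision, List[str]]:
    """Apply every story matching the request's action and resource.

    A request no story covers gets `default`. A flat default-deny hurts the
    user experience, so the default chosen here is a step-up prompt; that is
    a design choice for this example, not a fixed rule.
    """
    matched = [s for s in stories if s.action == req.action and s.resource == req.resource]
    if not matched:
        decision, reasons = default, ["no story covers this action/resource"]
    else:
        failed = [s for s in matched if not s.check(req)]
        if failed:
            decision = max((s.on_fail for s in failed), key=PRECEDENCE.__getitem__)
            reasons = [s.name for s in failed]
        else:
            decision, reasons = Decision.ALLOW, []
    DECISION_LOG.append((req.user, req.resource, decision, reasons))
    return decision, reasons


def decision_summary(log: List[Tuple[str, str, Decision, List[str]]] = DECISION_LOG) -> Counter:
    """Count outcomes per resource so recurring failures stand out for tuning."""
    return Counter((resource, decision.value) for _, resource, decision, _ in log)


if __name__ == "__main__":
    # Constructed sample requests covering each story plus an uncovered resource.
    samples = [
        Request("alice", "ssh", "build-server", "lt-01", os_current=False, device_enrolled=True),
        Request("bob", "download", "file-server", "lt-02", True, True, data_class="confidential"),
        Request("carol", "login", "hr-app", "phone-9", True, device_enrolled=False),
        Request("dave", "ssh", "build-server", "lt-03", True, True),
        Request("erin", "login", "wiki", "lt-04", True, True),
    ]
    for r in samples:
        print(r.user, *evaluate(r))
    print(decision_summary())
```

Running the script prints one line per request (alice is sent to update her OS, bob waits for approval, carol is sent to enrollment, dave is allowed, erin gets a step-up prompt for an uncovered app) followed by the per-resource tally. The `decision_summary` output is where the "collect more data, identify patterns" step begins: a resource that keeps producing the same remediation outcome is a candidate for a new story or a relaxed check.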

Stay tuned for more on this after my talk. Here are a few things that caught my eye this past week.


Why OAuth Phishing Poses A New Threat to Users [DarkReading]

The recent Google Docs phishing scam uncovered what could be considered a design flaw within the OAuth protocol itself. While the intention is to provide a consistent single sign-on experience, one can get just a bit too comfortable and blindly grant access without the right amount of consideration. It’s important for companies to have an understanding of how their employees log in to various services.

Password reuse, credential stuffing and another billion records in Have I been pwned [Troy Hunt]

Troy Hunt continues to uncover large data sets of exposed user accounts through his service Have I Been Pwned. Here he shares the dangers of reusing passwords, which sounds obvious, but worth thinking about what could happen if you (or your employees) had one password stolen. Would it work elsewhere?

Third parties leave your network open to attacks [CSO Online]

The Target hack from a couple of years back is already old news, but the danger of allowing third-party access remains a challenge for many organizations, especially as more cloud-based SaaS services are being consumed. However you handle IAM and PAM, be sure to include any third-party contractors and external services.

Sabre Corp. Investigating Breach of Reservation System [ThreatStack]

Another high profile breach in the hospitality industry has been made public, this time with a SaaS product. The details of the breach itself are unclear, but the incident underscores the need for companies, large and small, to not overlook security posture when deploying apps on the cloud.

Acceptance of Norms Positively Contributes to Security Culture, Finds Report [TripWire]

Here’s an interesting one… a study in Norway and Sweden across 38 companies in 5 sectors attempted to learn more about security culture. A key takeaway was that the acceptance of norms reduced risky behavior. This clearly points to education as being important to encourage better security posture.


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
