BeyondCorp Weekly 23
Ivan Dwyer - June 13, 2017
Last week’s newsletter took a look at the 2017 Internet Trends report from Mary Meeker, and this week I’d like to share some thoughts on the 2017 State of DevOps report from the good folks at Puppet. Always insightful, the report dives into equal amounts of the technical automation and organizational behaviors needed to deliver software more effectively. Now in their sixth annual edition, this one leaned more towards the organizational requirements, indicating that the movement is becoming further engrained into a company’s culture.
Particularly interesting in this edition was their take on Transformational Leadership. One could say that much of the characteristics in building and fostering a modern DevOps culture similarly apply to the Zero Trust model. As we know from the BeyondCorp papers, Google’s own transformation covered the whole gamut of people, process, and technology – which wouldn’t have been possible without strong executive support and direction.
Looking through the lens of DevOps, strategic alignment across organizational silos will be one of the most important factors to a successful security transformation. Naturally, any architectural shift such as that put forth by the Zero Trust model will be met with skeptics and distractors, regardless of how clear the benefits are. This means that leaders need to set the tone early on, building the right team structure and incentive model to support a culture of innovation. To achieve high performance, these teams should be highly collaborative and communicative while striving towards common goals.
Now if you’re reading this newsletter, chances are you are involved in some form of security transformation – either as part of your own organization or working with one. While full of challenges, the good news is that we can look to how the DevOps movement has successfully fostered a culture of innovation within many organizations as a guide.
Here are a few additional things that caught my eye this past week.
Bridging the Gap Between IT Security and IT Operations [InfoSecurity Magazine]
On the topic of silos, there is often misalignment between Security and Operations within IT organizations. Ops teams are generally motivated to enable faster delivery of software, while Security teams are generally motivated to ensure compliance requirements are met. Those motivations can often clash in practice, but instead of the typical back and forth, it’s better to show some empathy and form a mutual understanding of responsibilities and goals.
Behind Breaches: Lots of Outdated Software [Digital Guardian]
A common theme in this newsletter is the revelation that basic upkeep of software updates is more impactful to corporate security than whichever 0day is making headlines that week. This is one of the many reasons why the Zero Trust model is so attractive – factoring in device state when making trust decisions encourages users to keep their software up-to-date, naturally improving their security posture.
Your Information Isn’t Being Hacked, It’s Being Neglected [DarkReading]
In a similar vein, improper configurations are more common in breaches than vulnerabilities. In fact, Gartner states that through 2020, 99% of firewall breaches will be due to misconfigurations. Clearly a strong case for a new architecture that places less emphasis on the perimeter – exactly what Zero Trust is all about.
When are self-signed certificates acceptable for businesses? [TechRepublic]
A key component to Google’s BeyondCorp, and any company’s own Zero Trust architecture, is the PKI to support single-use credentials scoped to each request. Here, Jack Wallen covers some of the basic considerations for self-signed certificates. His recommendations are to limit their use to testing and internal LAN-only services, which is in line with BeyondCorp because the architecture is meant to protect internal company resources.
Cash for Medical Device Clunkers? Task Force calls for Healthcare Security Overhaul [The Security Ledger]
A Congressional Task Force just released a comprehensive report on the state of security within the healthcare industry. The report was rather scathing, finding severe weakness across the board. One major challenge is the large volume of outdated medical devices that are prime targets due to their known weaknesses.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT
Ivan Dwyer
Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
