
BeyondCorp Weekly 27

Ivan Dwyer - July 18, 2017



For those who have been following my blog series on how to go Zero Trust, I published part 3, which gets into creating the right access policy framework for your company. If you missed the prior posts, here is part 1, which covers the primary benefits, and part 2, which talks about the data you should be collecting ahead of time.

Now if you’ve read any of the BeyondCorp research papers from Google, you’ll know that one of the biggest challenges they faced was formulating an access policy framework that covered their full range of employees, company resources and communication protocols. When removing trust from the network, it’s critical that every request be fully authenticated, authorized, and encrypted; to do that without degrading the user experience, the end-to-end workflows have to be considered carefully. The associated decision-making process is heavily dependent on the policies themselves, so it’s important to create a framework that is both comprehensive and easy to understand.

To do this effectively, I advocate for explicitly writing down a number of Job Stories that state how employees should and should not access company resources. For example, Alice is a build engineer who needs access to the Jenkins instance. During a build, she is known to be logged in to the dashboard from her company-issued laptop, as well as logged in to the server over ssh to watch the logs. Following the Job Story format, this would read as:

  • When a release is ready, I want to open the Jenkins dashboard, so I can prepare and execute the build.

  • When a release is ready, I want to log in to the build server over ssh, so I can inspect the build log in real time.

Getting a few of these stories under your belt further sharpens your ability to make policy decisions based on context. Try a few out for yourself and see what you get!
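To show how stories like these become enforceable rules, here is an added example of my own (not code from the post or from any ScaleFT product) that encodes Alice’s two Job Stories as default-deny policies and evaluates each request against its context. The field names, the role label and the company-issued-device check are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """Context gathered for one access attempt (assumed fields)."""
    user: str
    role: str
    device_managed: bool   # True when the device is company-issued and inventoried
    resource: str
    protocol: str          # "https" for the dashboard, "ssh" for the server
    authenticated: bool    # did the user pass strong authentication?

@dataclass(frozen=True)
class Policy:
    """One Job Story reduced to who may reach what, over which protocol."""
    story: str
    role: str
    resource: str
    protocol: str
    require_managed_device: bool = True

# Alice's two Job Stories from the post, expressed as explicit allow rules.
POLICIES = [
    Policy("open the Jenkins dashboard to prepare and execute the build",
           role="build-engineer", resource="jenkins-dashboard", protocol="https"),
    Policy("log in to the build server over ssh to inspect the build log",
           role="build-engineer", resource="build-server", protocol="ssh"),
]

def decide(req: Request, policies=POLICIES):
    """Return (allowed, reason). Anything not covered by a story is denied."""
    if not req.authenticated:
        return False, "request is not authenticated"
    for p in policies:
        if (p.role, p.resource, p.protocol) != (req.role, req.resource, req.protocol):
            continue
        if p.require_managed_device and not req.device_managed:
            return False, f"{req.resource}: story requires a company-issued device"
        return True, f"allowed by Job Story: {p.story}"
    return False, "no Job Story covers this request (default deny)"
```

The reason string is meant to be logged with every decision so that a denied request can be traced back to the missing or violated story.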

Here are a few things that caught my eye this past week.


Why your company needs clear security policies: A cautionary tale [TechRepublic]

Speaking of access policies, here is a story of an employee being reprimanded for saving files to Dropbox. It was against the company’s policy, but he had no idea. This underlines the importance of a policy framework that is understood both by the managers specifying the rules and by the end users who are affected by them.

Protecting Your Company’s Assets: How People and Machine Both Play Vital Roles [InfoSecurity Magazine]

A Zero Trust architecture is meant to provide better visibility by routing all traffic through a proxy where authentication and authorization decisions can be made consistently, based on dynamic user and device data. A logical evolution of this architecture is to incorporate machine learning (buzzword alert) into the decision-making process, because a central proxy puts you in a better position to identify behavioral commonalities and anomalies. How you respond to that information will map back to your policy framework.

50% of Ex-Employees Still Have Access to Corporate Applications [DarkReading]

A study performed by OneLogin found that half of the ex-employees at the companies surveyed still had active accounts that could access corporate applications. The study highlights the importance of the deprovisioning process, and of ensuring credentials are revoked along with the account in the system of record. A proper Zero Trust implementation is backed by a PKI that only issues ephemeral, single-use credentials, so there are no lingering effects once an employee or contractor leaves.

How to Make a Strategic, Value-Driven Business Case for Your DevOps Initiative [Contino Blog]

A thorough post on how to make an actual business case for a DevOps initiative that places less emphasis on the technologies and more on the outcomes. I would say that much of the thinking here applies to making the case for a migration towards Zero Trust. It can be hard to calculate an ROI for security unless you have a clear understanding of the cost of a breach, so in this regard it might make more sense to focus on the improved employee productivity and lower IT support costs that come from a more streamlined access control model.

Life Is About to Get a Whole Lot Harder for Websites Without HTTPS [Troy Hunt]

Last week, Let’s Encrypt announced the upcoming availability of wildcard certificates, significantly lowering the barrier to HTTPS. It’s critically important that any remaining roadblocks are cleared, because Google has made it clear that it will start penalizing sites that don’t adapt by displaying warnings on pages served over HTTP. It’s been interesting to follow the debate here, as there are still people who aren’t fully convinced, primarily because of the burden it places on site owners. I’ll take ‘secure by default’ any day.


Upcoming Events

Reminder that the ScaleFT team will be on hand at Black Hat next week, ready to demo the latest and greatest from our Zero Trust Platform. Come by the booth on Wednesday or Thursday, or shoot me a note to schedule a time to meet. Hope to see you there!


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
