
BeyondCorp Weekly 29

Ivan Dwyer - August 1, 2017



Last week I descended on the city of Las Vegas like so many of my peers for the Black Hat conference. It was my first time attending, and I’d love to tell you I experienced all it had to offer and more, but I was strictly relegated to our 6’ x 6’ booth in the upstairs Innovation City. I only managed to catch the main expo hall roughly 15 minutes before closing time on a last-minute swag run.

I never left our space because I always had someone to talk to – which was the point of being there! I must say that the interest level around BeyondCorp and Zero Trust was at an all-time high – from end users to vendors to consultants to analysts. More people had read the BeyondCorp papers than ever before, and the consensus is that Zero Trust is the right model and the logical future of security architectures.

The most common question that continues to arise in conversation is how companies other than Google can achieve something even remotely similar. I often point out that looking at Zero Trust purely through the lens of Google makes it seem way too daunting, so it’s best to break it down into more digestible chunks that can be taken in stride. As a seismic shift on par with that of the cloud, it’s going to take an initiative to get there – and the more organizational support, the better.

This is primarily why I’ve been writing the ongoing blog series about How to Go Zero Trust. Yesterday, I published Part 4: Implementing Access Controls. This is really where the architecture starts to take shape, applying the learnings from the exercises in the previous posts. There’s one more in the series that covers how to deploy resources behind the new controls, so stay tuned for that final chapter.

Here are a few additional things that caught my eye this past week.


Facebook CSO: It’s Time to Focus on Real Problems [OnTheWire]

The keynote from Black Hat came courtesy of Facebook CSO, Alex Stamos. The main theme was that industry professionals can easily get too caught up in the elaborate hacks, and don’t spend enough time fixing real problems facing people today. To sweeten the pot, Facebook put up $1M in reward money for those working to solve certain issues. I’m sure there are some self-serving motives behind the effort, but a worthy enough cause.

Everyone is working on their own ways to secure IoT [CyberScoop]

Another common topic of conversation at Black Hat was security for IoT devices - most specifically around identity. It’s an interesting challenge given the wide range of devices with varying hardware footprints and accessibility. The TDI solution mentioned here has potential, but it’s too early to say. Something to watch for sure.

DevOps Security & the Culture of ‘Yes’ [DarkReading]

Newsletter readers know that I often compare Zero Trust to DevOps in terms of its impact across the people, process, and technology within an organization. This post focuses on team collaboration, and how security teams should take a more positive and proactive approach in order to be effective.

Virgin America Breach Hits Staff and Contractors [InfoSecurity Magazine]

Another high-profile breach, but a story that carries a different tone than most. While certainly damaging, it does seem as though the incident was well handled by the company. Security teams that understand their environments and the associated risks are in a better position to respond quickly and effectively. Kudos, team.

An insider sifts through 108,000 client files. What can go wrong? [CSO Online]

Yet another case of a malicious insider, this time attacking the health insurance company Bupa Global. From the report, it appears as though they have strong evidence of the employee’s activity - in many ways mirroring that of the famous Waymo/Uber case. The advice given here is fairly standard - trust but verify with least privilege given – basic principles of Zero Trust.


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
