BeyondCorp Weekly 30
Ivan Dwyer - August 8, 2017
If you happened to see me or any other ScaleFT folks at Black Hat, you may have noticed our clever “No VPN” t-shirts. Partially an homage to the outcome of Google’s BeyondCorp, and partially meant to spark a reaction in a slightly controversial manner - which it did. I had some funny encounters, but the most common reaction to our t-shirts was, “hey, I thought VPNs were good?!”” This is where I would enter clarification mode and reply, “we’re talking about corporate VPNs. Yes, keep your personal VPNs”.
Well, not so fast! News broke yesterday that a popular personal VPN service has been accused of snooping on VPN users and selling data to advertisers. While corporate and personal VPNs are two very different products that are intended for very different outcomes, they are based upon a fundamentally similar architecture. Should I be campaigning against one and for the other, or argue that it’s the wrong architecture regardless of use case?
That’s an open ended question, however my gut reaction is to focus on the intended outcome first and foremost. If your personal goal is pure anonymity online, should you trust a third party VPN service? Probably not. If your company’s goal is to make better trust decisions, should you rely solely on your VPN? Definitely not!
That said, I wouldn’t argue against operating your own OpenVPN server, nor recommend companies rip out their VPNs tomorrow. What we’re really saying with Zero Trust is no trust by default, moving the decision making from the network layer to the application layer to account for dynamic environments. Is eliminating the need for a VPN a possible outcome of such a model? Absolutely, but not to be taken lightly. “No VPN” can be our rallying cry as we continue to build BeyondCorp-inspired solutions across the ecosystem.
Here are a few additional things that caught my eye this past week.
DigiCert to Acquire Symantec’s Website Security Business and Related PKI Solutions [DigiCert]
Speaking of trust, the much beleaguered CA business unit of Symantec has been acquired by DigiCert. This is a significant move that could greatly impact web security as a whole. Can they salvage the now toxic asset or are they just in it for the customer list? Time will tell, but it’s honestly tough to root for a commercial CA service when there are things out there like Let’s Encrypt :)
Deploying an Internal CA - looking for advice [cron.weekly]
On a similar note, here’s an interesting thread discussing how to build your own internal PKI. Don’t kid yourself that this is an easy task, which is how the big CA players have managed to make so much money. Luckily we have a number of new projects and frameworks including ACME which Let’s Encrypt is built on. Note that a proper Zero Trust implementation requires its own PKI supporting the workflows.
Secrets and LIE-abilities: The State of Modern Secret Management (2017) [Medium]
Related to internal PKI is managing secrets properly. Here is an excellent breakdown of a number of the popular options out there today, including KeyWhiz, Vault, Docker SwarmKit, DC/OS, Rancher Cattle, and Kubernetes. Some of these are standalone and others are integrated within the respective container orchestration platforms. This article puts forth some best practices along with enough detail to make your own educated decision. Personally, I’d say if you’re already bought into one of these platforms, go with the integrated approach.
How to get users on board with two-factor authentication [TechRepublic]
This may appear to be a tired argument on the surface, but this article poses the question as how to convince non-technical folks in a way they’d truly understand. Think about this in terms of BeyondCorp - Google took extra care to properly train all of their employees on the new system, and made sure IT was there to support. In the end, they found a significant drop in support tickets because the employees were better equipped to self-remediate. Imagine that!
The SRE model [Medium]
While not directly related to BeyondCorp, Google’s SRE model carries some similar characteristics in terms of operations. As you plan your own Zero Trust rollout, it will likely be your SREs supporting the system. What’s important is that this team is on board with the architecture, and fully understands how to deploy and manage resources within the environment. I’d say get this team involved early on in the planning process as champions because they (or you) carry a ton of weight.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT
Ivan Dwyer
Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
