BeyondCorp Weekly 31
Ivan Dwyer - August 16, 2017
For those who have been following my blog series on How to Go Zero Trust, I’m pleased to announce that I’ve published the fifth and final piece - Migrating Resources Behind an Access Fabric. As you know from prior newsletters, we recently introduced the term Access Fabric at ScaleFT to represent the globally distributed processing engine that backs our Zero Trust platform. With access controls in place that are capable of performing real-time authentication, authorization, and encryption, the logical next step is to start migrating resources over to this new environment.
As is often the case with a blog series like this, there are probably just as many questions left as there are answers. That’s great, in fact, considering that we’re talking about a fairly new concept here that flips a lot of things on its side. All for the better, of course, but not without careful consideration. The BeyondCorp research papers provide a lot of insight into how Google went through their own security transformation, and it’s been my goal with this series to break it down into more digestible chunks that companies who aren’t Google can follow.
With that, my hope is that the conclusion of this series helps begin your Zero Trust journey. I’d love to hear more about your own initiatives, so feel free to share what you’re working on. Hopefully I can help!
Here are a few things that caught my eye this past week.
$10k host header [testsiteshacking]
Now it wouldn’t be fair to exclude any weaknesses in the BeyondCorp system while promoting all its goodness. Here, someone was fairly easily able to bypass Google’s proxy service to gain access to an internal application. This speaks to the importance of verifying that traffic to the application originates from the proxy, and that the request has been fully authenticated and authorized.
DevOps and Security: Fighting factions or fabulous friends? [ComputerBusinessReview]
I often speak to the way a Zero Trust implementation mirrors that of a DevOps implementation in terms of its impact on the people, process, and technology of a company. This piece covers the importance of cross functional collaboration, where security teams and DevOps teams work together to deliver software quickly and safely. At the end of the day, that goal is more common than it may first appear.
Fear of missing out is driving cloud investments [BetaNews]
Here’s an interesting study performed by Commvault and CITO Research that points to executives being concerned about missing out on the technical advancements of the cloud. As Google talks more about BeyondCorp, and as more companies implement their own Zero Trust systems, I could see a similar thing happening here with regards to corporate security.
Lax Online Security Can Destroy Your Brand Overnight [InfoSecurity Magazine]
Fear of missing out pales in comparison to the fear of brand damage. Nothing shakes customer confidence more than a security breach, yet many executives still see tighter security posture as secondary or responsive. The only way to change this is to make the right case, which is still mostly driven by fear. While I tend to focus on the positive outcomes a company will gain with a security transformation, there’s no denying the power of saving face in a hostile world.
20 Tactical Questions SMB Security Teams Should Ask Themselves [DarkReading]
I usually gloss over lists like this, however this one is spot on in terms of what you should ask yourself when planning a Zero Trust implementation. It covers the right prerequisites, outcome alignment, and technical considerations. If you’re early in your planning phase, I highly recommend going through this checklist.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT
Ivan Dwyer
Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
