Articles and stories about BeyondCorp from the ScaleFT team

BeyondCorp Weekly 36

Ivan Dwyer - September 26, 2017



a·nach·ro·nis·tic
/əˌnakrəˈnistik/
Adjective

belonging to a period other than that being portrayed.

“‘Titus’ benefits from the effective use of anachronistic elements like cars and loudspeakers”

belonging or appropriate to an earlier period, especially so as to seem conspicuously old-fashioned.

“she is rebelling against the anachronistic morality of her parents”


If you’re wondering why I am starting this week’s newsletter with the dictionary definition of an obscure word, it’s because said obscure word was spoken onstage at TechCrunch Disrupt by Google’s Information Security Manager, Heather Adkins. You may recall her from the excellent RSA presentation about Google’s BeyondCorp implementation.

“The idea of a VPN is anachronistic because you’re routing your traffic through a corporate VPN and then to the cloud,” she said. “The purpose of VPN originally was to create private networks, to create confidentiality between the endpoints and the server. And we can create this today with SSL. We use SSL to protect that, find that confidentiality capability.” - Heather Adkins

I was so excited to see this quote from her on TechCrunch, but I admit that I had to immediately look up the word anachronistic to get it – which I’m not embarrassed about because I scored way better in math than verbal on my SATs. But I digress – let’s break down her statement a bit as it relates to BeyondCorp. Google’s ability to eliminate the need for VPNs boiled down to 3 key points:

  1. Connecting from a particular network must not determine which services you can access
  2. Access to services is granted based on what we know about you and your device
  3. All access to services must be authenticated, authorized, and encrypted

While the purpose of a private network is to create confidentiality between the endpoints and the server, a VPN goes beyond that: it represents a perimeter, with a clear definition of inside and outside. Under points 1 and 2, the network no longer determines trust; trust is about you and your device at a point in time. And while SSL provides confidentiality, the requirement again goes beyond that, because under point 3 the encrypted connection must also be fully authenticated and authorized before access is granted. These 3 principles come together to form a cohesive access management environment in which the VPN is, dare I say, anachronistic - the word of the day.
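The three principles above, written as a gateway access decision. This is an added example, not Google's or ScaleFT's code; the `Request` fields, the device inventory and the service ACL are hypothetical, constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str            # identity asserted by the identity provider
    mfa_verified: bool   # second factor completed for this session
    device_id: str       # identifier taken from the device certificate
    tls: bool            # connection to the gateway is encrypted
    source_ip: str       # kept for logging only, never used for trust
    service: str

# Constructed sample inventory and policy (hypothetical values).
DEVICES = {
    "laptop-01": {"owner": "alice", "managed": True, "patched": True},
    "laptop-02": {"owner": "bob", "managed": True, "patched": False},
}
SERVICE_ACL = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); every service passes through the same checks."""
    # Principle 3: the connection must be encrypted and authenticated.
    if not req.tls:
        return False, "connection not encrypted"
    if not req.mfa_verified:
        return False, "second factor missing"
    # Principle 2: what is known about the device at this point in time.
    dev = DEVICES.get(req.device_id)
    if dev is None or not dev["managed"]:
        return False, "unknown or unmanaged device"
    if dev["owner"] != req.user:
        return False, "device not assigned to user"
    if not dev["patched"]:
        return False, "device out of compliance"
    # Principle 3: authorization is per service, not per network.
    if req.user not in SERVICE_ACL.get(req.service, set()):
        return False, "user not authorized for service"
    # Principle 1: source_ip was never consulted on the way here.
    return True, "ok"
```

The same user and device get the same answer from an office address and from a public one, while a stale device or a missing second factor is refused even from "inside".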

Now if you’re as excited as I am to hear the No VPN message make the headlines of TechCrunch (and you’re in the bay area), join us this Thursday as we host the BeyondCorpSF Meetup at 111 Minna. Judging by the RSVP list already, we’re sure to have a lively event. We’ll be there starting at 5:00 PM - food and drinks on ScaleFT!

Here are a few additional things that caught my eye this past week.


Busting myths behind authentication and authorization [CSO Online]

Speaking of the No VPN message, here’s an article that busts the myth that reverse proxies are bad by pointing out the failed perimeter model that the VPN represents. The author even goes as far as to call the VPN a massive Trojan horse. I couldn’t agree more!

Time to Embrace a Security Management Plane in the Cloud [CSO Online]

As more enterprises migrate to the cloud, with statistics pointing to a multi-cloud environment as the norm, unity will be critical to providing the right visibility. Here, Jon Oltsik speaks to a security management plane that sits atop all environments to do just that.

Nearly 50% of organizations willing to pay extra for security guarantee from cloud vendors [TechRepublic]

A recent study by 451 Research showed that nearly half of the respondents moving to the cloud would pay a premium for extra security guarantees. Those guarantees don’t necessarily have to come directly from the cloud providers; managed service providers and software solutions can pick up where they leave off, further extending the shared responsibility model.

Secrets Management: New Series [Securosis]

I’m always excited when the folks at Securosis start a new blog series, this time digging into Secrets Management. In just the last week, Adrian Lane has written 3 posts on the subject – introducing the topic, covering the use cases, and the components & features. Essential reading as always.

Deloitte hit by cyber-attack revealing clients’ secret emails [The Guardian]

This week’s high profile breach points out a common, yet less obvious challenge companies face – ensuring access policies are enforced properly by access controls. At a company like Deloitte, 2FA is likely a company policy, but wasn’t enforced in this case. This is another area that Google got right with BeyondCorp – consistent policy enforcement through the access gateway. Take note of this when going down this path at your own organization.


Upcoming Events

BeyondCorpSF Drink Up
Thursday, Sep 28
5PM - 8PM
111 Minna Gallery

Gartner IAM Summit
Nov 28 - Nov 30th
Las Vegas


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
