BeyondCorp Weekly 37

Ivan Dwyer - October 3, 2017



A couple weeks ago, I shared a podcast interview with ScaleFT co-founder and CTO, Paul Querna, where he discussed the importance of putting forth a good user experience when implementing security controls across an organization. In a strikingly similar spirit, Google released their fifth BeyondCorp paper last week, this time focusing on the user experience of the employees using the system. Readers of this newsletter know how much I focus on the human element of any enterprise security framework, and I’m pleased to see Google continue their series with a dedicated paper on the subject.

I’ll let you dig into the paper yourself (it’s brief), but I wanted to cover a few specific areas that we have been giving considerable thought to at ScaleFT from a product perspective:

Policy simulation: I’ve said it before and I’ll say it again – getting policies right is the hardest part of a BeyondCorp-like implementation. It needs to be human understandable while providing the right controls. Finding that sweet spot is challenging enough, but what actually happens when a policy is enacted or changed? For critical patches, you would want to force an update on all your employees, but others that may seem like a simple tweak could negatively impact the entire company. A policy change that unjustly frustrates all the users goes against the UX goal of the system. A way to test the waters is to simulate a policy change by running the rules against what is known about all the users and devices at that time. Visualizing the impact will give you more confidence in the outcome.

Self-remediation: To reduce the burden on support staff, a well-designed system should include an independent service that can translate policy decisions into human-understandable messages. Encouraging self-remediation with clear information and action steps will no doubt improve the overall security posture of your company. The challenge here lies primarily in the abstraction layer of the policies and the results. A policy that states “employees must have their disk encrypted to access the file store” should deliver a message to a user whose device doesn’t pass along the lines of, “you must have your disk encrypted to access the file store. Here is an article about how to do that with your operating system.” Sounds easy with one example, but coming up with an abstraction that knows all the policies, inputs, and remediation steps will certainly take some time.

Machine learning: Buzzword aside, the ability to recognize anomalies or predict policy outcomes will further improve the effectiveness of the system. There’s an evolution to this type of feature – it could start with something as simple as running the policy simulator on a regular basis and notifying users who may be impacted. At first, you have to be explicit about the rules – “employees can only access app A if their device meets Y standards”. In a future state, the system can be context-aware enough that the policies manage themselves, continually adjusting based on the sensitivity of the resource and the potential attack surface of connecting devices. It should go without saying there’s a danger in leaning on the system’s intelligence too much, as one could certainly game the system with practice. Where machine learning really helps is with validation and optimization, supporting the IT managers dealing with the policies and the security teams inspecting the traffic.

These are all roadmap items for the ScaleFT platform, which I’d be happy to share more about. If you have any questions/comments/requests, let me know by replying to this email.
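The policy simulation and self-remediation ideas above can be sketched together. This is an added example, not ScaleFT's or Google's code; the rule model, attribute names, and inventory are constructed for illustration. It dry-runs a proposed policy against what is known about each device and returns, per newly affected user, the action steps they would be shown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str    # device attribute the rule inspects
    required: object  # True/False, or a minimum for numeric attributes
    remediation: str  # human-readable action step shown to the user

    def passes(self, device: dict) -> bool:
        value = device.get(self.attribute)
        if value is None:                   # attribute never reported: fail closed
            return False
        if isinstance(self.required, bool):
            return value is self.required
        return value >= self.required

def evaluate(policy, device):
    """Remediation messages for every rule the device fails (empty = allowed)."""
    return [rule.remediation for rule in policy if not rule.passes(device)]

def simulate(current, proposed, inventory):
    """Dry run: users allowed under `current` who `proposed` would deny, and why."""
    impact = {}
    for device in inventory:
        if evaluate(current, device):       # already denied today, not a new impact
            continue
        failures = evaluate(proposed, device)
        if failures:
            impact[device["user"]] = failures
    return impact

# Constructed policies and inventory (hypothetical attribute names and values).
DISK = Rule("disk_encrypted", True,
            "You must have your disk encrypted to access the file store.")
PATCH = Rule("os_patch_level", 12,
             "Update your operating system to patch level 12 or later.")
CURRENT, PROPOSED = [DISK], [DISK, PATCH]
INVENTORY = [
    {"user": "alice", "disk_encrypted": True, "os_patch_level": 12},
    {"user": "bob", "disk_encrypted": True, "os_patch_level": 11},
    {"user": "carol", "disk_encrypted": False, "os_patch_level": 12},
    {"user": "dave", "disk_encrypted": True},   # patch level not reported
]

if __name__ == "__main__":
    for user, steps in simulate(CURRENT, PROPOSED, INVENTORY).items():
        print(f"{user} would lose access:", "; ".join(steps))
```

Devices that never reported an attribute are treated as failing the rule, so the simulation also surfaces gaps in inventory data before the policy is enforced.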

Here are a few additional things that caught my eye this past week.


How BeyondCorp can help businesses be more productive [Google Blog]

Google’s own take on the release of the fifth paper shows their commitment to security with regard to their employees, and with their own products. They offer BeyondCorp-like functionality through the Cloud Identity-Aware Proxy, which acts as the central gateway for all traffic.

Google launching Gmail security tool to protect executives from high-profile attacks [Tech Republic]

On an unrelated, but also totally related note, Google is launching an Advanced Protection Program for Gmail, forcing a two-key authentication process. This speaks to their beliefs in policy-driven security, as well as their beliefs around defense in depth.

There’s no such thing as a ‘remote’ employee [Computer World]

When you break down the walls of the perimeter, you also blur the lines of what it means to be a remote employee. In a BeyondCorp world, you could be chained to your desk and still be considered ‘remote’ in the eyes of the system. That’s because no matter what, all traffic flows through the central access gateway to perform the authentication and authorization regardless of location.

Recent NSA leaks show challenge of a software ‘solution’ for insider threats [CyberScoop]

The number of NSA contractors who have been able to walk out of the building with sensitive information is obviously worrisome to the agency. But looking for a silver bullet solution to stop all insider breaches is a futile effort. Based on this article, they are becoming aware of a new approach; however, the impulse seems to be to buy more and more products checking off ‘all the boxes’.

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’ [The Register]

Now I’m not one to point fingers, but this is pretty poor security posture for a consulting agency. Wide open systems - bad. Backed by unmanaged static credentials - worse. Pushed to a public GitHub repository - yikes. This case may have been avoided with proper training at the user level, but the lack of controls in place was bound to surface.


Recent Events

We had a fantastic showing at last week’s BeyondCorpSF Meetup. Some familiar faces, some new ones, all engaged in the community. I’m excited to watch the interest in BeyondCorp continue to grow at such a rapid pace!

For those local to the Bay Area and Austin, be sure to join the BeyondCorpSF and BeyondCorpATX groups respectively, as we’ll be hosting more events. If you’re in a different city and know any good local Meetups to bring up the topic, I’d be happy to come give a talk. Let me know!


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
