Articles and stories about BeyondCorp from the ScaleFT team

BeyondCorp Weekly 38

Ivan Dwyer - October 17, 2017



I had hoped to write about something that’s been on my mind lately, but then KRACK happened. Thankfully, my take on the matter was boiled down nicely into a single Tweet from everyone’s favorite InfoSec parody account, which means I can write about what’s on my mind. Thanks Tay!


Now if you follow this newsletter, then you know that I often talk about the importance of access policies. It’s my belief that getting policies right is the hardest part of any security framework, with no real standards or specifications to follow. Google spent years getting it right just for them, but it’s hardly reusable for anyone else.

Policies are critical for two key reasons – they dictate the security posture and they impact the user experience. If that sounds familiar, it’s because those two key points map directly to the two executive mandates for the BeyondCorp initiative – it had to work and the users had to love it.

The core challenge of such a mandate is the common lack of adherence between policy and practice, which creates a noticeable gap between security and UX. These have always been opposing forces, with security acting as a blocking function, getting in the way of the end user.

The way to achieve adherence is to map the policies to the controls in place. That’s easier said than done, however, as there is rarely a direct relation between the two across an entire organization. This is another area that Google got right with BeyondCorp, but it took them creating their own policy DSL to complement the Zero Trust system. How can other companies going down this path achieve a similar outcome?

My view is to start small instead of attempting to boil the ocean. Pick an app or two to start with, and make up some basic access policies to determine who should and should not be granted access. When incorporating the associated controls, watch what happens with the traffic. Did the practice match the policies? Did the controls get in the way of the experience? Once you’re comfortable with the results, try with more company resources, and try different policies. Before you know it, you’ll have a BeyondCorp-like system in place, greatly improving your security posture.
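The "did the practice match the policies?" check can be sketched in code. This is an added example, not ScaleFT's product or Google's policy DSL; the policy shape, resource names, users, and log events are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                      # hypothetical policy shape, one per app
    allowed_groups: frozenset
    require_managed_device: bool = True

@dataclass(frozen=True)
class AccessEvent:                 # one line of observed traffic
    user: str
    groups: frozenset
    device_managed: bool
    resource: str
    allowed: bool                  # what the control in place actually did

def policy_decision(policies, ev):
    """What the written policy says should happen (unknown resource: deny)."""
    p = policies.get(ev.resource)
    if p is None:
        return False
    if p.require_managed_device and not ev.device_managed:
        return False
    return bool(p.allowed_groups & ev.groups)

def audit(policies, events):
    """Split policy/practice mismatches into security gaps and UX friction."""
    gaps = {"security_gap": [], "ux_friction": []}
    for ev in events:
        expected = policy_decision(policies, ev)
        if ev.allowed and not expected:
            gaps["security_gap"].append(ev.user)   # control looser than policy
        elif expected and not ev.allowed:
            gaps["ux_friction"].append(ev.user)    # control stricter than policy
    return gaps

# Constructed sample: two apps to start with, five observed requests.
POLICIES = {
    "wiki": Policy(frozenset({"employees"}), require_managed_device=False),
    "payroll": Policy(frozenset({"finance"})),
}
EVENTS = [
    AccessEvent("ana", frozenset({"employees", "finance"}), True, "payroll", True),
    AccessEvent("bo", frozenset({"employees"}), True, "payroll", True),
    AccessEvent("cy", frozenset({"employees", "finance"}), False, "payroll", True),
    AccessEvent("di", frozenset({"employees"}), False, "wiki", False),
    AccessEvent("ed", frozenset({"contractors"}), True, "wiki", False),
]

if __name__ == "__main__":
    print(audit(POLICIES, EVENTS))
```

Entries under `security_gap` are where the control allowed what the policy denies; entries under `ux_friction` are where the control blocked a user the policy would have let through.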

If you’re ready to give it a try, I’d be happy to get you up and running with ScaleFT. We offer a 30-day free trial, and can show you an easy way to get started down the BeyondCorp path. Reach out any time!

Here are a few additional things that caught my eye this past week.


Here’s Google’s biggest secret to not failing at security [Tech Republic]

Google continues to promote BeyondCorp externally, this time as an interview between Matt Asay and Sam Srinivas, product management director in Google’s Cloud Security and Privacy team. He shares a few tidbits about the implementation details, and how companies can achieve something similar.

Cybersecurity technology: Everything is transforming and in play [CSO Online]

There’s little doubt we’re in the midst of a security transformation, which means the market is changing as well. Here Jon Oltsik from ESG walks through a few product categories that are changing, with a few notable vendors. Nice to see a ScaleFT mention!

How to reinvent security: Tap the “The 3 ways of IT” for your DevOps practices [TechBeacon]

Further commentary on bringing DevOps principles and practices into the security realm, here interpreting the “Three Ways of IT” from the Phoenix Project by Gene Kim. Whether or not you like the term DevSecOps, one can reimagine security in a way that actually enables the business.

Secure development and deployment [National Cyber Security Centre]

The rise of automation in the software development lifecycle forces further thought about best practices. The National Cyber Security Centre released a draft of their secure development and deployment guidance. It is a fairly comprehensive guide with regard to CI/CD that’s worth a read.

In Post Password Era, Passwords are the Problem [SecurityLedger]

Here’s an interesting take that speaks to the hesitancy of companies to make a change with regard to security. While this article is specific to passwords, the general theme applies across all modern security practices. What will it take for companies to move in the right direction?


That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,

Ivan at ScaleFT

@fortyfivan


Ivan Dwyer

Ivan Dwyer is the VP of Product Marketing at ScaleFT, working with the community to raise awareness around BeyondCorp and Zero Trust for organizations of all kinds looking to modernize their security architecture.
