Well, 2018 sure started out with a bang in the security world! While Meltdown and Spectre are vulnerabilities out of scope with an enterprise security framework like BeyondCorp, there is something to be said for how quickly and effectively the major cloud providers and OS vendors responded. As it turns out, automated environments are not only key for speed, but also security. We often see those forces oppose each other, but in the modern cloud era, they can be fully aligned. There may be long-term implications to these vulnerabilities at the hardware level, but the near-term impact for cloud deployments can be mitigated as long as one fully understands the shared responsibility with their providers.
On another note, I’m excited to be kicking off the BeyondCorp road show this week, with the first event in San Francisco on Wednesday at 5 PM. If you’re in the area tomorrow, be sure to RSVP to reserve your spot. Following shortly will be Seattle, Boston, New York, and Austin. So far we have speakers lined up from Duo, Akamai, F5, ForgeRock, and ScaleFT, with more to be announced shortly. If you’re interested in speaking at any one of these events, let me know, and we can work on the right topic.
Also, I wanted to remind everyone to submit their nominations for the BeyondCorp Pioneers awards. This is a great opportunity to get recognized by your peers, and to be an influencer in the community. It only takes a few minutes to fill out the form, so grab a quick cup of coffee and share your thoughts on BeyondCorp. Don’t be shy!
Here are a few additional things that caught my eye this past week.
Google is back out on the promotional trail, speaking about BeyondCorp for TheNewStack. Here, they recap the presentation given at last year’s O’Reilly Security Conference. Readers of this newsletter should be quite familiar with the content, as it covers some highlights from the Google whitepapers. The question remains - how can other companies achieve a similar outcome?
In conversation with Quentin Hardy about the future of the cloud, Urs Holze makes a few statements relevant to BeyondCorp without actually saying the name. First off, he mentions removing trust from the network, and second, he mentions device state as an auth mechanism. All very much in line with the core principles of BeyondCorp.
Microsoft could soon be “password free” [Naked Security]
Here’s an interesting peek into some internal initiatives within Microsoft that appear, at least on the surface, to have similar motivations as Google did with BeyondCorp – albeit a much different approach. This only speaks to the authentication process, with biometrics replacing the password, but it does point to a trend within the major cloud providers dogfooding their own security services.
The Evolution of Corporate Authentication [InfoSecurity Magazine]
Also on the topic of corporate identity, this article reinforces keeping authentication and authorization as independent processes, with granular access controls based on role, device posture, and the sensitivity of the resources. Whether you refer to the architecture as SDP or Zero Trust, the principles remain the same.
‘Zero Trust’ Security Will Make A Comeback in 2018 [InfoSecurity Magazine]
Comeback? I already used my one LL Cool J joke on Twitter, so I’ll spare you that, but it’s curious to hear Zero Trust in this context because it’s still such a relatively new practice. This article gets a few things wrong IMHO, most notably that Zero Trust means prohibiting people from using non-corporate issued devices.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT