As I get closer to 40 (or 10 if you count by my actual birthday), my Monday mornings are usually fueled by lots of coffee, taking an hour or two to get into work mode. I did not have that luxury yesterday, as I awoke to a lively Hacker News thread discussing BeyondCorp. Not surprising, much of the conversation focused on the real world viability outside of Google. Readers of this newsletter know that is a topic near and dear to my heart; an essential milestone to making BeyondCorp a real movement. The good news is that I see more evidence every day that BeyondCorp is not only feasible, but being actively worked on at companies of all kinds.
Where I see a lot of people get hung up is with supporting BYOD. Google speaks to their own device management as a key component of the overall system, but that doesn’t necessarily mean you have to follow suit. The challenge then lies with enforcing access policies that factor in device state, when the devices may not be known. A couple of things to remember in this regard – first, device attestation is a policy decision you make, so you can determine how strict you want to be. Second, you only need to query device state to make a trust decision, which doesn’t mean you have to run a full-blown endpoint protection/MDM suite across your entire organization. There are lightweight options, and some potential open source solutions such as osquery that can get the job done.
I was glad to see the thread have such lively (and civil) debate. The enthusiasm points to a growing trend of adoption as opposed to just pure curiosity. This community coming together to share ideas and experiences is what will make BeyondCorp a real movement.
On that note, make sure to come out to any BeyondCorp Meetups in your area. We’ll be in Seattle tomorrow, back in San Francisco, out east for Boston and New York, then off to Austin. I’ll be at each one, so I hope to meet some new folks and hear what you’re working on.
Here are a few additional things that caught my eye this past week.
Welcome CloudFlare to the BeyondCorp ecosystem. Their messaging is spot on - “It’s like BeyondCorp, but you don’t have to be a Google employee to use it.” A BeyondCorp-style proxy service is a natural extension of a CDN, and I look forward to watching the product progress.
How HTTP security headers can defend enterprise systems [SearchSecurity]
In a BeyondCorp-like system, a secure connection between the proxy and the origin is paramount. It’s not enough to just authenticate and authorize requests from the client to the proxy. One method is to inject metadata into HTTP headers that the origin can validate. I walk through the way we do this at ScaleFT in a blog post about our Web Access product.
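To make the proxy-to-origin header idea concrete, here is an added example (not ScaleFT’s code, and not from the blog post above) of one way to do it: the proxy signs the identity claims it attaches with an HMAC over a shared secret, and the origin rejects any request whose header is missing, tampered with, or stale. The secret, header name and claim names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: in practice the secret is provisioned out of band
# and the header name is whatever the proxy and origin agree on.
PROXY_SECRET = b"constructed-demo-secret-do-not-reuse"
HEADER_NAME = "X-Proxy-Identity"
MAX_AGE_SECONDS = 60  # bound replay of a captured header


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def proxy_sign(claims: dict, now: int) -> str:
    """Proxy side: serialize the claims the origin may trust and append an HMAC tag."""
    payload = dict(claims, iat=now)  # issue time lets the origin reject stale headers
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(PROXY_SECRET, body, hashlib.sha256).digest()
    return f"{_b64url(body)}.{_b64url(tag)}"


def origin_verify(header_value, now: int):
    """Origin side: return the claims only if the header is well-formed, authentic and fresh."""
    if not header_value or "." not in header_value:
        return None  # header absent: the request did not come via a trusted proxy
    body_b64, tag_b64 = header_value.split(".", 1)
    try:
        body = _b64url_decode(body_b64)
        tag = _b64url_decode(tag_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(PROXY_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # tampered claims or a forged header
    claims = json.loads(body)
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now or now - iat > MAX_AGE_SECONDS:
        return None  # replayed or clock-skewed header
    return claims
```

The header check only helps if the origin is reachable solely through the proxy (network policy or mutual TLS), otherwise a client could talk to the origin directly and the metadata is never consulted.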
Which CISO ‘Tribe’ Do You Belong To? [DarkReading]
Synopsys released an interesting report outlining 4 distinct personas of CISOs, based on how they perceive security. CISO is a unique role to begin with, and this study sheds light on the varying motivations - CISOs who see security as an enabler, as technology, as compliance, or as a cost center. Who do you think most identifies with BeyondCorp? (My vote is #1)
Secure Contexts Everywhere [Mozilla Security Blog]
Grateful for the continued work Mozilla does to make the web more secure. Without coming out and saying it, secure contexts follow similar principles to BeyondCorp by starting with zero trust by default, and only making a trust attestation based on, as the name suggests, context.
This article covers the basics of BeyondCorp and Zero Trust, but one curious point caught my attention. The author claims that security may come at the cost of productivity, and uses the example of an employee being locked out of a system. Oh, on the contrary! Existing security measures like the VPN negatively impact productivity by getting in the way of the user’s job, while a well crafted BeyondCorp system boosts productivity by automating security within the workflows people are used to.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT