We brought our BeyondCorp road show to Seattle last week, and I have to say, it was our best one yet! That’s not meant to diminish any other Meetups we’ve held, but rather to reinforce that people all over really care about this, and are curious about the community developments. It was our first event in a new city – a city I haven’t visited in nearly 10 years – yet we managed to pack the room with security practitioners eager to share their thoughts, and discuss what they were working on at their own companies. It was refreshing that when I asked the audience who had heard of BeyondCorp before, and who had read any of the papers, everyone raised their hand – although, one person did admit to me later that he had only skimmed one of the papers. Fine, I’ll allow it :)
To kick things off, we had another off-the-record story from the trenches, this time from ScaleFT Co-Founder and VP of Engineering, Russell Haering. As the title suggests, you really had to be there, but as with our previous Meetup, the story resonated with the crowd, catching a few laughs (and cringes). Following that was a great talk by Lee Slaughter from F5 Networks, who covered why the perimeter is breaking down, and how centralized access controls help solve the many challenges security teams face today. His presentation can be found here. After that, I gave a talk about closing the Adherence Gap: building automation that encourages the enforcement of smarter policy decisions. My presentation can be found here.
The central theme for our road show is to help organizations achieve the same positive security and productivity outcomes as Google, without having to be Google and build it yourself. This means sharing the right use cases to start with, tips & tricks for the implementation, and technology choices. In that spirit, we’re hosting another Meetup next Wednesday in San Francisco at Heavybit Industries. For this special event, we’ve assembled a panel of respected industry practitioners who know a thing or two about what it takes to run security at an organization. We have Marc Rogers from CloudFlare, Patrick Albert from AppDynamics, and a couple more to be announced shortly. I’ll moderate (and quickly get out of the way). I encourage those in the area to come out for this one. It will no doubt be a lively discussion, and a great opportunity to meet other folks who share similar beliefs about the future of security. RSVP here and mark your calendar!
Here are a few additional things that caught my eye this past week.
What ZTX means for vendors and users [Forrester]
Forrester, who originally coined the term Zero Trust, is back with more, this time getting into real-world implementations with what they refer to as Zero Trust Extended (ZTX). This is further evidence that the industry is picking up the model and now looking to make it a reality. In this post, Chase Cunningham maps the technologies and solutions to the framework’s pillars.
In Praise of Swarming [Dan North]
Here’s a long-form post that covers organizational transformation, and the dangers of being religiously tied to a specific framework. That may sound counter to BeyondCorp, but remember that we look to Google as evidence that the model works, not necessarily that you have to copy their every move. Look at the outcomes you want, and pick the right use cases and technologies to get you there.
Wrangling Backoffice Security in the Cloud Age [Securosis]
Over a year ago, the good folks at Securosis wrote about a number of Tidal Forces: technology trends with a lasting impact on security. They are back with more analysis of those trends, further reinforcing their beliefs. Most notable in my opinion is SaaS as the new backoffice. They focus on the security implications, so I’ll pose the question: why not deliver security as a service too?
CISOs face mounting technology and organizational challenges [SecurityInfoWatch]
While the title reads a bit obvious, this article does speak to Zero Trust as the right approach to tackling the numerous challenges a CISO faces. This shows that the conversation is moving further up the chain, which is a positive sign for future enterprise adoption. It’s our job as champions and influencers to make the right case to the business owners.
Selling Cloud-Based Cybersecurity to a Skeptic [DarkReading]
On the flipside, there are still plenty of naysayers with regard to cloud security. This article speaks to a study conducted by MIT Sloan, which showed that businesses are hesitant to move to the cloud despite believing the transformation is critical. The problem is looking at it like an all-or-nothing thing. The best cloud migrations over the past decade were taken in stride, setting up the right environment for the right workloads. It makes sense to treat security in a similar fashion; however, one thing you can’t do in any shift is leave gaps.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT