We closed out the first round of our BeyondCorp road show last week with a great event in Austin, Texas. Joining me to present was Wendy Nather from Duo Security, who has been a strong advocate in the community for BeyondCorp. Many thanks to her for giving a stellar presentation, and another thanks to Lee Slaughter from F5 Networks, and Jason Garbis from Cyxtera for presenting in Seattle and Boston respectively.
I’ve had time to digest from the road show, and wanted to share some personal reflections on what I learned from meeting and conversing with the community. I’m extremely excited about the enthusiasm, and look forward to building this community even further!
Here are a few additional things that caught my eye this past week.
Telemetry and Modern Workspaces: A Three-Headed Hound [The Security Diary]
Here’s an incredibly well written piece that speaks to the importance of visibility into the network and the endpoints through telemetry. What I really like about this article is the reference to BeyondCorp reflects how humans interact with computers, which is a key reason the architecture is better from a security and productivity perspective.
Over half of remote workers spend up to one day a week connected to unsecured networks [Fresh Business Thinking]
This study conducted by OneLogin highlights a few of the key reasons VPNs are breaking down in the modern cloud era. The VPN experience leaves users either attempting to work around the controls, or giving up entirely. Neither are good outcomes. As the article clearly states, “In short, a VPN doesn’t support productivity, it compromises it.”
Is Identity the New Perimeter? In a Zero-Trust World, More CISOs Think So [GovTechWorks]
Here’s more promising evidence that security executives are adopting a Zero Trust mindset. In the context of government, the model is usually presented as an insider risk mitigation tool. This is certainly true, however I do hope the productivity angle is considered. If the notion of Zero Trust means having to login to systems every 10 seconds with many factors, that could lead to some unhappier government employees. Something to watch, for sure.
Zero trust approach to application security and critical infrastructure protection [SC Magazine]
Speaking of government, here’s a recent document from Homeland Security that covers the problems with network security architectures. Naturally, this is very much in the context of risk mitigation, but it is encouraging that even at this level, there is consensus that the perimeter approach is no longer effective on its own. Many of the recommendations put forth here are still very centered on protecting the network itself, but it does set the tone for a new architecture.
USENIX Enigma 2018 - LISA: A Practical Zero Trust Architecture [YouTube]
I had to miss the Usenix Conference this year, but am glad to be able to catch some of the talks on YouTube. It was great to see Bryan Zimmer, formerly of Netflix, walk through their internal implementation of a Zero Trust architecture. As you can see, there are some similarities with BeyondCorp, and some differences, but the motivations and outcomes line up well. Further proof that you can look to BeyondCorp as a guide, but don’t have to do it exactly the same way Google did.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT