The big news of the week so far is clearly the acquisition of GitHub by Microsoft, which was unsurprisingly met with the widest range of reactions. Personally, I think it is a great outcome for the company and industry, as well as a reminder of what it takes to sustain a software business.
Moving right along, you may recall from the past few newsletters that we’ve put out an open call for community participation amongst infrastructure and security practitioners working on Zero Trust within their own organizations. The health and growth of this community comes from everyone sharing their beliefs and their own progress, so that we are collectively learning and moving forward. Interestingly enough, this is historically not a common trait of the security industry. I have noticed through our events and interactions, however, that people are more willing to share their security practices with the public. What’s changed? I believe there are two key contributing factors:
As IT has transformed from a cost center to a business enabler, individual practitioners with forward-thinking ideas have become industry influencers outside of their respective niche working groups. The past decade has minted a wealth of Cloud & DevOps influencers, and we’re now seeing the same with Security professionals. This draws out folks who may have been hesitant to share in the past.
Promoting a positive security posture has become a badge of honor for many companies. Look at how Google has championed BeyondCorp as a key differentiator of their enterprise cloud business. For most companies, Zero Trust is still in the early days, but there is still reason to showcase good security posture outside of pure compliance certifications, especially with the extra focus on data protection these days.
This rise of individuals and organizations promoting better security practices is what we aim to elevate through our many community initiatives. You can always stay up-to-date with what’s happening through this newsletter, and I will continue to put the open call out for you to get involved.
On that note, we started a new podcast series called BeyondCast. We kicked it off in style last week with a leading advocate of Zero Trust, Dr. Chase Cunningham of Forrester Research. Make sure to follow us on SoundCloud to get notified of new episodes. To participate in an episode yourself, reply to this email directly, or send a note to firstname.lastname@example.org to schedule a time for a brief interview.
I gave a quick preview a couple weeks ago with a Twitter screenshot, and now the event has been formally published. Our friends at Square are hosting their recurring SqR00t event in San Francisco with the theme BeyondCorp and Zero Trust. The stellar lineup of speakers includes folks from Square, Lyft, Duo, and ScaleFT. These events are always top-notch, so be sure to RSVP by June 15th to get on the ever so exclusive guest list.
It’s also worth mentioning that Square is hiring for their InfoSec team, with a callout to BeyondCorp knowledge in the job req. Talk about a solid opportunity!
Here are a few other things that caught my eye this past week.
The Virtuous Circle between Security Culture and Security Behavior [InfoSecurity Magazine]
The success or failure of an organization so often comes down to its culture. In that vein, security teams who are only concerned with passing compliance are missing the meaning behind their work. Aligning top-level goals with desired behaviors helps close the adherence gap, which only comes from a culture of open communication and information sharing.
Simplify Login with Application Load Balancer Built-in Authentication [AWS News Blog]
Here’s an interesting new feature from AWS with hints of BeyondCorp in it. I say hints because it is missing much of what makes BeyondCorp unique – dynamic user and device trust attestation – but this ALB feature is a step in the right direction by fronting resources with a reverse proxy that performs authentication. This is similar to what Google Cloud offers with their Identity-Aware Proxy, but works across different Identity Providers.
Protect your management interfaces [NCSC]
This brief, published by the National Cyber Security Centre about a year ago, was recently brought to my attention. When talking about the resources that a BeyondCorp-style system is intended for, these types of internal management interfaces are atop the list. Good advice here; however, I’ll shamelessly plug the way ScaleFT does it via this example blog post – How to Deploy a BeyondCorp-Style Web App Behind the ScaleFT Access Fabric.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT