I was fortunate to attend last week’s Rocky Mountain InfoSec Conference in Denver. It was my first time attending, and I was pleased with the diversity of the audience and the depth of content across the attendees and speakers. A couple of standout sessions for me were a DevOps Engineer from Distil Networks explaining in detail how he built their corporate PKI using a number of open source tools, and then a few local government folks covering their harrowing experience monitoring systems during election night. Sounded like a blast!
During a humorous opening day panel session, a call to the industry as a whole was made - let’s work towards solutions that actually eliminate threat vectors, not just those that further uncover vulnerabilities. We spend so much time blaming the user, but at the end of the day, we’re not delivering usable products that get the job done. The age old critique of the pharmaceutical industry comes to mind - there’s more money in the treatment than the cure. What will it take to shift the conversation towards actual prevention?
One of the reasons why I’m such an advocate of Zero Trust is that it’s not ‘yet another product’ to drop in, it’s a fresh architecture that both enables and encourages better security posture within a company. As it turns out, removing trust from the network means taking the proper steps to secure systems the right way. There are products associated with the model, of course, but the idea is to take a holistic view of how employees access sensitive resources, and build workflows accordingly. This impacts more than just the company network – it gets to the heart of how Identity is governed, how users and devices are authenticated, and how individual requests are authorized.
While Zero Trust is still a relatively new idea in the industry, we have Google’s BeyondCorp to look at as evidence that it’s achievable… and that it works. That’s what I came to Denver to talk about.
BeyondCorp: Google Security for Everyone Else
My afternoon session on BeyondCorp packed the room, which is always a good feeling as a speaker. Before diving into the content, I asked for a show of hands of anyone who had heard of BeyondCorp before. I’d say about 10-20% of the room raised their hands, and many came up to me afterwards saying that it was their first encounter with the topic. Awareness is growing, but there’s still plenty to go before it’s common knowledge.
My goal with the session was to go beyond retelling the history and fundamentals of BeyondCorp – I really wanted to take a closer look at Zero Trust as a whole to determine where and how companies other than Google can benefit. Again, BeyondCorp is Google’s implementation of Zero Trust, so my motivation in sharing about their experience is to show evidence that it’s achievable and that it works.
Why Zero Trust Matters
We’re lucky to be able to look at Zero Trust through the lens of Google’s BeyondCorp because we can catch a glimpse of the outcomes before making any strong commitments. This makes the decision to move in this direction an easier pill to swallow. The headline-worthy outcome of eliminating the VPN may be how Google presents BeyondCorp, but there’s more to it than that. At a very high level, I’d break it down to:
- A better definition of Corporate Identity that aligns with how employees operate today – Identity = You + Your Device at a Point in Time
- Access decision making is done with the right contextual information, factoring in the dynamic nature of employees and their devices
- Centralized access controls provide better visibility into employee activity
- A company’s security posture naturally improves as a by-product of enforcing access controls
- You can eliminate one of the most common attack vectors: static credentials
How to Get Started
On the flip side, the challenge of looking at Zero Trust through the lens of Google is that it may appear to be too daunting a task. The good news is that the steps that move you in this direction are likely things you’re already doing – or at least thinking about doing.
- Take an inventory of employee devices to check if the software is up-to-date
- Take an inventory of your systems and applications to understand how they are being accessed
- Take an inventory of all the credentials being used to access company resources (shared passwords, API keys, SSH keys, etc.)
- Create a diagram of your entire system architecture to understand traffic flows
- Implement monitoring and logging across your system to understand user behavior
With a better understanding of your system, your employees, and the devices they’re using, you are immediately in a better place to implement stronger authentication procedures and dynamic authorization models in line with the principles of Zero Trust.
There are a number of solutions on the marketplace to help you get to this state – fleet management services, endpoint protection services, logging/monitoring tools, etc. These aren’t specific to Zero Trust, but they help get you on the right path.
It’s really the central Access Gateway that ties the architecture together, and is what makes a system Zero Trust. This is where ScaleFT fits, with our Zero Trust Access Management platform.
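To make the "Identity = You + Your Device at a Point in Time" idea concrete, here is a small access-gateway decision function I've added as an illustration; it is not ScaleFT's or Google's code. It assumes a device inventory that reports whether a device is managed, patched and encrypted, a per-resource minimum trust tier, and a maximum age for the user's last authentication; all of those names, tiers and values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Tuple


@dataclass
class Device:
    device_id: str
    managed: bool        # enrolled in the device inventory at all
    os_patched: bool     # software up-to-date per the fleet inventory
    disk_encrypted: bool


@dataclass
class Request:
    user: str
    device: Device
    resource: str
    authenticated_at: datetime  # when the user last proved who they are
    now: datetime               # the point in time of this request


# Constructed policy: each resource requires a minimum device trust tier.
RESOURCE_TIER = {"wiki": 1, "source-repo": 2, "prod-db-admin": 3}
MAX_AUTH_AGE = timedelta(hours=8)  # constructed re-authentication window


def device_tier(d: Device) -> int:
    """Derive a trust tier from device posture; an unknown device gets tier 0."""
    if not d.managed:
        return 0
    return 1 + int(d.os_patched) + int(d.disk_encrypted)


def evaluate(req: Request) -> Tuple[bool, str]:
    """Allow only when user, device posture and authentication age all pass."""
    required = RESOURCE_TIER.get(req.resource)
    if required is None:
        return False, f"unknown resource {req.resource!r}: default deny"
    if req.now - req.authenticated_at > MAX_AUTH_AGE:
        return False, "authentication too old: re-authenticate"
    tier = device_tier(req.device)
    if tier < required:
        return False, f"device tier {tier} below required tier {required}"
    return True, f"{req.user} on {req.device.device_id} (tier {tier}) allowed"


def decide(user, resource, managed, os_patched, disk_encrypted, auth_age_hours):
    """Convenience wrapper that builds a request against a fixed, constructed clock."""
    now = datetime(2017, 5, 15, 9, 0, tzinfo=timezone.utc)
    dev = Device(f"laptop-{user}", managed, os_patched, disk_encrypted)
    req = Request(user, dev, resource, now - timedelta(hours=auth_age_hours), now)
    return evaluate(req)
```

The same user is allowed or denied depending on the device they are on and when they last authenticated, which is exactly the dynamic, per-request authorization the list above describes.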
All in all, it was a great conference to attend, and I expect to be back next year. After such an action-packed event, it’s too bad we couldn’t take a quick break over the weekend – the news about WannaCry hit before anyone had a chance to decompress. No rest for the wicked, I guess :)