As the community leaders around BeyondCorp, running a number of local Meetups among many other activities, we’ve heard first hand from professionals of all kinds what BeyondCorp means to them, the challenges they are facing, and what they’re doing about it.
When we first started hosting Meetups last year, the primary goal was to raise awareness – educating the community about what BeyondCorp was, and how Google went about transforming their corporate security architecture. A year later, I can confidently say that we’re past that – it’s time to get down to brass tacks.
For BeyondCorp to be successful as a movement, we have to extract value from Google’s internal implementation, and make each other successful within our own organizations. The question now becomes, “great for Google, but what does this mean for me?” If last year was the awareness phase, meet this year’s focus - discovery.
In that spirit, we held a panel discussion during a BeyondCorpSF Meetup, hosted at the fabulous Heavybit Industries. We assembled an all-star panel of expert practitioners eager to talk about the real-world implications of BeyondCorp, and how to get started down the path. Joining me on stage were:
- Marc Rogers: Head of Information Security at CloudFlare (@marcwrogers)
- Patrick Albert: Security Engineering at AppDynamics (@xphreckx)
- Ryan Seekely: Director of Infrastructure and Security at Quid (@seekely)
BeyondCorp is true defense-in-depth
The headline is clear – nobody likes VPNs. Aside from the poor user experience and painful configuration, they force an eggshell approach to security: hard on the outside, soft once you’re in. With BeyondCorp, security is no longer a binary decision based on network presence alone; we can incorporate granular access controls from the perspective of the endpoints and assets themselves. This allows us to enforce true defense-in-depth beyond simply bolstering the perimeter.
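To make that point concrete, here is an added illustration of my own (not code from the post, the panelists, or Google’s implementation): a toy access decision that records the source IP for audit but never consults it, and instead grants access from the user’s identity, the device’s inventory state and the sensitivity of the resource. The policy table, the trust tiers, the 30-day patch window and the sample users and devices are all constructed for the example.

```python
"""Toy BeyondCorp-style access decision. Everything here is constructed for
illustration; it is not the post's or Google's code."""
from dataclasses import dataclass
from datetime import date, timedelta
import json

PATCH_WINDOW_DAYS = 30  # constructed threshold: older patch levels drop a trust tier


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # present in the device inventory (assumed attested by an agent)
    disk_encrypted: bool
    last_patched: date


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class AccessRequest:
    user: User
    device: Device
    resource: str
    source_ip: str         # logged for audit only; never consulted for the decision


# Constructed policy: resource -> (group that may reach it, minimum device tier)
POLICY = {
    "wiki.corp.example":    ("employees", 1),
    "payroll.corp.example": ("finance", 2),
    "ssh.prod.example":     ("sre", 3),
}


def device_tier(device, today):
    """Map inventory facts to a trust tier; an unknown device gets tier 0."""
    if not device.managed:
        return 0
    tier = 1
    if device.disk_encrypted:
        tier = 2
        if today - device.last_patched <= timedelta(days=PATCH_WINDOW_DAYS):
            tier = 3
    return tier


def decide(req, today):
    """Return (allowed, reason, audit_record). The outcome depends on who the
    user is and what state the device is in, not on where the packet came from."""
    policy = POLICY.get(req.resource)
    tier = device_tier(req.device, today)
    if policy is None:
        allowed, reason = False, "unknown resource"
    else:
        group, min_tier = policy
        if group not in req.user.groups:
            allowed, reason = False, f"user not in group {group}"
        elif tier < min_tier:
            allowed, reason = False, f"device tier {tier} below required {min_tier}"
        elif min_tier >= 2 and not req.user.mfa_verified:
            allowed, reason = False, "MFA required for this resource"
        else:
            allowed, reason = True, "policy satisfied"
    # One structured audit record per decision, whether allowed or denied
    audit = {
        "user": req.user.username,
        "device": req.device.device_id,
        "device_tier": tier,
        "resource": req.resource,
        "source_ip": req.source_ip,
        "allowed": allowed,
        "reason": reason,
    }
    return allowed, reason, audit


# Constructed sample identities and devices
TODAY = date(2017, 6, 1)
ALICE = User("alice", frozenset({"employees", "sre"}), mfa_verified=True)
BOB = User("bob", frozenset({"employees"}), mfa_verified=False)
PATCHED_LAPTOP = Device("lt-0001", True, True, date(2017, 5, 20))
STALE_LAPTOP = Device("lt-0002", True, True, date(2017, 2, 1))
BYOD_PHONE = Device("unknown", False, False, date(2017, 5, 31))


def demo():
    """Run four constructed requests; returns the list of allow/deny outcomes."""
    cases = [
        AccessRequest(ALICE, PATCHED_LAPTOP, "ssh.prod.example", "203.0.113.7"),  # off-network, allowed
        AccessRequest(ALICE, STALE_LAPTOP, "ssh.prod.example", "10.0.0.5"),       # on the LAN, still denied
        AccessRequest(BOB, PATCHED_LAPTOP, "wiki.corp.example", "10.0.0.9"),      # low-sensitivity, allowed
        AccessRequest(BOB, BYOD_PHONE, "wiki.corp.example", "10.0.0.9"),          # unmanaged device, denied
    ]
    results = []
    for req in cases:
        allowed, _reason, audit = decide(req, TODAY)
        print(json.dumps(audit))
        results.append(allowed)
    return results


if __name__ == "__main__":
    demo()
```

The second case is the one worth noticing: the request arrives from the corporate LAN and is still refused, because the device’s patch level is out of the window. A network-perimeter model would have waved it through.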
The architecture lets security (finally) become an enabler
Security and speed have traditionally been in conflict, with security often perceived as a blocker to productivity. The desire for security to be a business enabler has been there for some time, but only now is the architecture catching up to the point where it’s possible. For newer, cloud-native companies like Quid, BeyondCorp is second nature, but what about larger companies? Thankfully the past decade of cloud evolution and migrations has done much of the leg work for enterprises to adopt BeyondCorp as their core security architecture.
Get to base camp first (but BeyondCorp isn’t necessarily the summit)
I often refer to the first step on the BeyondCorp path as “base camp”. That could mean different things to different people based on priorities and desired outcomes. For some, like Ryan at Quid, it starts with a use case like SSH access. For others, like Patrick at AppDynamics, it starts with a learning exercise like gaining visibility into endpoints and networks. Where things get interesting is looking beyond BeyondCorp (no pun intended). The ability to identify behavioral patterns enables more proactive security controls, as opposed to purely reactive ones. BeyondCorp provides the foundation to do so, but there’s more to build.
Security as a SaaS is inevitable (and welcome)
Traditional security is painful and expensive because we end up having to buy a bunch of appliances that will be out-of-date soon after being installed (if they even make it that far). The BeyondCorp architecture allows companies of all kinds to build robust security without breaking the bank. The key is the delivery model, and SaaS makes security easy to consume and adopt. For smaller companies like Quid, SaaS is really the only option. Larger companies will need to get past the stigma of using services for security, but it’s only a matter of time if we look at how cloud adoption has grown. One thing to mention for the vendors – don’t just make it easy to consume the product, make it easy to buy. Things like charging extra for features like 2FA are really a security anti-pattern, and don’t lead to a friendly buying experience.
BeyondCorp makes compliance easier to audit (but the checklist needs a refresh)
Here’s your regular reminder that compliance does not equate to security. My past few presentations at BeyondCorp Meetups have been about what I refer to as the Adherence Gap – a written policy that isn’t enforceable in practice. Again, what makes BeyondCorp stand out in this regard is how the architecture itself enables better security by design, built into the underlying workflows themselves. It will take some time, however, for the auditors to catch up, as most compliance controls follow traditional models (that don’t always work). The good news is that the security outcomes that come with BeyondCorp – up-to-date devices, eliminating static credentials, audited access logs, etc. – are achieved, which is what true practitioners care about most.
The panel uncovered a ton of gold, and I hope to continue the conversation throughout the community. As always, if you’d like to participate in any of our events, want to share your own experiences, or have questions about BeyondCorp in practice, don’t hesitate to reach out to me directly (@fortyfivan).