We’ve just wrapped up a 5-city Meetup tour to learn more about how people perceive BeyondCorp, where they are in their own security initiatives, and what the blockers are to moving towards a zero trust model. Those 5 cities led to 500 personal conversations, from which I’d like to share a few reflections.
We’re past the awareness phase
When we first started advocating for BeyondCorp at ScaleFT just over a year ago, people often thought we were referring to Mr. Robot, or something totally obscure. When we run these Meetups now, the majority of attendees walk in well informed about Google’s own work and the BeyondCorp architecture, and are ready to dig into the nitty-gritty details. Oftentimes, that means fielding the tough questions, which I’m all for.
This is a positive sign, as it signals movement across the industry. The conversation has evolved from “that’s great for Google” to “what does this mean for me?” As I said when introducing my presentation on BeyondCorp Myths (which can be viewed on Slideshare), moving from the awareness phase to the discovery phase means we’re going to see a wide range of perspectives (and hot takes).
To me, the discovery phase means picking out some select use cases to work with. While BeyondCorp was a multi-year transformative project within Google, it doesn’t have to be that way for everyone else. Spend some cycles inspecting your environments to gain visibility into your existing security measures, then find the low-hanging fruit. That could be eliminating SSH keys in favor of client certificates, as Quid did with ScaleFT, or placing an internal web app behind an auth proxy, as you can do with our Access Fabric.
We agree on the positive outcomes
It’s important for all of us to remain outcome-oriented, which is thankfully very easy with BeyondCorp. “Hey, look at Google. It works!” I must say that there’s nothing quite like witnessing a well-choreographed room full of heads nodding when speaking about the positive security AND productivity outcomes of BeyondCorp. Now if only that were the case with my DJing, my career path might look a bit different. But I digress.
Here’s the thing about outcomes in this context, though. When looking at BeyondCorp purely through the lens of Google, it can easily appear out of reach. Again, we’re back to, “great for Google, but what does that mean for me?” Should we reach for the outcomes, or do we need to back into them?
I’d say it’s a combination of the two. Keep the outcomes in mind as you work through what your migration path looks like, but don’t lose sight of your priorities and the use cases you need to solve for. The good news is that there’s a ton of overlap, which means the work being done is driving towards the positive outcomes. As it always should, of course, but it’s worth calling out the distinction.
There are some gaps to close
Another presentation I gave on the tour was about The Adherence Gap, which can also be found on Slideshare. The overall thesis there is that BeyondCorp helps close the gap between a written policy and its enforcement in practice. That’s not the gap I’m referring to here. In this context, I mean there are some areas of improvement and clarification needed to reach the point where there’s a true BeyondCorp solution.
A comprehensive BeyondCorp implementation will impact a number of areas across an organization, including device management, identity governance, access controls, and inspection, to name a few. How it all fits together may involve some integration work, but that’s not an insurmountable task for your savvy architect. Where we received the most pushback over the course of the road show had to do with device attestation in a BYOD environment, and specifications/standards around access policies. No easy answer for either.
There’s certainly some work to be done, and the architecture will continue to evolve, but where there are gaps today there won’t be tomorrow, and they shouldn’t necessarily be blockers to getting started. The common analogy we use in this regard is not to try to summit Mt. Everest right away; get to base camp first. I’ll point back to the low-hanging fruit use cases mentioned earlier as the right place to start. An ecosystem is forming to deliver a cohesive solution, and there’s plenty to work with today to gain incremental improvements in security and productivity, which are the outcomes we’re really after.
The demand for community is real
Communities have formed around Google projects before, which in turn have formed ecosystems (Kubernetes), and even industries (Big Data). Are we on the verge of another mega movement spurred by Google? The quick answer is “yes, of course!”, but there are characteristics of this project that make the community aspect unique.
At its core, BeyondCorp is a reference architecture with a number of moving parts that are pieced together to form a security framework for all to follow. What often drives a groundswell is software and/or specifications to contribute to, which are still forming. I’m hopeful that gap gets closed through collaborative ecosystem efforts, but what we have today may lack the engagement factor that makes a hockey-stick Google Trends graph.
What I was most excited to find on this tour is how eager folks are to participate in “something,” were it to exist. The collective “we” of this community is in the discovery phase of this movement, actively working to close the gaps that get us towards mutually agreeable positive outcomes. So what comes after discovery? In my view, that’s engagement, which will result in that “something” being meaningful.
At ScaleFT, we are working towards creating more open specifications and standards, forming working groups, and mapping the ecosystem to help companies on the BeyondCorp path. We’re incredibly excited for the role we will play in the evolution of this community. We’re just as excited for the role you will play, so get involved!
The best way to keep up with all the community happenings is to subscribe to our weekly newsletter where we cover all things BeyondCorp.