For many years, the RSA Conference has been the security event that best represented the whole of the vendor ecosystem – good and bad. Those who dare enter the expo hall are met with an onslaught of swag and pitches, where the former justifies the latter. This year was no exception, with hundreds of vendors, sessions, and parties spread out over the week. The agenda was so deep that OneLogin built a dedicated website just for all the parties.
To avoid getting lost in the shuffle, Google held a satellite event just down the street at their Developer Launchpad, where they delivered two days of presentations and panels related to security. As a partner of Google, and the leading voice promoting BeyondCorp, we set up shop there instead of the main RSA Conference. Along with leaders within Google, they invited folks from companies including CoreOS, Docker, Duo, Fastly, Foxpass, Okta, Ping, and ScaleFT.
As a company that encourages other organizations to “Run Security Like Google”, gaining deeper insight into Google’s internal security efforts reinforces our mission. As mentioned in a prior post of mine, Google is keen to share its own practices as a business driver and competitive advantage for both Google Cloud and G Suite. During the kickoff presentation, Robin Mestre gave an overview of security at Google, which covered four key points:
- Trust through transparency – your data remains yours
- Defense in depth, by default at scale – an integrated end-to-end security stack
- Leverage the power of identity – multiple checks for every action
- Run security like Google – use the best to stay safe and go fast!
Taking a closer look at the ‘power of identity’, recent IAM-related product announcements point to Google moving deeper into the identity space. Identity is a valuable thing to own – just look at Facebook and LinkedIn, which own your personal and professional identity respectively. Enterprise identity has largely been dominated by Microsoft with Active Directory, but the cloud has changed the game significantly, opening up the opportunity for a new leader. Google certainly has the resources to go head-to-head for enterprise identity, with G Suite and Google Cloud Platform covering the full spectrum of enterprise resources. As they say in VC land, watch this space.
Identity & Access Panel Discussion
Bringing additional viewpoints to the topic, Chris Law of Google moderated a panel discussion around Identity & Access that included ScaleFT CTO and Co-Founder, Paul Querna, Ash Devata of Duo Security, Karl McGuinness of Okta, and Patrick Harding of Ping Identity. It was a lively discussion with a few points that stood out.
The multi-factor experience
One point that everyone agreed on is that multi-factor auth is a must – effectively table stakes for any organization serious about its security practices. Patrick Harding from Ping declared that, “A password has no value… I honestly assume it’s going to be compromised at some point.”
The challenge with MFA to date has always been the poor user experience, which can break or disrupt a workflow. TOTP apps and security keys certainly help, but there is some catching up to be done on the implementation side if we are to cross the chasm.
Auth policy standards
As it often does, talking about industry standards brought out a range of opinions. In this context specifically, we’re talking about policies for accessing protected resources. Paul Querna pointed out that both GCP and AWS have prescriptive languages for IAM, but they are not interchangeable, which further contributes to cloud lock-in. Is it possible for the industry to standardize? Adoption is obviously key – for example, SAML has been successful because Google and Salesforce adopted it, so others caught on.
While we may be able to agree on a standard format for specifying coarse-grained policies, such as a group’s write privileges to a cloud storage directory, it becomes nearly infinitely complex when dealing with fine-grained policies specific to a resource, such as database field-level permissions for a specific user. There is a balance to be found, but it will vary from company to company based on the depth of their complete landscape.
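To make the coarse-versus-fine distinction concrete, here is a small added example (not code from this post, from ScaleFT, or from any of the panelists’ companies) that takes one vendor-neutral description of the grant discussed above, “a group may write under a storage prefix”, and renders it into the shape AWS IAM and GCP IAM each expect. The `Grant` class, the `to_aws`/`to_gcp` functions, the verb-to-vocabulary tables, and the bucket, prefix, group and domain names are all assumptions constructed for the illustration; the vendor identifiers used (`s3:PutObject`, `roles/storage.objectCreator`, the `resource.name.startsWith` IAM Condition) are real, but the translation itself is not any standard. The fine-grained case (a database column for one user) deliberately has no rendering, because neither storage IAM language has a slot for it.

```python
"""One neutral coarse-grained grant, rendered into AWS IAM and GCP IAM form.

Added example for this post. Grant, to_aws, to_gcp and the neutral verb
tables are assumptions made for the illustration, not a vendor SDK or an
industry standard. Bucket, prefix, group and domain names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    principal_email: str  # "devs@example.com" (constructed); treated as a group below
    action: str           # neutral verb: "read" or "write"
    kind: str             # "storage" (coarse-grained) or "db-field" (fine-grained)
    resource: str         # "bucket/prefix/" for storage, "table.column" for db-field


# These verb -> vendor vocabulary tables are exactly the part with no industry
# standard behind them: each cloud names and scopes the same right its own way.
AWS_ACTIONS = {"read": ["s3:GetObject"], "write": ["s3:PutObject"]}
GCP_ROLES = {"read": "roles/storage.objectViewer", "write": "roles/storage.objectCreator"}


class UnexpressibleGrant(ValueError):
    """The grant has no counterpart in the target IAM language."""


def _split_storage(grant):
    """Return (bucket, prefix) for a storage grant; refuse anything finer."""
    if grant.kind != "storage":
        raise UnexpressibleGrant(
            f"{grant.kind!r} permissions (e.g. a database column) are not modelled "
            "by the cloud's storage IAM; they live in the database engine's own GRANTs"
        )
    bucket, _, prefix = grant.resource.partition("/")
    return bucket, prefix


def to_aws(grant):
    """Return (iam_group_name, identity-based policy document).

    In AWS the principal is whatever the policy is attached to, so it sits
    outside the document; the IAM group name is taken from the local part of
    the e-mail (an assumption for this example).
    """
    bucket, prefix = _split_storage(grant)
    group = grant.principal_email.split("@")[0]
    document = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": AWS_ACTIONS[grant.action],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }
    return group, document


def to_gcp(grant):
    """Return a bucket-level IAM binding.

    GCP puts the member inside the binding, and a predefined role applies to
    the whole bucket, so narrowing to a prefix needs an IAM Condition.
    """
    bucket, prefix = _split_storage(grant)
    binding = {"role": GCP_ROLES[grant.action],
               "members": [f"group:{grant.principal_email}"]}
    if prefix:
        binding["condition"] = {
            "title": f"limit-to-{prefix.rstrip('/')}",
            "expression": (f'resource.name.startsWith("projects/_/buckets/{bucket}'
                           f'/objects/{prefix}")'),
        }
    return binding


if __name__ == "__main__":
    import json
    coarse = Grant("devs@example.com", "write", "storage", "builds/nightly/")
    print(json.dumps(to_aws(coarse), indent=2))
    print(json.dumps(to_gcp(coarse), indent=2))
    fine = Grant("alice@example.com", "read", "db-field", "customers.ssn")
    try:
        to_gcp(fine)
    except UnexpressibleGrant as err:
        print("fine-grained grant:", err)
```

The same intent lands in two structurally different documents (principal outside versus inside, action lists versus roles, ARN wildcards versus a CEL condition), which is the lock-in Paul Querna described; and the moment the resource is a database column rather than a storage prefix, the translator has nothing to emit, which is why a cross-vendor standard for fine-grained policy is so much harder than one for coarse-grained policy.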
Intelligent decision making
You can’t hold a conversation in 2017 without machine learning and/or artificial intelligence coming up. The question posed on this panel was whether or not ML/AI will have an impact on the products we build, and the user experiences we present. The initial reaction was that there may be improvements to our backend systems, but no noticeable difference in the user experience.
After hashing it out a bit, however, the tone shifted in favor of improved UX. Given that a key part of access management has to do with making intelligent accept or deny decisions, the better a system is at recognizing patterns, the more streamlined the workflows will be. Where we have to continue to be careful is not letting the system be gamed by bad actors, as the same technologies used to build better intelligence are also being used to build better attacks.
All in all, Google put on a solid event that was more focused and personal than what could be found at the main RSA Conference. Many thanks to the Google Cloud team for inviting ScaleFT as a sponsor, and for including us in the sessions.