As the leading advocate for BeyondCorp outside of Google, people come to us all the time asking how to get there without having to embark on a long, transformative journey. When looking at BeyondCorp purely through the lens of Google, it can appear daunting and out of reach. The good news is that you don’t have to be Google, or operate at Google scale, to get there. We’ve made it our core mission at ScaleFT to deliver the same outcomes to companies without having to go through the pains of building and operating such a complex distributed system themselves.
The most feasible path to BeyondCorp is to start small and focused with select use cases and protocols, and then expand further as the architecture and workflows are proven. A company that has started down this road with ScaleFT is Quid, a platform that searches, analyzes and visualizes the world’s collective intelligence to help answer strategic questions. To accomplish this, they have built many diverse internal tools and services, which employees need to access securely to get their jobs done. I spoke with Ryan Seekely, Director of Infrastructure and Security at Quid to learn how ScaleFT helps pave the way for their own BeyondCorp-inspired security architecture.
Developer Empowerment Means Clearing a Path
The core mandate for the infrastructure team at Quid is to help developers do their jobs more effectively by managing the operations, and implementing automated tooling. “We do everything in our power to make their development experience to get things from their laptops to production in the safest, quickest, fastest way possible, as easy as possible,” said Seekely. Traditional security controls can often be counterproductive to this mission, so the team has been looking for more modern cloud-native ways to enable secure productivity.
One of the most glaring blockers to that mandate is the traditional corporate VPN. Imagine that your engineering team builds out a suite of really powerful tools for everyone in the company to use, but they don’t because it requires a VPN to get in. That’s a situation many companies face, sometimes without even realizing it, but one that Quid looked to solve. “We’re looking for ways to escape that and be able to have everyone use our tools without having to be on a VPN,” said Seekely. “We saw Google’s BeyondCorp and it looked very appealing to us.”
Least Privilege Access with ScaleFT
Getting rid of the VPN doesn’t mean getting rid of the access controls; it just shifts where the smarts are placed. As part of their recent cloud migration, tighter environment isolation was a top priority. “We’re trying to make sure that nothing can talk to anything else unless we explicitly give it permission to do so,” said Seekely. “That means, all the way down to server level, we can’t allow somebody to have access to a server unless we know why they’re there, we have access logs that they were there, and we know what they were doing.”
Seekely and team designed a resilient AWS environment with multiple accounts, multiple VPCs, and multiple security groups. In true defense-in-depth fashion, they even run firewalls on top of the security groups. The tight isolation of infrastructure resources is complemented with an access management layer backed by ScaleFT. This cloud-native architecture speaks well to their maturity as an infrastructure team, recognizing where to place the access controls and what role the network plays. According to Seekely, “We’re a little bit older as a company now, we can make some slightly wiser decisions as far as security and safety – ScaleFT being one of those.”
Using ScaleFT Server Access, developers and data scientists at Quid are able to log in to specific servers over SSH only when needed, through a streamlined environment that completely eliminates the need for credential management. “ScaleFT is very handy in that we can just go into a group in the backend and grant SSH access. They do what they need to do and then we remove them from the group. Everything is audited, and it’s pretty straightforward to manage,” said Seekely.
The infrastructure team deploys a number of hardened bastion hosts in front of each AWS account, which control SSH access. “We’re able to distribute permissions in a very fine grained way in that the developer only needs access to the actual development stack they’re working on, and not necessarily the whole keys to the kingdom,” Seekely said. Because the security properties are built into the workflows, the experience is seamless to the user, providing a secure environment without blocking work. “ScaleFT definitely came from a developer’s perspective, and you immediately solved a problem that presumably most companies have with access controls.”
“ScaleFT checks so many boxes for us. Least access is a very important thing for us going forward. ScaleFT makes that infinitely easier than what we were doing before.”
The Road to BeyondCorp
When your company has just gone through a cloud migration process, the notion of starting a whole new transformative process from scratch isn’t particularly attractive. Quid took the pragmatic approach and started with a specific use case: privileged access to servers. ScaleFT was a natural choice as the only privileged access management product on the marketplace built around the concepts of BeyondCorp. “It was very opportunistic for us,” said Seekely. “ScaleFT is at the right stage for us. We don’t need quite as much as Google, but we do need some of the basics, which ScaleFT has.”
ScaleFT is also maturing as a platform, with the recent introduction of ScaleFT Web Access, which delivers a BeyondCorp-inspired environment for managing access to internal web applications. ScaleFT Web Access is backed by a globally distributed Access Fabric – a real-time authorization engine that backs the streamlined HTTPS workflows. Access is granted based on configurable policies that factor in dynamic user and device conditions. The combination of Server Access and Web Access is the full realization of a BeyondCorp architecture, which can be consumed as a service only from ScaleFT.
We’re excited to be a partner to Quid in helping them achieve their own BeyondCorp-inspired architecture, helping increase productivity in a safe and secure manner. According to Seekely, “If a company like ScaleFT can help get us there, we’re 100% on the BeyondCorp model. We won’t be able to do it ourselves and I was very grateful to be able to see a company like ScaleFT come along and solve a lot of the hard parts. It’s not very often you get to read something that Google’s doing and say, ‘Hey, we can do that too now!’”
“ScaleFT put us in a position to play around and hang with the Google crowd. We’re pretty excited about that.”
After dabbling in the games industry and a couple of ventures of his own, Ryan Seekely has found his home at Quid helping build out the infrastructure and keeping both the company and its customers secure.
Quid builds software that augments human intelligence and enables organizations to make decisions that matter. Quid algorithms reveal patterns in large, unstructured datasets and then generate beautiful, actionable visualizations. Learn more at https://quid.com.