The RSA Conference has come and gone, leaving a wake of shenanigans as it swept through the streets of San Francisco. As a small company in the vast security industry landscape, one of our challenges is standing out amidst the noise (and million dollar budgets). While we certainly could have posted up a booth at the conference, we decided to do something a bit different and host our own event.
In the spirit of community, we held a one-day event dubbed the BeyondCorp Community Lounge, where we invited a number of security practitioners to participate in a series of Q&As about what they’re working on, what they’re facing, and what their beliefs are. We were fortunate to reserve space at the fabulous 111 Minna Gallery for the day, which brought in quite the engaging crowd.
It was my role to facilitate the Q&As, and I was pleased to walk away with a wealth of knowledge and perspective on all things infrastructure and security related. BeyondCorp is the community theme that brings us together, but there’s so much more to it than just regurgitating the points from Google’s research papers. It’s about getting together to share ideas and pose questions, so that we are collectively moving towards better security practices at our own organizations.
We assembled quite the all-star lineup of infrastructure and security professionals for an action-packed day of content. For those who couldn’t attend, we recorded each session for you to watch on your own. Enjoy!
Evan Gilman - Engineer at Scytale - Service identity for a containerized world
We kicked things off with a long-time friend of the community, and the author of the O’Reilly book Zero Trust Networks, Evan Gilman. Evan is in a new role at Scytale.io, working to bring the SPIFFE standard for workload identity to market.
Evan and I spent some time discussing how Zero Trust has evolved from a fresh topic to a hot industry topic in no time at all. I remember when he and Doug Barth (co-author) were writing the book, wondering if there would be an audience. Here we are a year later, and Zero Trust is a dominant message across the industry. That’s a positive signal, but it does mean we have to be careful what we’re looking at.
I wanted to make sure Evan got to talk about his new work, so we quickly moved on to the challenges developers face dealing with identity across distributed workloads. We talk so much about identity in a Zero Trust system as a user plus a device at a point-in-time, but what about the services that make up a distributed application? This is how SPIFFE came to be – an open standard for workload identity. The project was recently accepted into the Cloud Native Computing Foundation. I’m incredibly excited about the work Evan is doing, and encourage everyone to follow the progress of the SPIFFE project.
“Even the acknowledgement that this is something that we should generally be doing is awesome” - Evan Gilman
Evan Johnson - Security at Segment - AWS security best practices
Next up was someone new to the BeyondCorp community – Evan Johnson from Segment. I reached out to Evan because I’m a huge fan of Segment, and I enjoyed a recent article of his about managing multiple AWS accounts. Segment has always been transparent about their engineering practices, and I’m glad we were able to get Evan to our event to learn more.
We talked about some of the implementation details and challenges with regards to least privilege access on AWS - setting IAM policies, managing secrets, etc. A key takeaway from our conversation is how important it is to fully grok the shared responsibility model of the cloud. It’s really easy to fall victim to any one of the attack vectors by exposing something to the public that you weren’t supposed to. I appreciate how Evan and his team approach cloud security – they focus on implementing the right environment that is secure, first and foremost, but also friendly to the end user.
I had to ask Evan about BeyondCorp, and he brought up the most common point of feedback – how do you manage all of the devices across an organization? This is something we come across in conversation all the time because enforcing managed devices is such a key component of Google’s success with BeyondCorp. Where does that leave companies who don’t have a device inventory system, or want to support BYOD? There is work to be done in this regard, and I’m hopeful for projects like osquery that lower the bar to device inspection, but in the meantime I always point out that it’s a policy decision on your part how far you wish to take device posture. BeyondCorp is an architecture that lets a near infinite number of factors feed into the authorization decision, but it doesn’t require all of them. You might be best off starting with basic RBAC as you design the system, because that gets you used to the architecture. As you get more comfortable with the workflows, you can introduce more attributes to evaluate, which could include more advanced device policies.
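As an added illustration (not code from the event, from Google or from ScaleFT), here is a small Python policy evaluator that starts as plain RBAC and then layers device posture attributes onto the same request, only for the resources you decide are sensitive; the role table, resource names and posture fields are constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample role table (assumption, for illustration only).
ROLE_PERMISSIONS = {
    "developer": {"ssh:bastion", "web:ci"},
    "admin": {"ssh:bastion", "ssh:prod-db", "web:ci", "web:billing"},
}

@dataclass
class Request:
    user: str
    roles: frozenset
    resource: str
    # Empty until a device inventory or agent supplies posture data.
    device: dict = field(default_factory=dict)

def rbac_allows(req: Request) -> bool:
    """Stage 1: a pure role check, the place the text suggests starting."""
    return any(req.resource in ROLE_PERMISSIONS.get(r, set()) for r in req.roles)

def device_attrs_allow(req: Request, sensitive: frozenset) -> tuple[bool, str]:
    """Stage 2: extra attributes evaluated on the same request. Only sensitive
    resources demand posture, so teams without a full device inventory still
    get working RBAC for everything else."""
    if req.resource not in sensitive:
        return True, "posture not required"
    d = req.device
    if not d.get("managed"):
        return False, "unmanaged device"
    if not d.get("disk_encrypted"):
        return False, "disk not encrypted"
    if d.get("os_patch_age_days", 999) > 30:  # missing data is treated as stale
        return False, "os patches older than 30 days"
    return True, "posture ok"

def authorize(req: Request,
              sensitive: frozenset = frozenset({"ssh:prod-db", "web:billing"})
              ) -> tuple[bool, str]:
    """Role check first; device posture is only consulted once RBAC passes."""
    if not rbac_allows(req):
        return False, "role lacks permission"
    return device_attrs_allow(req, sensitive)
```

Tightening the policy is then a matter of adding a field to the posture check or moving a resource into the sensitive set, without changing how requests reach the evaluator.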
“We’ve been slowly tightening screws on developers while we build tools to help them replace their previous bad workflow with something that they like” - Evan Johnson
Marc Rogers - Chief Security Officer at ScaleFT - Security as a business enabler
I was especially excited about this session because just days earlier, ScaleFT announced that Marc Rogers was joining the company as our Chief Security Officer. Marc had been an advisor for some time, and a strong community advocate, participating in a number of our local BeyondCorp Meetups.
Now Marc is as good as anyone I’ve ever seen at breaking down complex topics into crystal clear soundbites, and this session was as chock full of goodies as ever. What I really appreciate about Marc, aside from his white hat hacking stories, is the way he promotes security as a business enabler. In our conversation, he spoke to the principles of DevOps as a guide for security, where proper automation can clear paths for secure productivity, while effectively blocking bad behaviors.
One point of Marc’s that I really liked was that Zero Trust is like “Take 2 of security”. Defense in depth has been an industry mantra for some time, but has unfortunately been poorly handled due to the ties to the perimeter. Only now do we have the right architecture to implement security controls with actual intelligence. That’s why we focus so much on the underlying architecture of BeyondCorp - without it, we wouldn’t be able to gain the observability needed to make smart decisions. Marc is always looking at what’s next, so we’re all fortunate to have him as a member of this community.
“Good security is something that enables people to do what they need to do in a frictionless way, but with intelligence” - Marc Rogers
Ryan Seekely - Infrastructure and Security (formerly at Quid) - The path to BeyondCorp
Showcasing examples of companies outside of Google who have successfully gone down the BeyondCorp path is a big part of this community. While in transition to another company, we were fortunate to bring back Ryan Seekely to share more about his work to adopt BeyondCorp at Quid – which is a marquee case study for ScaleFT as well.
Ryan does a fantastic job of demystifying BeyondCorp. It’s a model that made sense to him for solving specific use cases like SSH access, so he just went ahead and did what he needed to do, plain and simple. The timing was spot on, as Quid was in the process of a cloud migration, allowing him to adopt new ideas in stride. An interesting tidbit that Ryan shared is that nobody in the company even noticed when he cut off the VPN. That’s because they rolled out BeyondCorp in stages, selecting specific use cases and teams one at a time. By migrating users to the new workflows in a clear manner, by the time they switched off the VPN, it was completely transparent.
Ryan’s work at Quid is validation that BeyondCorp is achievable for smaller companies, which is something we advocate for across the community. It wouldn’t be a viable movement if you had to be like Google to do it, so the more we hear stories like Quid’s, the better. We wish Ryan the best of luck in his new endeavor, and hope to see him back with more stories to share.
“The most times I was successful at my job was because it became easier in a way, not because I just dumped something on the developers” - Ryan Seekely
David Guo - Software Engineer at Coursera - Moving Beyond SSH Keys
Another prime example of a smaller company moving towards BeyondCorp is Coursera, and we were fortunate to have David Guo join us to discuss his role across Infrastructure and Security. As is the case with Quid, Coursera is a marquee case study for ScaleFT.
Similar to Ryan, David does a great job demystifying BeyondCorp. Coursera followed a similar path as Quid – solving for SSH access first and foremost, then moving towards additional use cases. When you think about how Coursera operates, with instructors across the globe essentially working as contractors, you can quickly see how VPNs become a real pain point. Access controls aren’t just about your employees, they’re about everyone (and everything) that needs to get to your apps and systems. Following the least privilege principle backed by ephemeral credentials is a solid way to protect from insider threats.
David also brought up a great point about making sure he and his team kept their focus on things that were good for the business. All too often we see infrastructure and security engineers place too much effort in building tools that are not core to the business. It’s easy to get caught up in the DIY mentality, but one after-effect that doesn’t get mentioned enough is the amount of resources it takes to maintain those tools. What happens when your best engineers are stuck maintaining internal tools?
“When we did the entire exercise with what we would look like with a VPN, what kind of guardrails we would have to have, it was insane” - David Guo
Kuba Sendor - Software Engineer at Yelp - Journey to BeyondCorp one step at a time
After hearing a couple of success stories, we got to hear from someone who is looking to get started down the road – and with a much more complex environment. I first met Kuba Sendor from Yelp when we were both speakers at a Bay Area Cyber Security Meetup, and it was great to have him join our event to share what he’s working on.
What I especially appreciated about speaking with Kuba is how fearlessly he accepts ownership of the challenges he is facing in the hopes of improving the lives of the entire Yelp workforce. I’d say that Yelp represents both ends of the spectrum in terms of the company profiles who are most attracted to BeyondCorp. On one end, there’s a fast moving tech company with the need to keep pushing, and on the other end, there’s a large enterprise with a long history of process and compliance to preserve. Kuba and his team have to balance the speed of being a cloud native startup with the safety of a regulated enterprise.
The journey to BeyondCorp may be different for Yelp than it was for Quid and Coursera, but there is consistency in the desired outcome of eliminating VPNs as the core access mechanism. Kuba and his team are starting where they should – closely inspecting the current environments to gain a solid understanding of the use cases they need to support. With that level of observability, they will be able to confidently migrate select use cases and users towards a new model. I do hope that talking through some of the challenges he’s facing, and hearing from a few of the other folks, helps Kuba in his work, and I’m sure we’ll hear more about Yelp’s path to BeyondCorp in future community events.
“The problem that we have right now when it comes to VPNs is that it’s really the wild, wild west” - Kuba Sendor
Robert Chiniquy - Co-Founder & Engineer at ScaleFT - Why authorization is a Layer 7 decision
Closing things out was a fantastically off-the-cuff chat with one of the ScaleFT co-founders, Robert Chiniquy. I always appreciate speaking with Robert because of all the ‘wow!’ moments I experience. I’m fortunate to get to do that on a daily basis, so this was a great opportunity to extend that privilege to the community.
My original thought was to have Robert explain the technical reasons for making authorization a Layer 7 decision, but we blew right through that as a given, and dug into the root of trust (pun intended). I don’t believe I can do this conversation justice by commentary alone, so I suggest you watch and take away what you will. By design, we left our conversation open ended, so the discussion could continue into the afternoon portion of the event.
“We can build software to facilitate it, but at the end of the day someone has to lead change in the organization to make it real” - Robert Chiniquy
Getting Started with ScaleFT
At ScaleFT, we aim to make BeyondCorp achievable through our community efforts, and consumable through our software solutions. Our Zero Trust Access products provide BeyondCorp-like controls for privileged accounts and web apps. To see ScaleFT in action, sign up for a free 30-day trial or request a demo.