BeyondCorp Seattle Meetup: Closing the Adherence Gap
BeyondCorp Seattle Meetup - Jan 24th 2018
Ivan Dwyer | @fortyfivan
The Adherence Gap: A Written Policy That Isn’t Enforceable In Practice
All Too Common Behaviors
● Sharing/committing passwords and keys
● Not revoking credentials when employees leave
● Giving contractors too much privileged access
● Connecting to resources using unpatched devices
● Not logging and/or monitoring user activity
● Not assigning role-based access controls
Google Got it Right With BeyondCorp
1 Connecting from a particular network must not determine which services you can access
2 Access to services is granted based on what we know about you and your device
3 All access to services must be authenticated, authorized, and encrypted
Mission: To have every Google employee work successfully
from untrusted networks without the use of a VPN
Redefine Corporate Identity
Is the user in good standing with the company?
Does the user belong to the Engineering org?
Is the user on Team A working on feature X?
Is the device in inventory?
Is the device’s disk encrypted?
Is the device’s OS up to date?
Identity = You + Your Device at a Point-in-Time
Make Smarter Decisions in Context
“You can’t submit source code from an
“You can only reach the company wiki
from a managed device”
“Your disk must be encrypted to access
the confidential file repository”
“You can view the corporate phone
directory from any device”
Real-time trust attestation based on dynamic conditions
Remove Trust From the Network
Why the request was denied
Centralize access controls at Layer 7 where policy can be enforced
Eliminate Static Credentials
➔ Issue short-lived client certificates or web
tokens to initiate secure sessions
➔ Inject metadata about the user and connecting
device into the credential
➔ Limit each credential in scope and time, so that a
stolen credential is useful only briefly and only for one resource
Dynamic attestation needs a dynamic credential to match
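One way to mint the kind of credential described above, as an added example rather than code from the talk: an HMAC-signed token in the style of a JWT, issued for a single audience and a five-minute window, whose claims carry the user and device-posture attributes an access proxy would evaluate. The issuer key, the claim names, the lifetime and the sample user and device records are assumptions for illustration.

```python
"""Short-lived credential carrying user and device metadata.

Added example, not code from the talk: an HMAC-signed token in the style
of a JWT, minted for a single audience and a five-minute window, whose
claims carry the user and device-posture attributes an access proxy
would evaluate. The issuer key, claim names and lifetime are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed issuer key for the example; a real issuer keeps this in a KMS/HSM.
ISSUER_KEY = b"example-issuer-key-rotate-me"
DEFAULT_TTL = 300  # seconds; short enough that a leaked token is of little use

# Constructed sample records standing in for the identity provider and the device inventory.
SAMPLE_USER = {"id": "alice", "org": "engineering"}
SAMPLE_DEVICE = {"serial": "C02EXAMPLE", "managed": True, "disk_encrypted": True, "os_current": True}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, device, audience, ttl=DEFAULT_TTL, now=None):
    """Mint a credential bound to one user, one device, one audience and a short window."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": user["id"],
        "org": user["org"],
        "dev": device["serial"],            # ties the session to an inventoried device
        "dev_managed": device["managed"],
        "dev_encrypted": device["disk_encrypted"],
        "dev_patched": device["os_current"],
        "aud": audience,                    # scope: which resource may accept it
        "iat": now,
        "exp": now + ttl,                   # time limit
    }
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_token(token, audience, now=None):
    """Return (claims, None) when the token is valid for this audience now, else (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        sig_bytes = _unb64url(sig)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error is a ValueError)
        return None, "malformed"
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):  # verify before trusting any claim
        return None, "bad signature"
    claims = json.loads(_unb64url(body))
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, None


if __name__ == "__main__":
    tok = issue_token(SAMPLE_USER, SAMPLE_DEVICE, "wiki")
    print(verify_token(tok, "wiki"))
    print(verify_token(tok, "build-server"))
```

The proxy in front of each resource verifies the signature first, then the audience, then the expiry, so a token lifted from one session cannot be replayed against a different resource or after its window closes, and the device claims give the proxy the posture facts to evaluate without a second lookup.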
The Discovery Phase
1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones
2 Take an inventory of all company resources to protect - apps, databases, servers, etc.
3 Take an inventory of all static credentials - shared passwords, ssh keys, etc.
4 Diagram your system architecture and inspect traffic logs to understand behavior
5 Monitor device state - is the software up to date? Is the disk encrypted?
Write Job Stories for Your Use Cases
Alice - Build Engineer
When a release is ready, I want to log in to the build
server over ssh, so I can inspect the build logs.
Bob - Recruiter
When I arrive at the office in the morning, I want to log in
to the ATS, so I can review the day’s applicants.
Behavioral patterns should influence how policies are framed
Determine Your Policy Framework
➔ Role-based access controls
➔ User attributes
➔ Device state
➔ Location-based rules
➔ Time-based controls
➔ Team federation
➔ Resource specific rules
Three ways to evaluate a policy:
➔ Tier-based: user and device metrics are analyzed and placed in a tier
which must match the minimum tier associated with the
➔ Score-based: user and device metrics are compiled and granted a
score which must match the minimum level associated
with the resource
➔ Assertion-based: user and device attributes and state are individually
matched against an Access Policy where all assertions
must be true
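The context-dependent decisions quoted earlier ("only from a managed device", "disk must be encrypted", "from any device") and the assertion model just described, as an added example that is not the speaker's code: each resource carries a list of named assertions over user attributes and device state, every one must be true, and a denial reports which assertion failed. The coarser tier model sits beside it so the two deny paths can be compared. Resource names, attribute names, tier boundaries and the sample records are assumptions for illustration.

```python
"""Policy evaluation for a BeyondCorp-style access proxy.

Added example, not the speaker's code: the assertion model (every named
assertion over user attributes and device state must be true) next to the
coarser tier model, so the two deny paths can be compared. Resource names,
attribute names and the sample records are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Context:
    """What the proxy knows about the requester at the moment of the request."""
    user: dict
    device: dict


# Named assertions: each is a predicate over the request context.
ASSERTIONS = {
    "user_active": lambda c: c.user.get("status") == "active",
    "in_engineering": lambda c: c.user.get("org") == "engineering",
    "device_in_inventory": lambda c: c.device.get("in_inventory") is True,
    "device_managed": lambda c: c.device.get("managed") is True,
    "disk_encrypted": lambda c: c.device.get("disk_encrypted") is True,
    "os_up_to_date": lambda c: c.device.get("os_up_to_date") is True,
}

# Resource-specific rules in the spirit of the slide's examples: all listed assertions must hold.
POLICIES = {
    "phone-directory": ["user_active"],                                   # viewable from any device
    "wiki": ["user_active", "device_in_inventory", "device_managed"],      # managed device only
    "confidential-files": ["user_active", "device_in_inventory", "device_managed", "disk_encrypted"],
    "source-control": ["user_active", "in_engineering", "device_in_inventory",
                       "device_managed", "disk_encrypted", "os_up_to_date"],
}


def evaluate(resource, ctx):
    """Assertion model: return (allowed, failed_assertions); unknown resources are denied."""
    required = POLICIES.get(resource)
    if required is None:
        return False, ["no policy for resource"]
    failed = [name for name in required if not ASSERTIONS[name](ctx)]
    return not failed, failed


def device_tier(device):
    """Tier model: collapse device state into one ordinal trust level."""
    if device.get("in_inventory") is not True:
        return 0  # unknown device
    if device.get("managed") is not True:
        return 1  # inventoried but unmanaged
    if not (device.get("disk_encrypted") is True and device.get("os_up_to_date") is True):
        return 2  # managed but posture incomplete
    return 3  # fully compliant


# Minimum device tier per resource. The tier model cannot say "encrypted but
# possibly unpatched", so confidential-files has to require the top tier.
RESOURCE_MIN_TIER = {"phone-directory": 0, "wiki": 1, "confidential-files": 3, "source-control": 3}


def evaluate_tier(resource, ctx):
    """Tier model: return (allowed, reason); note the reason is coarser than the assertion list
    and user-role assertions such as in_engineering are not expressed at all."""
    required = RESOURCE_MIN_TIER.get(resource)
    if required is None:
        return False, "no policy for resource"
    if not ASSERTIONS["user_active"](ctx):
        return False, "user not active"
    tier = device_tier(ctx.device)
    if tier < required:
        return False, f"device tier {tier} below required {required}"
    return True, ""


if __name__ == "__main__":
    # Constructed sample: an engineer on a managed laptop whose OS update is overdue.
    stale = Context({"status": "active", "org": "engineering"},
                    {"in_inventory": True, "managed": True, "disk_encrypted": True, "os_up_to_date": False})
    print(evaluate("source-control", stale))
    print(evaluate_tier("source-control", stale))
```

The assertion model is the one that can tell the user why the request was denied ("os_up_to_date" failed) and what to fix; the tier model only reports a number, and anything the tier does not encode, such as the user's org, has to be bolted on separately.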