
BeyondCorp Seattle Meetup: Closing the Adherence Gap
Presentation given at a BeyondCorpSeattle Meetup on Jan 24th, 2018.


  1. BeyondCorp: Closing the Adherence Gap
     BeyondCorpSEATTLE Meetup - Jan 24th 2018
     Ivan Dwyer | @fortyfivan
  2. The Adherence Gap: A Written Policy That Isn’t Enforceable In Practice
  3. All Too Common Behaviors
     ● Sharing/committing passwords and keys
     ● Not revoking credentials when employees leave
     ● Giving contractors too much privileged access
     ● Connecting to resources using unpatched devices
     ● Not logging and/or monitoring user activity
     ● Not assigning role-based access controls
  4. Google Got It Right With BeyondCorp
     1 Connecting from a particular network must not determine which services you can access
     2 Access to services is granted based on what we know about you and your device
     3 All access to services must be authenticated, authorized, and encrypted
     Mission: To have every Google employee work successfully from untrusted networks without the use of a VPN
  5. A Zero Trust State of Mind
  6. Redefine Corporate Identity
     Is the user in good standing with the company?
     Does the user belong to the Engineering org?
     Is the user on Team A working on feature X?
     Is the device in inventory?
     Is the device’s disk encrypted?
     Is the device’s OS up to date?
     Identity = You + Your Device at a Point-in-Time
  7. Make Smarter Decisions in Context
     “You can’t submit source code from an unpatched device”
     “You can only reach the company wiki from a managed device”
     “Your disk must be encrypted to access the confidential file repository”
     “You can view the corporate phone directory from any device”
     Real-time trust attestation based on dynamic conditions
  8. Remove Trust From the Network
     [Diagram: the access controls take the request context through AuthN and AuthZ against the Access Policies and answer YES or NO, returning why the request was denied on NO]
     Centralize access controls at Layer 7 where policy can be enforced
  9. Eliminate Static Credentials
     ➔ Issue short-lived client certificates or web tokens to initiate secure sessions
     ➔ Inject metadata about the user and connecting device into the credential
     ➔ Limit each credential in scope and time, so that a stolen credential is useful only briefly and only for one resource
     Dynamic attestation needs a dynamic credential to match
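The short-lived, metadata-bearing credential of slide 9, as an added example written for this page rather than code from the deck or from any BeyondCorp implementation: an issuer signs the user and device claims together with a scope and an expiry, and the verifier rejects anything expired, out of scope, altered or malformed, returning the reason so the proxy can report it. The HMAC shared secret, the claim names and the sample user and device are constructed for the example; a production issuer would sign with an asymmetric key so the verifying proxy cannot mint credentials itself.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example only. A real issuer would use an asymmetric key
# so that the access proxy holds a verification key and no signing capability.
ISSUER_SECRET = b"example-issuer-secret-do-not-use"

# Constructed sample identity and device state, as an inventory/MDM would report them.
EXAMPLE_USER = {"email": "alice@example.com", "groups": ["engineering"]}
EXAMPLE_DEVICE = {"id": "laptop-42", "managed": True,
                  "disk_encrypted": True, "os_patched": False}


def b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used for compact tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(user, device, scope, ttl_seconds=300, now=None):
    """Mint a credential bound to one scope and a short lifetime, carrying
    a snapshot of the user and device state at issue time (slide 6's
    'you + your device at a point in time')."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "sub": user["email"],
        "groups": user["groups"],
        "device_id": device["id"],
        "device_managed": device["managed"],
        "disk_encrypted": device["disk_encrypted"],
        "os_patched": device["os_patched"],
        "scope": scope,
        "iat": now,
        "exp": now + ttl_seconds,
    }
    payload = b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(ISSUER_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64(sig)}"


def verify_credential(token, required_scope, now=None):
    """Return (claims, None) when the credential is acceptable for
    required_scope, otherwise (None, reason). The signature is checked
    before any claim is trusted, and the comparison is constant-time."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None, "malformed credential"
    expected = hmac.new(ISSUER_SECRET, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(sig)):
        return None, "bad signature"
    claims = json.loads(unb64(payload))
    if now >= claims["exp"]:
        return None, "credential expired"
    if claims["scope"] != required_scope:
        return None, f"credential scoped to {claims['scope']!r}, not {required_scope!r}"
    return claims, None


if __name__ == "__main__":
    tok = issue_credential(EXAMPLE_USER, EXAMPLE_DEVICE, "wiki", now=1000)
    print(verify_credential(tok, "wiki", now=1100))          # accepted within TTL
    print(verify_credential(tok, "wiki", now=1300))          # expired
    print(verify_credential(tok, "build-server", now=1100))  # wrong scope
```

Because the device state is frozen into the claims at issue time, a credential minted while the OS was unpatched still says so after the device is patched; that is why the TTL is minutes, not days: the policy engine re-reads fresh device state on the next issuance rather than trusting a stale snapshot.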
  10. Getting Started With BeyondCorp
  11. The Discovery Phase
      1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones
      2 Take an inventory of all company resources to protect - apps, databases, servers, etc.
      3 Take an inventory of all static credentials - shared passwords, ssh keys, etc.
      4 Diagram your system architecture and inspect traffic logs to understand behavior
      5 Monitor device state - is the software up to date? Is the disk encrypted?
  12. Write Job Stories for Your Use Cases
      Alice - Build Engineer: When a release is ready, I want to log in to the build server over ssh, so I can inspect the build logs.
      Bob - Recruiter: When I arrive at the office in the morning, I want to log in to the ATS, so I can review the day’s applicants.
      Behavioral patterns should influence how policies are framed
  13. Determine Your Policy Framework
      ➔ Role-based access controls
      ➔ User attributes
      ➔ Device state
      ➔ Location-based rules
      ➔ Time-based controls
      ➔ Team federation
      ➔ Resource-specific rules
      Trust Tiers: User and device metrics are analyzed and placed in a tier, which must meet or exceed the minimum tier associated with the resource
      Scoring System: User and device metrics are compiled into a score, which must meet or exceed the minimum level associated with the resource
      Assertions: User and device attributes and state are individually matched against an Access Policy, where all assertions must be true
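The contextual rules of slide 7 and the assertion framework of slide 13, as an added example written for this page (not code from the deck or from Google’s BeyondCorp): each resource lists the assertions that must all hold for the user-plus-device context of slide 6, and a denial carries every failed assertion so the Layer 7 proxy of slide 8 can say why the request was refused. A trust-tier evaluator over the same resources is included for contrast. The resource names, group names, assertion names and sample users and devices are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    id: str
    managed: bool          # in inventory and under management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class User:
    email: str
    active: bool           # in good standing with the company
    groups: frozenset


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str


# Assertion catalogue: name -> (human-readable statement, predicate over the request).
# The statement is what gets returned when the assertion fails.
ASSERTIONS = {
    "user_active":    ("user is in good standing",
                       lambda r: r.user.active),
    "managed_device": ("device is in inventory and managed",
                       lambda r: r.device.managed),
    "disk_encrypted": ("device disk is encrypted",
                       lambda r: r.device.disk_encrypted),
    "os_patched":     ("device OS is up to date",
                       lambda r: r.device.os_patched),
    "engineering":    ("user belongs to the Engineering org",
                       lambda r: "engineering" in r.user.groups),
}

# Per-resource policies paraphrasing slide 7 (constructed resource names).
# Every listed assertion must be true; anything unlisted is default deny.
POLICIES = {
    "phone-directory":    ["user_active"],
    "wiki":               ["user_active", "managed_device"],
    "confidential-files": ["user_active", "managed_device", "disk_encrypted"],
    "source-control":     ["user_active", "managed_device", "os_patched", "engineering"],
}


def evaluate(req: Request):
    """Assertion model: return (allowed, failed) where failed lists the
    statement of every assertion that did not hold, so the denial is explainable."""
    required = POLICIES.get(req.resource)
    if required is None:
        return False, ["no policy for resource; default deny"]
    failed = [ASSERTIONS[name][0] for name in required if not ASSERTIONS[name][1](req)]
    return (not failed), failed


# Trust-tier model over device state only (constructed tiers 0..3).
MIN_TIER = {"phone-directory": 0, "wiki": 1, "confidential-files": 2, "source-control": 3}


def device_tier(device: Device) -> int:
    """Collapse device posture into one ordinal; higher is more trusted."""
    if not device.managed:
        return 0
    if not device.disk_encrypted:
        return 1
    if not device.os_patched:
        return 2
    return 3


def evaluate_by_tier(req: Request):
    """Tier model: a single comparison, cheap to reason about but the
    denial reason no longer names which control was missing, and user
    attributes (group membership) are not part of the device tier at all."""
    need = MIN_TIER.get(req.resource)
    if need is None:
        return False, ["no tier configured for resource; default deny"]
    tier = device_tier(req.device)
    if tier >= need:
        return True, []
    return False, [f"device tier {tier} below required tier {need}"]


if __name__ == "__main__":
    alice = User("alice@example.com", active=True, groups=frozenset({"engineering"}))
    unpatched = Device("laptop-2", managed=True, disk_encrypted=True, os_patched=False)
    print(evaluate(Request(alice, unpatched, "source-control")))
    print(evaluate_by_tier(Request(alice, unpatched, "source-control")))
```

The two evaluators reach the same verdict for the unpatched laptop, but only the assertion model returns a denial message a user can act on. The tier model as written scores the device alone, so a recruiter on a fully compliant laptop would pass the source-control tier check; in practice a tier scheme has to be combined with user-attribute assertions, which is why many deployments end up with assertions as the base and tiers only as a convenience label.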
  14. Implement the Access Controls
  15. THANKS!! Get in touch: | @fortyfivan