3. Problems With the Perimeter
➔ The modern organization is no longer confined to the walls of the office - more employees
are remote, systems are running in the cloud, and business apps are SaaS-based
➔ Network-based security products such as the VPN don’t factor in context, don’t provide much
visibility into traffic, and deliver a poor end user experience
➔ Access controls are backed by static credentials that can be easily lost, stolen or misused -
effectively handing over the keys to the kingdom to anyone in possession
4. Google Got it Right With BeyondCorp
1 Connecting from a particular network must not determine which services you can access
2 Access to services is granted based on what we know about you and your device
3 All access to services must be authenticated, authorized, and encrypted
Mission: To have every Google employee work successfully
from untrusted networks without the use of a VPN
6. Key Outcomes for Google
➔ Eliminated the use of perimeter-based
network security controls – VPNs
➔ Streamlined end user experience for all
Google employees across the globe
➔ More visibility into employee activity to
identify behavioral patterns
➔ A 30% reduction in IT Support tickets
through a better user experience
8. Redefines Corporate Identity
Is the user in good standing with the company?
Does the user belong to the Engineering org?
Is the user on Team A working on feature X?
Is the device in inventory?
Is the device’s disk encrypted?
Is the device’s OS up to date?
Identity = You + Your Device at a Point-in-Time
9. Makes Smarter Trust Decisions
“You can’t submit source code from an
unpatched device”
“You can only reach the company wiki
from a managed device”
“Your disk must be encrypted to access
the confidential file repository”
“You can view the corporate phone
directory from any device”
Real-time trust attestation based on dynamic conditions
10. Centralizes Access Controls at Layer 7
Close the adherence gap by mapping enforcement to policy
[Diagram: request context flows into the Access Controls (AuthN, AuthZ), which evaluate it against the Access Policies and answer YES or NO; a NO is returned together with why the request was denied]
11. System is Backed by Ephemeral Credentials
➔ Issue short-lived client certificates or web
tokens to initiate secure sessions
➔ Metadata about the user and connecting
device can be injected into the credential
➔ Each credential is limited in scope and time, so a stolen or hijacked one is useful only
briefly and only for the service it was issued for
Dynamic attestation needs a dynamic credential to match
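An added example (not code from the deck or from ScaleFT) of the credential shape slide 11 describes: a short-lived bearer token scoped to a single service, carrying attested device metadata, signed by the issuer. The token format is JWT-like but hand-rolled here so the block is self-contained; the issuer key, user, device state and service names are constructed sample values, and a real deployment would use a vetted JWT or certificate library.

```python
# Added example: short-lived, scoped credential with user + device claims.
# Not the original deck's code; key and sample values are constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a symmetric key shared between the issuer and the access proxy.
ISSUER_KEY = b"constructed-demo-key-do-not-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_credential(user, device, audience, ttl_seconds=600, now=None):
    """Mint a credential bound to one service and a short lifetime.

    `device` is the device state the access proxy attested at issuance
    time; it rides along in the claims so the service receiving the
    credential can re-check it without a second inventory lookup.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "sub": user,
        "aud": audience,            # scope: one service, not "the network"
        "iat": now,
        "exp": now + ttl_seconds,   # lifetime measured in minutes, not months
        "jti": secrets.token_hex(8),
        "device": device,
    }
    header = {"alg": "HS256", "typ": "demo"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_credential(token, expected_audience, now=None):
    """Return the claims if the token is authentic, unexpired and scoped
    to this service; otherwise return None."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    signing_input = f"{head_b64}.{claims_b64}".encode()
    expected = hmac.new(ISSUER_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None                      # tampered claims or wrong issuer
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("aud") != expected_audience:
        return None                      # valid for some other service only
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None                      # a perfect copy still dies at exp
    return claims


if __name__ == "__main__":
    tok = issue_credential("alice", {"managed": True, "disk_encrypted": True}, "wiki")
    print(verify_credential(tok, "wiki"))             # claims dict
    print(verify_credential(tok, "source-control"))   # None: wrong audience
```

Two checks carry the slide's point: the audience check means a credential lifted from one session cannot be replayed against a different service, and the expiry check bounds how long it is worth stealing at all. Revoking before expiry would additionally require the proxy to track `jti` values, which this example omits.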
12. Improves Overall Security Posture
➔ Keep devices up-to-date with the latest software
➔ Maintain an inventory of employee devices
➔ Monitor all endpoints & log all traffic
➔ Only communicate over fully encrypted channels
➔ Incorporate multi-factor auth
➔ Eliminate the use of static credentials
When security is usable, it becomes a business enabler
13. How to Achieve Your Own BeyondCorp-inspired Architecture
14. Collect Your Relevant Data
1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones
2 Take an inventory of all company resources to protect - apps, databases, servers, etc.
3 Take an inventory of all static credentials - shared passwords, ssh keys, etc.
4 Diagram your system architecture and inspect traffic logs to understand behavior
5 Monitor device state - is the software up to date? Is the disk encrypted?
15. Determine the Right Policy Framework
➔ User attributes
➔ Device attributes
➔ Location-based rules
➔ Time-based controls
➔ Groups and Roles
➔ Team federation
➔ Resource specific rules
Trust Tiers
User and device metrics are analyzed and placed in a tier
which must match the minimum tier associated with the
resource
Scoring System
User and device metrics are compiled and granted a
score which must match the minimum level associated
with the resource
Assertions
User and device attributes and state are individually
matched against an Access Policy where all assertions
must be true
16. Write Job Stories to Understand Your Users
Alice - Build Engineer
When a release is ready, I want to login to the build
server over ssh, so I can inspect the build logs.
What if a request from Alice to the build server comes
from a laptop during a non-release time?
Bob - Recruiter
When I arrive at the office in the morning, I want to login
to the ATS, so I can review the day’s applicants
What if a request from Bob to a finance app comes from
outside the office during the evening?
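An added example, not code from the deck, that ties slide 15's Assertions model and Trust Tiers to slide 16's job stories: a policy evaluator where every assertion attached to a resource must hold, one of those assertions being a minimum device trust tier derived from device state. It answers the two "what if" questions above and, in the spirit of slide 10, returns the reason for a denial. Resource names, groups, tier labels and the release calendar are constructed sample values; note that `source_network` is recorded on the request but deliberately never consulted by any policy.

```python
# Added example: assertion-based access policy with device trust tiers.
# Not the original deck's code; resources, groups and dates are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class User:
    name: str
    groups: frozenset
    in_good_standing: bool = True


@dataclass
class Device:
    managed: bool          # present in the device inventory
    disk_encrypted: bool
    os_patched: bool


@dataclass
class Request:
    user: User
    device: Device
    resource: str
    at: datetime
    source_network: str    # logged for visibility; deliberately NOT a policy input


def utc_time(year, month, day, hour):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Trust tiers, lowest to highest, derived from device state alone.
TIER_ORDER = ("untrusted", "managed", "managed-patched")


def device_tier(d: Device) -> str:
    if not d.managed:
        return "untrusted"
    if d.disk_encrypted and d.os_patched:
        return "managed-patched"
    return "managed"


def tier_at_least(actual: str, minimum: str) -> bool:
    return TIER_ORDER.index(actual) >= TIER_ORDER.index(minimum)


# An assertion is (description, predicate over the request); the description
# doubles as the denial reason shown to the user.
def in_group(group):
    return (f"user in group {group}", lambda r: group in r.user.groups)


def min_tier(tier):
    return (f"device tier at least {tier}",
            lambda r: tier_at_least(device_tier(r.device), tier))


def between_hours(start, end):
    return (f"request between {start:02d}:00 and {end:02d}:00 UTC",
            lambda r: start <= r.at.hour < end)


GOOD_STANDING = ("user in good standing", lambda r: r.user.in_good_standing)

# Assumed release calendar (constructed); a real deployment would query it.
RELEASE_WINDOWS = [(utc_time(2024, 5, 1, 0), utc_time(2024, 5, 2, 0))]
IN_RELEASE_WINDOW = ("request during a scheduled release window",
                     lambda r: any(s <= r.at < e for s, e in RELEASE_WINDOWS))

# Resource-specific policies in the shape of the trust statements on slide 9.
POLICIES = {
    "phone-directory": [GOOD_STANDING],                         # any device
    "wiki": [GOOD_STANDING, min_tier("managed")],               # managed device only
    "build-server-ssh": [GOOD_STANDING, in_group("engineering"),
                         min_tier("managed-patched"), IN_RELEASE_WINDOW],
    "ats": [GOOD_STANDING, in_group("recruiting"), min_tier("managed")],
    "finance-app": [GOOD_STANDING, in_group("finance"),
                    min_tier("managed-patched"), between_hours(7, 20)],
}


def evaluate(req: Request):
    """Return (allowed, failed_assertions). Unknown resources fail closed."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, [f"no access policy defined for {req.resource}"]
    failed = [desc for desc, check in policy if not check(req)]
    return not failed, failed


if __name__ == "__main__":
    alice = User("alice", frozenset({"engineering"}))
    laptop = Device(managed=True, disk_encrypted=True, os_patched=True)
    print(evaluate(Request(alice, laptop, "build-server-ssh", utc_time(2024, 5, 10, 10), "internet")))
```

Because every failed assertion is collected rather than stopping at the first, the denial Alice sees off-schedule names the release window, and Bob's evening request to the finance app is refused for both the missing group and the time of day, which is the kind of feedback slide 10 calls for. Adding a network-based rule would be a one-line change, and the fact that none of the policies need one is the point of slide 4's first principle.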
18. Recommendations
1 You don’t have to build the whole system yourself - leverage solutions for the hard parts
2 Be selective with the environments you support - operating systems, protocols, etc.
3 Start with simple global coarse-grained access policies before getting too fine-grained
4 Start migrating cloud native applications to the new environment first
5 Keep your network controls in place until the new access controls are fully implemented
19. A Few Predictions
➔ A new category of Cloud Native solution providers are emerging that are disrupting the
legacy security companies who focus primarily on strengthening perimeter security
➔ Defined market categories such as IAM and PAM will converge into a single Access
Management category that works across privileged and nonprivileged users
➔ The VPN market is going to be significantly impacted as more companies shift towards a Zero
Trust model that places less (or no) emphasis on network protection as a security measure
20. THANKS!!
Get in touch: ivan.dwyer@scaleft.com | @fortyfivan
www.scaleft.com
www.beyondcorp.com