Ivan Dwyer, profile picture
Uploaded byIvan Dwyer
345 views

BeyondCorp: Closing the Adherence Gap

BeyondCorp is Google's zero trust architecture that allows employees to work from untrusted networks without using a VPN. It automates good security practices by making access decisions based on who the user is, what device they're on, and other dynamic factors. This eliminates issues like shared credentials and unpatched devices accessing resources. The key aspects of BeyondCorp are removing network trust, using short-lived credentials, and centralizing authentication and authorization based on real-time trust evaluations of users and their devices. The presentation provides recommendations for organizations to implement their own zero trust architecture, such as taking an inventory, understanding use cases, defining policy frameworks, and starting with simple access controls before getting more granular.

Technology
Related topics:
IT Security

Embed presentation

Downloaded 14 times
BeyondCorp: Closing the Adherence Gap CloudAustin Meetup - Dec 7th 2017 Ivan Dwyer | @fortyfivan
The Adherence Gap: A Written Policy That Isn’t Enforceable In Practice
All Too Common Behaviors ● Sharing/committing passwords and keys ● Not revoking credentials when employees leave ● Giving contractors too much privileged access ● Connecting to resources using unpatched devices ● Not logging and/or monitoring user activity ● Not assigning role based access controls
What if instead of always blaming the user… We engineer a solution that automates the encouragement of making good choices?
Google Got it Right With BeyondCorp 1 Connecting from a particular network must not determine which services you can access 2 Access to services is granted based on what we know about you and your device 3 All access to services must be authenticated, authorized, and encrypted Mission: To have every Google employee work successfully from untrusted networks without the use of a VPN
A Zero Trust State of Mind
Redefine Corporate Identity Is the user in good standing with the company? Does the user belong to the Engineering org? Is the user on Team A working on feature X? Is the device in inventory? Is the device’s disk encrypted? Is the device’s OS up to date? Identity = You + Your Device at a Point-in-Time
Make Smarter Decisions in Context “You can’t submit source code from an unpatched device” “You can only reach the company wiki from a managed device” “Your disk must be encrypted to access the confidential file repository” “You can view the corporate phone directory from any device” Real-time trust attestation based on dynamic conditions
Remove Trust From the Network Access Controls Why the request was denied request context NO YES Access Policies AuthN AuthZ Centralize Layer 7 Authentication and Authorization
Eliminate Static Credentials ➔ Issue short-lived client certificates or web tokens to initiate secure sessions ➔ Inject metadata about the user and connecting device into the credential ➔ Limit each credential in scope and time, making it near impossible to hijack Dynamic attestation needs a dynamic credential to match
How To Get Started With Your Own Zero Trust Architecture
Collect Your Relevant Data 1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones 2 Take an inventory of all company resources to protect - apps, databases, servers, etc. 3 Take an inventory of all static credentials - shared passwords, ssh keys, etc. 4 Diagram your system architecture and inspect traffic logs to understand behavior 5 Monitor device state - is the software up to date? Is the disk encrypted?
Write Job Stories to Understand Your Use Cases Alice - Build Engineer When a release is ready, I want to login to the build server over ssh, so I can inspect the build logs. Bob - Recruiter When I arrive at the office in the morning, I want to login to the ATS, so I can review the day’s applicants. Behavioral patterns should influence how access is managed
Determine Your Policy Framework ➔ User attributes ➔ Device attributes ➔ Location-based rules ➔ Time-based controls ➔ Groups and Roles ➔ Team federation ➔ Resource specific rules Trust Tiers User and device metrics are analyzed and placed in a tier which must match the minimum tier associated with the resource Scoring System User and device metrics are compiled and granted a score which must match the minimum level associated with the resource Assertions User and device attributes and state are individually matched against an Access Policy where all assertions must be true
Implement the Access Controls
Recommendations 1 You don’t have to build the whole system yourself - leverage solutions for the hard parts 2 Be selective with the environments you support - operating systems, protocols, etc. 3 Start with simple global coarse-grained access policies before getting too fine-grained 4 Start migrating cloud native applications to the new environment first 5 Keep your network controls in place until the Layer 7 controls are fully implemented
The ScaleFT Access Fabric a globally distributed real-time authorization CDN capable of making intelligent trust decisions at the edge Learn more at: www.scaleft.com/access-fabric
THANKS!! Get in touch: ivan.dwyer@scaleft.com | @fortyfivan www.scaleft.com www.beyondcorp.com

More Related Content

PDF
BeyondCorp and Zero Trust
byIvan Dwyer
 
PDF
BeyondCorp and Zero Trust
byIvan Dwyer
 
PDF
BeyondCorp - Google Security for Everyone Else
byIvan Dwyer
 
PDF
BeyondCorp New York Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
BeyondCorp Seattle Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
How Zero Trust Changes Identity & Access
byIvan Dwyer
 
PDF
BeyondCorp Austin Meetup: BeyondCorp Myths Busted
byIvan Dwyer
 
PDF
BeyondCorp Myths: Busted
byIvan Dwyer
 
BeyondCorp and Zero Trust
byIvan Dwyer
 
BeyondCorp and Zero Trust
byIvan Dwyer
 
BeyondCorp - Google Security for Everyone Else
byIvan Dwyer
 
BeyondCorp New York Meetup: Closing the Adherence Gap
byIvan Dwyer
 
BeyondCorp Seattle Meetup: Closing the Adherence Gap
byIvan Dwyer
 
How Zero Trust Changes Identity & Access
byIvan Dwyer
 
BeyondCorp Austin Meetup: BeyondCorp Myths Busted
byIvan Dwyer
 
BeyondCorp Myths: Busted
byIvan Dwyer
 

What's hot

PPTX
How to Overcome Network Access Control Limitations for Better Network Security
byCryptzone
 
PPTX
COSAC 2021 presentation - AWS Zero Trust
byFrans Sauermann
 
PPTX
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
bycentralohioissa
 
PPTX
Jack Nichelson - Information Security Metrics - Practical Security Metrics
bycentralohioissa
 
PDF
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
byGovernment Technology & Services Coalition
 
PDF
CSA SV Threat detection and prediction
byVishwas Manral
 
PPTX
Zscaler ThreatLabz dissects the latest SSL security attacks
byZscaler
 
PDF
Zero trust in a hybrid architecture
byHybrid IT Europe
 
PDF
Extending Amazon GuardDuty with Cloud Insight Essentials
byAlert Logic
 
PPTX
Bil Harmer - Myths of Cloud Security Debunked!
bycentralohioissa
 
PPTX
Simplifying Security Management in the Virtual Data Center
byAlgoSec
 
PPTX
How sdp delivers_zero_trust
byZscaler
 
PPTX
Jason Kent - AppSec Without Additional Tools
bycentralohioissa
 
PPTX
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
bycentralohioissa
 
PDF
How VPNs and Firewalls Put Your Organization at Risk
byCyxtera Technologies
 
PDF
Gavin Hill - Lessons From the Human Immune System
bycentralohioissa
 
PDF
How Google Protects Its Corporate Security Perimeter without Firewalls
byPriyanka Aash
 
PPTX
Lisa Guess - Embracing the Cloud
bycentralohioissa
 
PDF
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
bycentralohioissa
 
PDF
Robert Hurlbut - Threat Modeling for Secure Software Design
bycentralohioissa
 
How to Overcome Network Access Control Limitations for Better Network Security
byCryptzone
 
COSAC 2021 presentation - AWS Zero Trust
byFrans Sauermann
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
bycentralohioissa
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
bycentralohioissa
 
Software Defined Perimeter - A New Paradigm for Securing Digital Infrastructu...
byGovernment Technology & Services Coalition
 
CSA SV Threat detection and prediction
byVishwas Manral
 
Zscaler ThreatLabz dissects the latest SSL security attacks
byZscaler
 
Zero trust in a hybrid architecture
byHybrid IT Europe
 
Extending Amazon GuardDuty with Cloud Insight Essentials
byAlert Logic
 
Bil Harmer - Myths of Cloud Security Debunked!
bycentralohioissa
 
Simplifying Security Management in the Virtual Data Center
byAlgoSec
 
How sdp delivers_zero_trust
byZscaler
 
Jason Kent - AppSec Without Additional Tools
bycentralohioissa
 
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
bycentralohioissa
 
How VPNs and Firewalls Put Your Organization at Risk
byCyxtera Technologies
 
Gavin Hill - Lessons From the Human Immune System
bycentralohioissa
 
How Google Protects Its Corporate Security Perimeter without Firewalls
byPriyanka Aash
 
Lisa Guess - Embracing the Cloud
bycentralohioissa
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
bycentralohioissa
 
Robert Hurlbut - Threat Modeling for Secure Software Design
bycentralohioissa
 

Similar to BeyondCorp: Closing the Adherence Gap

PPSX
Zero-Trust SASE DevSecOps
byAraf Karsh Hamid
 
PDF
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
byCristian Garcia G.
 
PDF
Practical Enterprise Security Architecture
byPriyanka Aash
 
PPTX
Authenticate 2024: We know who you are, now… What can you do?
byDavid Brossard
 
PPTX
Overview of Google’s BeyondCorp Approach to Security
byPriyanka Aash
 
PPTX
Adopting A Zero-Trust Model. Google Did It, Can You?
byZscaler
 
PDF
Identity Management for the 21st Century IT Mission
byCA API Management
 
PDF
BeyondCorp SF Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
BeyondCorp Boston Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PPTX
Embracing secure, scalable BYOD with Sencha and Centrify
bySumana Mehta
 
PDF
Manage risk by protecting apps, data and usage
byCitrix
 
PDF
User_Access_IIA-LA_3-9-2016
byKarla Sasser, CPA CITP, CIA, CGMA
 
PDF
Hitachi ID Access Certifier
byHitachi ID Systems, Inc.
 
PDF
Hitachi ID Access Certifier
byHitachi ID Systems, Inc.
 
PDF
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
byHitachi ID Systems, Inc.
 
PDF
Moving Beyond Zero Trust
byscoopnewsgroup
 
PDF
Making Security Approachable for Developers and Operators
byArmonDadgar
 
PPTX
The New Venn of Access Control in the API-Mobile-IOT Era
byForgeRock
 
PDF
Intralinks Uses Hybrid Computing to Blaze a Compliance Trail Across the Regul...
byDana Gardner
 
PPTX
Leveraging Identity to Manage Change and Complexity
byNetIQ
 
Zero-Trust SASE DevSecOps
byAraf Karsh Hamid
 
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
byCristian Garcia G.
 
Practical Enterprise Security Architecture
byPriyanka Aash
 
Authenticate 2024: We know who you are, now… What can you do?
byDavid Brossard
 
Overview of Google’s BeyondCorp Approach to Security
byPriyanka Aash
 
Adopting A Zero-Trust Model. Google Did It, Can You?
byZscaler
 
Identity Management for the 21st Century IT Mission
byCA API Management
 
BeyondCorp SF Meetup: Closing the Adherence Gap
byIvan Dwyer
 
BeyondCorp Boston Meetup: Closing the Adherence Gap
byIvan Dwyer
 
Embracing secure, scalable BYOD with Sencha and Centrify
bySumana Mehta
 
Manage risk by protecting apps, data and usage
byCitrix
 
User_Access_IIA-LA_3-9-2016
byKarla Sasser, CPA CITP, CIA, CGMA
 
Hitachi ID Access Certifier
byHitachi ID Systems, Inc.
 
Hitachi ID Access Certifier
byHitachi ID Systems, Inc.
 
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
byHitachi ID Systems, Inc.
 
Moving Beyond Zero Trust
byscoopnewsgroup
 
Making Security Approachable for Developers and Operators
byArmonDadgar
 
The New Venn of Access Control in the API-Mobile-IOT Era
byForgeRock
 
Intralinks Uses Hybrid Computing to Blaze a Compliance Trail Across the Regul...
byDana Gardner
 
Leveraging Identity to Manage Change and Complexity
byNetIQ
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PPTX
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
Français Patch Tuesday - Janvier
byIvanti
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PPTX
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
PDF
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
PDF
Why Enterprises Are Moving to Dedicated Servers in the Netherlands
byAtal Networks
 
PDF
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
PDF
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
PPT
Telecommunication system introduction to wireless communication
by143irha
 
PDF
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Français Patch Tuesday - Janvier
byIvanti
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
Why Enterprises Are Moving to Dedicated Servers in the Netherlands
byAtal Networks
 
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
Telecommunication system introduction to wireless communication
by143irha
 
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 

BeyondCorp: Closing the Adherence Gap

  • 1.
    BeyondCorp: Closing theAdherence Gap CloudAustin Meetup - Dec 7th 2017 Ivan Dwyer | @fortyfivan
  • 2.
    The Adherence Gap:A Written Policy That Isn’t Enforceable In Practice
  • 3.
    All Too CommonBehaviors ● Sharing/committing passwords and keys ● Not revoking credentials when employees leave ● Giving contractors too much privileged access ● Connecting to resources using unpatched devices ● Not logging and/or monitoring user activity ● Not assigning role based access controls
  • 4.
    What if insteadof always blaming the user… We engineer a solution that automates the encouragement of making good choices?
  • 5.
    Google Got itRight With BeyondCorp 1 Connecting from a particular network must not determine which services you can access 2 Access to services is granted based on what we know about you and your device 3 All access to services must be authenticated, authorized, and encrypted Mission: To have every Google employee work successfully from untrusted networks without the use of a VPN
  • 6.
    A Zero TrustState of Mind
  • 7.
    Redefine Corporate Identity Isthe user in good standing with the company? Does the user belong to the Engineering org? Is the user on Team A working on feature X? Is the device in inventory? Is the device’s disk encrypted? Is the device’s OS up to date? Identity = You + Your Device at a Point-in-Time
  • 8.
    Make Smarter Decisionsin Context “You can’t submit source code from an unpatched device” “You can only reach the company wiki from a managed device” “Your disk must be encrypted to access the confidential file repository” “You can view the corporate phone directory from any device” Real-time trust attestation based on dynamic conditions
  • 9.
    Remove Trust Fromthe Network Access Controls Why the request was denied request context NO YES Access Policies AuthN AuthZ Centralize Layer 7 Authentication and Authorization
  • 10.
    Eliminate Static Credentials ➔Issue short-lived client certificates or web tokens to initiate secure sessions ➔ Inject metadata about the user and connecting device into the credential ➔ Limit each credential in scope and time, making it near impossible to hijack Dynamic attestation needs a dynamic credential to match
  • 11.
    How To GetStarted With Your Own Zero Trust Architecture
  • 12.
    Collect Your RelevantData 1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones 2 Take an inventory of all company resources to protect - apps, databases, servers, etc. 3 Take an inventory of all static credentials - shared passwords, ssh keys, etc. 4 Diagram your system architecture and inspect traffic logs to understand behavior 5 Monitor device state - is the software up to date? Is the disk encrypted?
  • 13.
    Write Job Storiesto Understand Your Use Cases Alice - Build Engineer When a release is ready, I want to login to the build server over ssh, so I can inspect the build logs. Bob - Recruiter When I arrive at the office in the morning, I want to login to the ATS, so I can review the day’s applicants. Behavioral patterns should influence how access is managed
  • 14.
    Determine Your PolicyFramework ➔ User attributes ➔ Device attributes ➔ Location-based rules ➔ Time-based controls ➔ Groups and Roles ➔ Team federation ➔ Resource specific rules Trust Tiers User and device metrics are analyzed and placed in a tier which must match the minimum tier associated with the resource Scoring System User and device metrics are compiled and granted a score which must match the minimum level associated with the resource Assertions User and device attributes and state are individually matched against an Access Policy where all assertions must be true
  • 15.
  • 16.
    Recommendations 1 You don’thave to build the whole system yourself - leverage solutions for the hard parts 2 Be selective with the environments you support - operating systems, protocols, etc. 3 Start with simple global coarse-grained access policies before getting too fine-grained 4 Start migrating cloud native applications to the new environment first 5 Keep your network controls in place until the Layer 7 controls are fully implemented
  • 17.
    The ScaleFT AccessFabric a globally distributed real-time authorization CDN capable of making intelligent trust decisions at the edge Learn more at: www.scaleft.com/access-fabric
  • 18.
    THANKS!! Get in touch:ivan.dwyer@scaleft.com | @fortyfivan www.scaleft.com www.beyondcorp.com