BeyondCorp Meetup: Google Security for Everyone Else

Captions
[Music] I'm Ivan from ScaleFT. We are a software company based here in San Francisco, and our mission is to help organizations achieve a zero trust security architecture, much like Google did with BeyondCorp. I wear many hats here, one of them leading the community efforts, so that's why I organize some of these meetups. We've got San Francisco and Austin so far, and we're going to be kicking off a lot more. So I'm going to talk a little bit about how zero trust changes the way that we think about identity and access, and what that means for the broader ecosystem.

Now, to quickly set the stage: we've heard from Evan and Doug a little bit about what a perimeter network means, but I think we can all agree that we're moving towards this perimeterless future. I think there's more to it than just breaking down the network. Eliminating the VPN is a really nice end result, and it's really the end result of building a better architecture to manage access to protected resources. But the real goal here is mitigating insider risk, which continues to challenge organizations of all kinds. You can't even go a week without reading about another breach; it seems like every one is more damaging than the last. I think the fact that we've never read about Google in this light is actually evidence that BeyondCorp works. The more that I've researched and spoken with folks at Google, the more I can confidently say that they really got it right. It was their mission to eliminate the VPN entirely, and they were able to achieve that with three core principles. Number one: connecting to a particular network does not determine which services you can access. This is what perimeterless really means: the network is untrusted. Public internet, private internet, it doesn't matter; the network doesn't matter. Number two is important, and we're going to talk about this: access to the services is granted based on what we know about you and your device. And number three: all access to services must be fully authenticated, authorized, and encrypted. For a deeper dive I definitely recommend reading the BeyondCorp papers; you can find them on beyondcorp.com, which is a site that we maintain.

But we're not all Google. So is BeyondCorp really a thing that we can think about outside of Google? Of course, I would say yes. I've heard some folks at CoreOS refer to Kubernetes as "Google infrastructure for everyone else," so in that spirit I like to see zero trust as Google security for everyone else. It is a framework and not a product per se, so we have to look at it in a slightly different light, but it definitely sounds nice, so I'm going to stick with "Google security for everyone else" until someone tells me otherwise.

If you really boil it down, zero trust changes the notion of identity, and specifically what I'll refer to as enterprise identity, and that's a really valuable thing. Look at our online identities: Facebook owns our personal identity, which is how they've outlasted all of their skeptics. LinkedIn still owns our professional identity, which I have to think is the only reason they even still exist. Twitter still has a chance to own a brand identity, but for some reason it keeps squandering it; I can't explain that one. I will also say that having no identity is why I don't really see a bright future for Snap, but that's an entirely separate conversation I'm willing to have afterwards.

The problem is that we've traditionally placed all of our employees into these two distinct buckets: privileged and non-privileged users. If you look at this, it makes sense at first glance. The personas are completely different, their workflows are completely different, and they need access to completely different resources. Because of this, our industry has created two very distinct product categories, IAM and PAM, and the products in these categories perform very different functions and have very different feature sets, but essentially they deliver the same outcome, and that's managing access to resources.

So in my mind, what Google really got right, more so than anything else, was that they took this holistic view of their end goals without making any assumptions, and they didn't stick to any tradition for the sake of it. They really just scrapped everything and built it from the inside out. So instead of keeping their employees in these separate buckets that we're used to, they took a fresh look at what it really means to build an identity profile where every request can be consistently authenticated and authorized regardless of the user and regardless of the resource type. They don't ask if the user is in the network; they ask things like: is the user in good standing with the company? Are they part of the engineering team? Are they on team X working on feature Y? Is the device in inventory? Is the OS up to date? Is the disk encrypted? These are the questions that they ask, and that changes the conversation and really gets to the heart of the information they need to make actually intelligent access decisions. So Google uses all of this information they collect from the devices and the users in the network, and they assign it to a trust tier. Every request, every user gets assigned to a trust tier, and some resources will have very different sensitivity than others. Granting sudo privileges on an application server obviously requires being in a higher trust tier than viewing a metrics dashboard. With Google and with anyone else, the conditions are always changing, so they have to have a system that is always adapting.

So I think with these attributes, if we can make an actual definition of what enterprise identity is, I would say it's you plus your device at a point in time. The point in time is really important and part of the decision-making process, just because of the dynamic nature of the people and systems. If you're going to make a correct evaluation of trust, you have to think about the actual time. This is why static credentials like SSH keys, and just being in the network, are no longer really effective: they don't factor in the time, and they also don't take into account you and your device at that time. I just really think this is a much better way to think about identity than either privileged or non-privileged.

So we have this new architecture for identity, and in zero trust identity is still king, but I would say access is the throne. Don't take that too literally. I think what this really means is that the new enterprise identity needs to be complemented with the right access management for it to actually be truly effective. So, taking a play from Google's playbook, I like to just flat-out ask ourselves what we want out of an access management solution. I'm a firm believer in putting forth all the goals, as stretch as they may be, and then figuring out what it's going to take to get there. You might have a different view of this, but my wish list would be: a unified authentication, authorization, and audit solution, or at least a tightly integrated suite of solutions. A common access policy definition that includes both attribute- and role-based controls; I'll talk a little more about policies in a second. Of course, making intelligent decisions in real time, and always learning and always adapting. So you can learn that if Bob logs into his finance system every day at 9 a.m., you can kind of predict that, but if five minutes later you see Bob trying to access an HR system from China from his phone, you can pick up on things like that. If you're always making these intelligent decisions, you can collect that data and over time identify some patterns and potentially identify some threats, which is what a lot of companies are trying to accomplish. Then a tough one here: how do we make a consistent, streamlined workflow for both privileged and non-privileged users across both web and infrastructure resources? We've treated these two things very differently until now; is there actually a way that we can do that? And then one more: identity governance decoupled from the system of record. I think this is a pretty tricky one, because the system of record tends to be stuck in these back-office environments, but I like the idea of decoupling that and being able to make decisions more in, I'd say, a cloudy environment, less tied to the actual identity database. So you can have this system of record which is just that: don't make any groups and roles in there. That one I think is going to take some time, but we're going to throw it out there anyway. And of course, we're just going to eliminate the need for network segmentation and static credentials entirely. That's my wish list; there's probably more, and you might have some more.

With all this, interestingly enough, there's been this old, not that old, security framework that's becoming relevant again in this picture. I think it came out of Cisco, or at least Cisco has been the main champion of it for the past few years. It's the Triple A framework, which stands for authentication, authorization, and, they call it accounting; I prefer to just call it audit so I can get my A's in a line. My simplified view of this framework is: for every request we want to verify the identity is who they say they are, but again, we're talking about identity as you and your device. Then verify that that identity is allowed to access the resource; that's making the decision, but making that decision intelligently in real time. And of course verify that the identity is doing no harm, intentionally or unintentionally. A good example of that: recently you might have seen the news from Waymo suing the guy who stole, or allegedly stole, 14,000 confidential documents. This might be the first time we see BeyondCorp brought up in a lawsuit, because they probably have a pretty good idea of what that person was doing on the network, because it was inside Google. So having all of those things, authentication, authorization, and audit, as a single cohesive unit I think is pretty important. Obviously it's more complex than this, but I like distilling all of access management down to this view so we can focus on the outcomes first and foremost.

So one way to turn that simple view into reality, and I think Evan and Doug touched on this a little bit, is coming up with a common access policy definition. I'm not going to say specification, because that'd be getting way ahead of myself. I think we have a lot of work to do as an ecosystem before we can really have a common access policy that covers everything, because right now, at least for the foreseeable future, every company going down the zero trust path is going to have a very different view of how these policies are formed. It's going to depend on their identity provider, the structure of the organization, which cloud providers they're working with, and their applications themselves. But at a high level, some of these policies might include: the user and device attributes that we mentioned earlier; location-based rules and time-based controls, so an example might be you have a contractor in Brazil who you want to give a one-hour window to go fix something, and you can do that through an access policy and build in the appropriate workflows; groups and roles with federation, which I think we're pretty used to, we do a lot of that today, so there's nothing new there; and potentially resource-specific rules. But I would be very careful not to get too fine-grained at the policy level, because application-specific types of rules probably shouldn't be in a common access policy; that's really how things get out of scope really fast. So if you're going down this path, definitely try to balance the coarse-grained and fine-grained policy rules you come up with.

So now we have our definition of enterprise identity and we're thinking about things from a policy perspective. This puts us in a better place to make these more intelligent access decisions, and I think that's really the primary goal we're trying to achieve with zero trust. So what does that look like, and how do we deliver this consistent workflow across privileged and non-privileged users, infrastructure and web resources? It really comes down to having a central gateway that's going to handle all requests, and the BeyondCorp way to do that is to place a reverse proxy in front of every resource. So in this diagram, your identity provider is still going to handle authentication, you'll hopefully have MFA in place, and then every request is going to be authorized against the access policies by some sort of policy engine built into that system. Then a successful authorization will issue, hopefully, a single-use certificate, and that will initiate a secure session. The protocol will depend on the resource, so you have SSH and RDP for Linux and Windows servers and then HTTP for web apps. I will say that if you want a deeper dive into that, I would definitely recommend asking some of the ScaleFT engineering team how they deal with the different protocols and deliver the same consistent user experience; it's really cool stuff that is way over my head, but definitely find some of them to learn more.

Also note in this picture that there is no additional auth layer between the gateway and the resources themselves. Someone had asked about the hops, taking too many hops. There's mutual trust between the gateway and the resources, so once you pass through that gateway you don't have to take a bunch of different hops, and that can place a lighter load on things, because the auth is handled at the proxy, and it being a proxy means you can do other things like potentially load balancing. Another interesting case in this diagram is providing visibility and insight into the decisions being made. If a request is blocked, you want to know why, and this is a major pain point with VPNs; now we're at a point where we can solve that entirely. One example: Netflix recently open sourced a service they use internally called Stethoscope, and it does something very similar. Essentially their goal as a company was to encourage better security practice internally, so they were informing employees if their devices were out of date or if the disk wasn't encrypted. They have this really nice dashboard, so instead of just being blocked for no reason and not having any idea why, you get this nice little notification saying, "Hey, your OS is out of date, we can't let you into the system," and then they say, "Okay, well then I've got to update my software." Because these things impact the decision-making, it's good practice, and it's important to understand what's actually happening, and over time that's going to help improve security practices within an organization. And of course, throughout this entire workflow all the traffic is monitored and logged. So if you look at this picture from end to end, we really have this full authentication, authorization, and audit framework that covers users and resources, and at a very high level I think this is how we should be looking at access management in this zero trust environment.

But of course, with any new architecture and new workflow, there are going to be a number of things that come up. So if you're going down this path, these are just a handful of more questions to ask yourself. There are a lot of pieces to this, so how do they all work together? What are the integration points? Who are the vendors? Again, what's the right balance between coarse-grained and fine-grained policies? Be really careful with the resource-specific policies. And then IaaS providers: Google Cloud and AWS have their own IAM and shared responsibility principles; how do those line up with what you're building for internal use? An interesting thing is you might want to incorporate approval workflows. You've got this whole auth workflow; maybe you want to have a manager jump in and say, "Okay, I want to make sure that I manually approve that person's request." How do you incorporate that into what's usually done in an automated fashion? Can your identity provider, which uses your system of record, exist in the cloud? This is often a no for large enterprises who have back-office AD that they can't move. What does that mean then? Are we going to wrap some layers around that? What does that look like in this new zero trust world? Similarly, what do you do about legacy protocols or specs? Maybe the answer is you just don't support them. Google flat-out said no to Windows Server when they were designing BeyondCorp; when they were talking on stage today, they said no to a lot of protocols. They're in a unique position to make mandates from the top down, but maybe you can look at something and say, "You know what, I'm not going to do that anymore; we're going to move towards OpenID Connect for all the things." Things to think about. And a big one, and this has come up already today talking to some folks: how do you track and monitor all these devices? Can you support a BYOD environment? Do you need a fleet management solution? What does the endpoint monitoring look like, and what do the agents look like? How do you track and capture all the data from the devices? That's a really big one. So all of these are important questions to ask, but none of them are blockers for moving down this path.

So I will, disclaimer, say I'm definitely tired of hearing the term "digital transformation," but I will refer to zero trust right now as security transformation, because it actually is a shift in thinking that does impact people, process, and technology within an organization. The best part, and we're all lucky here, is we get to look at Google as evidence that it works. It's also a really nice reference point for our own efforts. We have three papers from Google, we have all the things that they talk about; that's a really nice thing to have as we start to move in this direction. It's not just a journey that we don't have an end to; we can see that, and that's what's exciting for companies like us and for me.

So what's the big picture of all this? Are we going to see these major shifts, or is this only something that affects Google-sized companies, or Google themselves? Again, I'll say it again: first things first, just being aware of zero trust already encourages better security practices from end to end. This is just a byproduct of the architecture and the guiding principles. Automatically you start having better practices for keeping your devices up to date; potentially you have them in an inventory; just better monitoring and logging throughout the network and at the endpoints; of course, encrypt all the things, MFA all the things, always; and then getting rid of those pesky static credentials like SSH keys. Companies are really struggling with enforcing better security, and just by embedding some of these practices into the workflows, hopefully without impacting the user experience, it will naturally lead to improvements and then become second nature for all the employees to just know that they have to keep their devices up to date. For a lot of companies, and a lot of security and risk people, that's very important, and they're struggling with that, so this helps.

But I'd say the main thesis that I would like everyone to walk away with here is that I do expect to see some really significant market effects. First, we have this new wave of cloud-native security providers emerging, and I hate to use that word "disrupt," but anyone who actually stepped on the RSA floor a couple of weeks ago would agree that this needs to happen. There were like 700 vendors all telling you that you're going to get hacked if you don't drop in their ten-thousand-dollar appliance. It's the really old model, and it's getting tired, and it's showing. Also, IAM and PAM are currently separate categories, not just with Gartner but in people's minds. I really do see these two converging into a single access management category, but in the near term it's going to be integration partnerships with different vendors, and then vendors also expanding their feature sets. I will go out on a limb and say that PAM products are better suited to match the IAM features than vice versa, just because of the already built-in advanced security measures that come with dealing with privileged accounts, but we'll see. Also, we know that Active Directory has dominated the IdP space for a long time, but we're actually starting to see some viable cloud-based alternatives break through, just today. This is going to be really interesting to watch. Microsoft is making the push to the cloud; they've got Azure and they've got Office 365, but Google is right there with G Suite and Google Cloud, and the identity service they launched today is really trying to directly compete with Active Directory. Because, again, we talked about how identity is incredibly valuable, and the big players are going to go for it. Just wait until Amazon makes their play; that's when things are going to get really crazy. And of course, number one: we're going to say the VPN market is going to take a major hit as more companies move to zero trust. So how are the incumbents going to actually respond? That's going to be the fun one for us to watch, and make sure everyone grabs their "no VPN" t-shirt on the way out, from ScaleFT.

So the good news is that if you're in this room, that means you're already on the right side of all of this. Even where I think some of us vendors are probably going to overlap across some of our feature sets and our products, a rising tide lifts all ships, and it's really important for us to continue to spread the word of zero trust and BeyondCorp and help other companies achieve this kind of architecture. It's going to make us all successful and improve the market and prove that the model is effective.

So real quick, before I wrap up, I'll tell you a little bit about what we do at ScaleFT. Again, it really is our mission to help organizations achieve their own zero trust architecture through our software and our services. We do provide an access management platform similar to the diagram that I walked through, but again, we understand this is a journey and this is a transformation, so we actually work very closely with our customers to design the right architecture and plan your rollout. As you know, we've taken the lead on building up the BeyondCorp community and the ecosystem, and I'm really happy to see that continue to grow. So I move fast through slides, as you noticed. That will do it for me. Thanks again for being here. You can reach me by email or on Twitter. To learn more about ScaleFT, visit us at scaleft.com, and to learn more about BeyondCorp, visit beyondcorp.com.

Pulling out your VPNs too soon: I think that's the last thing you do, really; you want to make sure. So the way Google did it, they had the luxury of doing this: they were able to deploy side by side, so go application by application, resource by resource. They did a lot of inspecting of the traffic before they ripped out that last-mile protector, which was their network segmentation. So the risk is definitely: "Zero trust, no VPNs, sweet, throw those out," and then, okay, now everything's on the public internet, but we didn't actually implement the proper auth controls and encryption and things like that. I would say that would be number one. Number two: internal education is always a big one with things like this. You're changing workflows for a lot of people. Employees, as much as they hate it, are used to their VPNs and their RSA tokens, and you start telling them that they have to go through this new workflow. It's the same with any, and I bet the Okta folks will agree, the first education of, "Okay, now you're multi-factor, you've got to go through the single sign-on, you log in here, and then you're going to pop up the Okta window, and then you log into your application." The first time that happens it weirds you out, but then you get so used to it. So I think just getting people used to the workflows early on is important.

Anytime you're starting a new community from scratch, you have this vision of the future where a couple of years from now it's going to be so big; you're going to be at an event and you're going to see someone who you know from early on, and you're going to give a head nod of respect, like, "Yeah, remember when we were there early on?" Well, I hope everyone just really quickly looks around this room, because hopefully in a year or two those are the people that you can give that head nod to when it comes to BeyondCorp. So we have a lot more coming; stay tuned with all of our community stuff: scaleft.com, beyondcorp.com. I run a weekly newsletter for BeyondCorp. What else do we do? Those are the main things that we do. So thank you all for coming.
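The talk describes the decision the gateway's policy engine has to make: treat enterprise identity as user plus device at a point in time, assign that pair to a trust tier, require a minimum tier per resource, allow a time-boxed exception (the contractor in Brazil with a one-hour window), notice the Bob-at-9-a.m.-then-China-five-minutes-later pattern, and log every decision for audit. The following is an added example written for this page, not code from the talk, ScaleFT, Google or BeyondCorp: a small Python policy engine that does each of those things. The tier numbers, resource and action names, attribute names and the one-hour travel window are all constructed for the example and are not any product's actual policy schema.

```python
"""Added example: a minimal zero trust policy engine (not BeyondCorp's or ScaleFT's code).
Every request is judged from (user, device, time); the pair gets a trust tier;
resources need a minimum tier; time-bound grants cover exceptions; every decision is logged."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    in_good_standing: bool   # still employed / contract active (constructed attribute)
    mfa_passed: bool         # identity provider reported a second factor


@dataclass(frozen=True)
class Device:
    serial: str
    in_inventory: bool       # known, managed device
    os_patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    action: str
    at: datetime             # the "point in time" part of enterprise identity
    country: str             # geolocation attached by the gateway (constructed)


@dataclass(frozen=True)
class TimeBoundGrant:
    """Explicit exception: one user, one resource, one location, one window."""
    user: str
    resource: str
    start: datetime
    end: datetime
    country: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: int
    reason: str              # surfaced to the user, as the Stethoscope-style notification


# Minimum trust tier per (resource, action); anything not listed is denied by default.
REQUIRED_TIER = {("metrics-dashboard", "view"): 1, ("app-server", "ssh"): 2, ("app-server", "sudo"): 3}


def trust_tier(user: User, device: Device) -> int:
    """0 untrusted; 1 verified user on unmanaged device; 2 managed but unhealthy; 3 managed and healthy."""
    if not (user.in_good_standing and user.mfa_passed):
        return 0
    if not device.in_inventory:
        return 1
    return 3 if (device.os_patched and device.disk_encrypted) else 2


class Gateway:
    """Policy engine plus audit log, the role the reverse proxy plays in the talk's diagram."""

    def __init__(self, grants=(), travel_window: timedelta = timedelta(hours=1)):
        self.grants: List[TimeBoundGrant] = list(grants)
        self.travel_window = travel_window   # constructed threshold for the location-change check
        self.audit: List[Tuple[datetime, str, str, str, str, Decision]] = []

    def _last_allowed(self, user: str) -> Optional[Tuple[datetime, str]]:
        """Most recent permitted request by this user: (time, country), from the audit log."""
        for at, name, _serial, _target, country, d in reversed(self.audit):
            if name == user and d.allowed:
                return at, country
        return None

    def _grant_for(self, req: Request) -> Optional[TimeBoundGrant]:
        for g in self.grants:
            if (g.user == req.user.name and g.resource == req.resource
                    and g.country == req.country and g.start <= req.at < g.end):
                return g
        return None

    def evaluate(self, req: Request) -> Decision:
        tier = trust_tier(req.user, req.device)
        required = REQUIRED_TIER.get((req.resource, req.action))
        prev = self._last_allowed(req.user.name)
        if tier == 0:
            d = Decision(False, tier, "user not verified: not in good standing or no MFA")
        elif required is None:
            d = Decision(False, tier, "no policy for this resource/action: default deny")
        elif prev and prev[1] != req.country and req.at - prev[0] < self.travel_window:
            d = Decision(False, tier, f"country changed {prev[1]}->{req.country} within {self.travel_window}")
        elif tier >= required:
            d = Decision(True, tier, f"tier {tier} meets required tier {required}")
        elif self._grant_for(req) is not None:
            d = Decision(True, tier, "time-bound grant in effect")
        else:
            d = Decision(False, tier, f"tier {tier} below required {required}: device posture insufficient")
        # Audit: every decision, allowed or not, with who, what device, what target, where.
        self.audit.append((req.at, req.user.name, req.device.serial, f"{req.resource}:{req.action}", req.country, d))
        return d


def demo() -> List[Decision]:
    """Constructed sample traffic; returns the gateway's decisions in order."""
    t0 = datetime(2017, 3, 21, 9, 0, tzinfo=timezone.utc)
    bob, carla, eve = User("bob", True, True), User("carla", True, True), User("eve", False, True)
    bob_laptop, bob_phone = Device("LAP-001", True, True, True), Device("PHN-777", False, True, False)
    carla_laptop = Device("UNKNOWN-1", False, True, True)          # contractor device, not in inventory
    gw = Gateway(grants=[TimeBoundGrant("carla", "app-server", t0, t0 + timedelta(hours=1), "BR")])
    traffic = [
        Request(bob, bob_laptop, "app-server", "sudo", t0, "US"),                              # healthy, tier 3
        Request(bob, bob_phone, "metrics-dashboard", "view", t0 + timedelta(minutes=5), "CN"),  # Bob from China
        Request(carla, carla_laptop, "app-server", "ssh", t0 + timedelta(minutes=30), "BR"),    # inside window
        Request(carla, carla_laptop, "app-server", "ssh", t0 + timedelta(hours=2), "BR"),       # window expired
        Request(eve, bob_laptop, "metrics-dashboard", "view", t0, "US"),                        # not in good standing
    ]
    return [gw.evaluate(r) for r in traffic]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", f"tier={d.tier}", d.reason)
```

The `reason` string is the part the talk calls out as the major VPN pain point: a denied request always says why, whether it was device posture, an expired window, or the location change, so the user can fix the cause instead of guessing. Note that the grant lifts only the tier requirement; a user who fails verification (tier 0) never reaches the grant branch.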
Info
Channel: Heavybit
Views: 2,910
Rating: 4.8666668 out of 5
Keywords: BeyondCorp, Security, ScaleFT, Heavybit, Startups, Developer Tools
Id: bp_Obub-Lz0
Length: 24min 24sec (1464 seconds)
Published: Tue Mar 21 2017