I've got bad news for you: You're one hack away from an Equifax-esque breach. If it's any consolation, so are your competitors, partners, and customers. In fact, pretty much every company besides Google sits in this same leaky boat, having invested years in perimeter-based security that doesn't work—cannot work—especially in a software world built on clouds.
That same Google, however, offers some good news.
Years ago, Google dumped the perimeter approach with an internal initiative dubbed BeyondCorp. BeyondCorp's "no trust" approach to security offers important clues to protecting enterprise data assets, and it's not just for Google, I learned from Paul Querna, CTO and co-founder of ScaleFT, a software startup helping companies achieve their own BeyondCorp-inspired security architecture. BeyondCorp won't give you Google-like scale, but it can deliver Google-like security.
The center cannot hold
BeyondCorp's foundational insight is to ground access in identity; to make security application-centric, not network-centric. It started at Google as a response to Operation Aurora, a 2009 China-spawned attack that targeted a number of large US enterprises. One of those targets was Rackspace, where Querna was a member of the infrastructure team.
"Our response to Aurora was very much reactive and fear driven—buy more firewalls, buy more VPNs," Querna said. "That didn't result in any better security outcome, and in fact, it made things even worse because the added security measures just made it harder for employees to do their jobs. People were either too frustrated to work, or they did what they could to circumvent the security controls."
It should, because odds are very good that your company operates much the same. Sadly, the (all too common) approach of bolstering the perimeter by piling VPNs on firewalls never really works. Indeed, every other company targeted by the Aurora attack—Yahoo, Symantec, Morgan Stanley, among others—went about defense in much the same way, failing to achieve a better security outcome.
Only Google had the foresight at the time to recognize that the perimeter was fundamentally broken. "As we were still putting out fires, we saw what Google was doing across the way and believed they had the right model," said Querna. "We started ScaleFT around the same time as the first BeyondCorp research paper was released, and it lined up almost exactly with our thinking. We set out to build the capabilities of BeyondCorp for companies that aren't Google."
A new hope
Google got a lot of things right with BeyondCorp, and it starts with rethinking security architecture from the ground up. Where traditional perimeter-based security methods are focused on protecting the network, BeyondCorp treats every network as untrusted, shifting the access controls to the application layer. Here, identity is redefined as a user on their device, and trust is only granted once a request has been fully authenticated and authorized.
Making smarter trust decisions means understanding the context surrounding a request. It's no longer about some desktop being plugged into the office network; it's about a policy that states I can access a specific application from a known device that is up-to-date, or that I can't access another application from an unknown device that hasn't been patched in years.
That may sound obvious at first glance, but it takes a fresh approach to system design to shift access controls away from the network like this. "Anyone can write security policies that sound right, but adhering to them with the proper access controls is a challenge," Querna asserted. How do you know the state of the user and their device at the time of the request to make a decision? Once that decision is made, how do you maintain a secure session between the device and the resource?
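A minimal sketch of such a per-request trust decision, added here as an illustration and not taken from Google, ScaleFT or the article: the inventory, groups, thresholds and the `decide` function are all constructed assumptions. The decision uses the user, the device and its patch state, and never the source network.

```python
from dataclasses import dataclass
from datetime import date

# Constructed device inventory: device id -> (assigned user, last patch date).
INVENTORY = {
    "laptop-0042": ("alice", date(2017, 9, 20)),
    "laptop-0077": ("bob", date(2015, 3, 1)),
}
# Constructed group membership and per-application policy.
GROUPS = {"alice": {"engineering"}, "bob": {"contractors"}, "carol": {"finance"}}
POLICY = {
    "bug-tracker": {"groups": {"engineering", "contractors"}, "max_patch_age_days": 30},
    "payroll": {"groups": {"finance"}, "max_patch_age_days": 14},
}

@dataclass(frozen=True)
class Request:
    user: str       # authenticated identity (authentication assumed done upstream)
    device_id: str  # taken from a verified device credential (assumed)
    app: str        # application being requested
    source_ip: str  # logged only; deliberately not an input to the decision

def decide(req: Request, today: date) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny; the network is never trusted."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "no policy for application"
    device = INVENTORY.get(req.device_id)
    if device is None:
        return False, "unknown device"
    owner, last_patched = device
    if owner != req.user:
        return False, "device not assigned to user"
    if not GROUPS.get(req.user, set()) & rule["groups"]:
        return False, "user not authorized for application"
    age = (today - last_patched).days
    if age > rule["max_patch_age_days"]:
        return False, f"device patches {age} days old"
    return True, "ok"

if __name__ == "__main__":
    today = date(2017, 10, 1)
    for r in (Request("alice", "laptop-0042", "bug-tracker", "203.0.113.5"),
              Request("bob", "laptop-0077", "bug-tracker", "10.0.0.8"),
              Request("alice", "phone-9999", "bug-tracker", "10.0.0.9")):
        print(r.user, r.device_id, r.app, decide(r, today))
```

Note that the second request is denied even though it comes from an internal-looking address, while the first is allowed from an external one.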
Before BeyondCorp, these were impossible questions to answer, but now Google's insight offers a new architecture and fresh definition of identity to follow.
"Zero Trust is the model, and BeyondCorp is evidence that it works," said Querna. No company represents web scale more than Google, and they're a company that cares about speed and productivity. "BeyondCorp isn't security that gets in the way, it's security that helps people do their jobs," he added.
When a company gets this right, not only does it liberate employees from the tyranny of obnoxious access control measures, but it also makes administering that security more straightforward. Sam Srinivas, product management director in Google's Cloud Security and Privacy team, made this clear in a separate interview: "Access management is about making sure the right person accesses the right information in the right context. Ideally, you should be able to define access policies at a high level of abstraction—e.g., 'Allow the off-site contractors I hired to access project 21 in my bug system, but only if they are taking reasonable precautions.'"
You turn me right round
BeyondCorp unlocks the ability to make smarter trust decisions away from the network. Taking things even further, the underlying architecture changes the software delivery model. It's about abstracting the complexities of the underlying operations, and exposing the desired outcomes as a consumable API. "What Twilio has done for telecom and what Stripe has done for financial services, can now be done for security," said Querna.
That hasn't been possible before now, because security products have been so tied to the network or deployed as an appliance. Even so-called software-defined solutions miss the mark because they're still based on the network. Application layer software solutions are a different ballgame. "All security products will become SaaS solutions, because that's how all software should be delivered," said Querna. "Security is a laggard in adoption, but look at companies like Okta and Duo. It's happening."
Ironically, security may be the final domino to fall in the digital transformation era, despite its primary importance. Software is eating the world, goes the saying, and hackers are eating this world built on software. Or were. The more companies embrace BeyondCorp principles, the more likely they'll be able to actually secure the software upon which they depend.
Matt is currently head of the developer ecosystem at Adobe. The views expressed are his own, not those of his employer.
Matt Asay is a veteran technology columnist who has written for CNET, ReadWrite, and other tech media. Asay has also held a variety of executive roles with leading mobile and big data software companies.