If you want real security, you have to learn not to trust anyone, says ex-PagerDuty expert.
Cybersecurity may well be the only $100 billion industry that fails spectacularly on a regular basis. Thus far, each attempt to respin cybersecurity has followed the same trajectory: promise and then crash and burn. Google, however, may finally have cracked the code.
In 2009 Google, along with other large enterprises, was the target of a highly sophisticated attack, dubbed Operation Aurora, purported to originate from the Chinese government. Most companies responded by following the failed playbook of boosting their perimeter security with more VPNs and firewalls.
Google was smarter, developing a whole new security architecture where trust is removed from the network, running on the assumption that anyone inside the firewall is just as suspicious as anyone outside requesting access to your network. It's called Zero Trust (or in Google parlance, the BeyondCorp framework), and may hold the key to how Google was able to capture such a detailed evidence trail on Anthony Levandowski's alleged downloading of autonomous automobile technical documentation, which he allegedly then used to found a competing company in collusion with Uber.
BeyondCorp has a nascent commercial market, and two companies have offered different solutions: ScaleFT and Duo Security. Expect many more. I recently caught up with perhaps the leading Zero Trust expert outside of Google, Evan Gilman, a former networking and security engineer at PagerDuty. He is writing a book for O'Reilly called Zero Trust Networks with his co-author Doug Barth to explain how this concept works. I asked him for a preview.
Client or data center?
TechRepublic: What are the key trends driving this movement around perimeter-less architectures, or Zero Trust?
Gilman: To answer that question, let me first clarify Zero Trust and two different manifestations of the model in the real world. The first mode is for thinking about client-facing systems--things like laptops, desktops, users accessing network resources and front-end enterprise services. The second mode is how does this operate in the data center, the backend? How do you provide trust in service-to-service and server-to-server communications?
SEE: The downside to the developer revolution: Big data (in)security (TechRepublic)
We see the most momentum in client-facing systems, with startups like ScaleFT. They protect Rackspace and some other large customers today. Here the big driver is basically the rise of the mobile workforce. It's really, really difficult to manage remote workers with the typical VPN solution. Everyone hates it. For users it sucks. It's a pain, and it hobbles performance.
For operators, it's a pain to set up, run, scale, and be redundant. VPNs are a big pain in the real world, especially with more and more mobile and VPN clients. So the pain is spreading quickly. Until recently, no one knew how to solve it. The BeyondCorp framework solves this using the Zero Trust model. You can eliminate VPNs.
For data centers, there are two major considerations. You want homogenous security controls cross-cloud and hybrid cloud. You don't want to run separate policies and rules on AWS and Azure and ensure compliance across the board with all this different overhead. Zero Trust puts practically all the security into software. It commodifies compute resources at the IaaS level. You can move workloads to any cloud or data center and security just works--it is not dependent on underlying network topology or position.
The other major consideration is microservices. You probably won't be surprised to discover that there is typically very little security policy attached to microservices. If your network gets popped, free lateral movement is a massive problem--most microservices networks are largely flat.
Zero Trust for the average company
TechRepublic: Not every company is Google. When does it make sense to adopt BeyondCorp and Zero Trust, and when is an organization better off waiting?
Gilman: That depends on the scope of your security problem, [what] the nature of your threat model is, and your level of exposure. You may have a VPN that works, but no one likes it. What happens if VPN credentials are stolen? Is this a risk you are willing to take? What if a server is compromised? What else will the attacker gain access to?
SEE: Why big data leaders must worry about IoT security (TechRepublic)
The brutal fact is that when it comes time to making this decision it's usually after you have a lot of value behind perimeter defenses you have already built. By the time you think about a different approach, Zero Trust, the task looks pretty daunting.
Consider starting with front-end migration if your greatest exposure is in mobile clients or the corporate network--it's much easier than the data center migration, mostly due to a handful of commercially available options.
On the data center side, just try to start as soon as possible. You have a lot of work ahead of you. But one of the key things about this new architecture is the payoff beyond improved security. It also aligns human behavior with security best practices. If you have a small deployment today, just start now!
- BeyondCorp: Borderless security for today's mobile workforce (TechRepublic)
- CIOs still don't care about Hadoop data security (TechRepublic)
- How public cloud providers are making security a non-issue for app developers (TechRepublic)
- MongoDB ransacked: Now 27,000 databases hit in mass ransom attacks (ZDNet)
- How the FBI defends against insider threats (ZDNet)
- Guidelines for building security policies (Tech Pro Research)