Overheard at RSAC 2018: The disappearing perimeter. The data perimeter. The shifting perimeter. A dynamic perimeter. The death of the concept of a trusted network. Software-defined perimeters. Zero-trust security model.
Whatever you choose to call it, it was a major strategic theme echoed among leaders in the infosec space at this year's annual RSA Conference in San Francisco.
Director Product Management Security and Privacy, Google Cloud, Jennifer Lin discussed their internal implementation to secure the new dynamic perimeter and assume a zero-trust security model, in Google on BeyondCorp: Empowering Employees With Security for the Cloud Era.
Traditionally, there was a hard perimeter around the corporate environment, with hardware-centric infrastructure. But mobile, cloud and the availability of high-speed data become pervasive in the enterprise, requiring the Google cloud security team to rethink the controls they had in place.
With over 800 engineers at Google, they're constantly sharing their work and research on issues like Meltdown and Spectre within the open-source community, with fixes pushed out globally within hours.
In this more distributed and rapidly changing environment, it's difficult to deploy hard controls across this model. This implies a more dynamic perimeter that requires more real-time conditions and controls; not set-it-and-forget-it hardware device controls. The Google cloud security team needed real-time data and context on the company's users and devices.
Developments in the consumer space has set the expectations for real-time collaboration, particularly for software developers that also expect to be able to mix and match open-source tools as they work. This has prompted Google to optimize for the user experience and allow developers to innovate as quickly as possible.
Dynamic applications can now be accessed from any device, browser, location and network over a web browser. The question is, how can you apply different access policy goals to certain applications?
For example, you might want a certain application to be accessed only by financial employees located in their home country, from managed client devices, using strong user authentication and proper transport encryption.
In order to do that, you'll need to implement access controls based on your users and services, by first provisioning and authenticating your users and devices. Then, apply context-aware policies that check what kind of device they're using, their location, and what time they're requesting access.
With the BeyondCorp model, there's no need for a virtual private network (VPN), while single sign-on (SSO) does all of the work behind the scenes for users, and decisions for policy enforcement are made by an access control engine.
User authentication has evolved beyond easily-phished usernames and passwords, with new authentication standards developed with the FIDO (Fast IDentity Online) Alliance.
Security keys (such as U2F) have been designed to defeat phishing and are readily accessible to the public, allowing for a simple user experience that gives them access to multiple websites and accounts by inserting it into their device and tapping the button. After implementing the security keys across their company, Google has not been phished at all.
The shifting of access controls from the network perimeter to user identities and attributes has enabled for organizational agility and innovation for their developers, while improving the user experience for consumers.
For more detail on the theory and implementation of a BeyondCorp security model, plus how you can secure your organization without as many engineers, check out:
- Moving Beyond the Perimeter: The Theory Behind Google’s BeyondCorp Security Model
- Moving Beyond the Perimeter: How to Implement the BeyondCorp Security Model
Stay tuned for continuing coverage this week of the major themes and takeaways from this year’s RSA Conference.