Presentation given at the Rocky Mountain InfoSec Conference - May 10, 2017.
Gives an overview of Google's BeyondCorp project, why Zero Trust is the right framework to follow, and how to get started at your own company.
Learn more about BeyondCorp at: www.beyondcorp.com
Learn more about ScaleFT at: www.scaleft.com
3. Operation Aurora
➔ In 2009, a highly sophisticated APT originating from China targeted a number of large
US-based Enterprises, including Google, with the goal of accessing source code repositories
➔ The typical fear-driven response by most companies affected was to beef up their network
perimeter security by adding more firewalls and VPNs
➔ Google recognized that these traditional methods were no longer effective on their own, and
began a new initiative to redesign their security architecture from the ground up
5. Problems with the Perimeter
➔ The modern organization is no longer confined to the walls of the office - more employees
are remote, systems are running in the cloud, and business apps are SaaS-based
➔ Common network segmentation tools such as the VPN give little visibility into what traffic
does once it is inside, and don’t factor in context when authenticating and authorizing requests
➔ Privileged access is backed by static credentials that can be easily lost, stolen or misused -
effectively handing over the keys to the kingdom to anyone in possession
7. Core Principles
1 Connecting from a particular network must not determine which services you can access
2 Access to services is granted based on what we know about you and your device
3 All access to services must be authenticated, authorized, and encrypted
Mission: To have every Google employee work successfully
from untrusted networks without the use of a VPN
8. The BeyondCorp Papers
BeyondCorp: A New Approach to Enterprise Security
Dec 2014
BeyondCorp: Design to Deployment at Google
Spring 2016
BeyondCorp: The Access Proxy
Winter 2016
Download at www.beyondcorp.com
10. The Major Components
Device Inventory Service
A system that continuously collects and processes the
attributes and state of known devices.
Trust Inferer
A system that continuously analyzes device attributes
and state to determine its maximum trust tier.
Access Policies
A programmatic representation of the resources, trust
tiers, and other rules that must be satisfied.
Access Control Engine
A centralized policy enforcement service that makes
authorization decisions in real time.
Access Proxy
A reverse proxy service placed in front of every
resource that handles the requests.
Resources
The applications, services, and infrastructure that are
subject to access control by the system.
11. A Typical User Workflow
1 User request to a resource flows through the Access Proxy
2 User is authenticated against the IdP via an SSO service
3 User and device are authorized against the Access Policies
4 A one-time credential is issued for the device to access the resource
12. The Decision Making Process
Diagram: the Device Inventory supplies each device’s attributes and state to the Trust Inferer, which assigns a Trust Tier; the Access Control Engine evaluates that Trust Tier against the Access Policy and returns its decision to the Access Proxy.
13. The Access Policy Language
Global Rules: Coarse-grained rules that affect all services and resources, e.g. “Devices at a low tier are not allowed to submit source code.”
Service-Specific Rules: Specific to each service or hostname; usually involve assertions about the user, e.g. “Vendors in group G are allowed access to Web application A.”
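As an added worked example (not code from the deck, from Google or from ScaleFT), here is a minimal Access Control Engine in Go that encodes the two rules quoted above and evaluates a request carrying the corporate identity (user, groups, device trust tier) together with the service and action. The tier names, the group names (G, engineering) and the service names (webapp-a, code-host) are placeholders chosen for this example. The engine is default-deny: every global rule must pass, the service must have a policy, and at least one of its grants must match.

```go
package main

import "fmt"

// Tier is the trust tier the Trust Inferer assigned to the requesting device.
// The tier names and their ordering are an assumption of this example.
type Tier int

const (
	Untrusted Tier = iota
	Low
	Medium
	High
)

// Request is the corporate identity (user + device at a point in time) plus
// the service and action being requested.
type Request struct {
	User       string
	Groups     []string
	DeviceTier Tier
	Service    string
	Action     string // e.g. "read" or "submit"
}

// GlobalRule is a coarse-grained rule that applies to every service. It
// returns a non-empty reason when the request must be denied.
type GlobalRule func(Request) (denyReason string)

// ServiceRule is a fine-grained grant for one service; true means the
// request matches an explicit allow for that service.
type ServiceRule func(Request) bool

// Policy is the programmatic representation of both rule kinds.
type Policy struct {
	Global  []GlobalRule
	Service map[string][]ServiceRule
}

// Decision is what the Access Control Engine returns to the Access Proxy.
type Decision struct {
	Allow  bool
	Reason string
}

// Evaluate is default-deny: every global rule must pass, the service must
// have a policy, and at least one of its grants must match.
func (p Policy) Evaluate(r Request) Decision {
	for _, rule := range p.Global {
		if reason := rule(r); reason != "" {
			return Decision{false, "global rule: " + reason}
		}
	}
	grants, known := p.Service[r.Service]
	if !known {
		return Decision{false, "no policy defined for service " + r.Service}
	}
	for _, grant := range grants {
		if grant(r) {
			return Decision{true, "matched a grant for " + r.Service}
		}
	}
	return Decision{false, "no grant for " + r.Service + " matched"}
}

func inGroup(r Request, g string) bool {
	for _, x := range r.Groups {
		if x == g {
			return true
		}
	}
	return false
}

// ExamplePolicy encodes the two rules quoted on the slide plus a baseline
// that untrusted devices get nothing. Group and service names are placeholders.
func ExamplePolicy() Policy {
	return Policy{
		Global: []GlobalRule{
			func(r Request) string {
				if r.DeviceTier == Untrusted {
					return "device is not in inventory or is untrusted"
				}
				return ""
			},
			// "Devices at a low tier are not allowed to submit source code."
			func(r Request) string {
				if r.Action == "submit" && r.DeviceTier <= Low {
					return "low-tier device may not submit source code"
				}
				return ""
			},
		},
		Service: map[string][]ServiceRule{
			// "Vendors in group G are allowed access to Web application A."
			"webapp-a": {func(r Request) bool { return inGroup(r, "G") }},
			// Engineers may read from and submit to the code host.
			"code-host": {func(r Request) bool { return inGroup(r, "engineering") }},
		},
	}
}

func main() {
	p := ExamplePolicy()
	for _, r := range []Request{
		{"vendor1", []string{"G"}, Medium, "webapp-a", "read"},
		{"vendor1", []string{"G"}, Medium, "code-host", "read"},
		{"alice", []string{"engineering"}, Low, "code-host", "submit"},
		{"alice", []string{"engineering"}, High, "code-host", "submit"},
		{"alice", []string{"engineering"}, Untrusted, "webapp-a", "read"},
	} {
		d := p.Evaluate(r)
		fmt.Printf("%-8s tier=%d %-9s %-6s allow=%-5v %s\n", r.User, r.DeviceTier, r.Service, r.Action, d.Allow, d.Reason)
	}
}
```

Two design points worth noting: the global rules are vetoes and the service rules are grants, so a vendor who is in group G still reaches nothing if their device is untrusted; and a service with no policy at all is denied rather than falling through, which is the behaviour you want when a new hostname appears behind the proxy before anyone has written rules for it.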
14. The Outcome for Google
➔ Google eliminated any dependency on
network segmentation and VPNs
➔ Employees are able to seamlessly access
company resources from any location
➔ Google has better visibility into their
employee activity, and can better protect
their sensitive resources
15. Waymo vs Uber Case Example
➔ Waymo, the self-driving unit spun out of Google, has accused a former employee of
stealing proprietary technology documents
➔ In a deposition, Waymo claims to have evidence of all of his activity on the
company network
➔ Because every request to a resource transits the Access Proxy and is logged there,
the BeyondCorp architecture is a key reason they were able to collect such strong evidence
17. Why Zero Trust Matters
1 Better definition of Corporate Identity that aligns with how employees operate today
2 Access decision making is done with the right contextual information
3 Access controls are centralized with better visibility into employee activity
4 The enforced security measures encourage better corporate security posture
5 The network no longer determines trust, eliminating common attack vectors
19. Corporate Identity Redefined
Is the user in good standing with the company?
Does the user belong to the Engineering org?
Is the user on Team A working on feature X?
...
Is the device in inventory?
Is the device’s disk encrypted?
Is the device’s OS up to date?
...
Corporate Identity = You + Your Device at a Point in Time
21. Revitalizing the AAA Framework +1
Authentication: The new definition of Identity provides a better view of the requestor
Authorization: Access decisions are made in real time based on dynamic conditions
Auditing: Activity and traffic are inspected to identify patterns & anomalies
Alerting: Incorporate workflows to ensure requests are handled properly
Follow the Corporate Identity through the lifecycle of the request
23. Centralized Access Gateway
Safe MitM: A reverse proxy in front of every resource handles every request. Because the gateway terminates TLS on the user’s behalf, it must be the only path to each resource and its own connection to the backend must be authenticated; otherwise it is a choke point that can be walked around.
Consistent Logging: A central point to log all traffic is better to analyze behavior
Inherent Trust: Decouple access decision making from the resources themselves
The Access Gateway should be globally distributed to avoid additional latency
27. Ephemeral Certificates
➔ A Certificate Authority issues single-use
certificates to initiate a secure session
➔ Information about the user and connecting
device can be injected into the certificate
➔ Each certificate is limited in scope and time, so a stolen or intercepted one is
useful only within a narrow window and only for the purpose it was issued for
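The certificate lifecycle described above, as an added example in Go using only the standard library (this is not ScaleFT’s or Google’s implementation). A CA mints a client certificate bound to a user and a device ID, valid for five minutes and scoped to client authentication; the gateway side verifies the chain, the validity window and the scope, then refuses a replay of the same serial, which is what makes the certificate single-use rather than merely short-lived. The CA name, user name and device ID are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is the issuing authority behind the access gateway. Its own certificate
// is long-lived; only the client certificates it mints are ephemeral.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewKey generates a P-256 key pair. A device generates its own and sends the
// CA only the public half, so the private key never leaves the device.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func NewCA() (*CA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-access-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{cert, key}, err
}

// IssueEphemeral mints a client certificate bound to one user and one device,
// valid for ttl from now and scoped to client authentication only.
func (ca *CA) IssueEphemeral(now time.Time, user, deviceID string, ttl time.Duration, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user, OrganizationalUnit: []string{"device:" + deviceID}},
		NotBefore:    now.Add(-30 * time.Second), // tolerate a little clock skew
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Gateway is the access proxy side: it trusts one CA and remembers the serials
// it has accepted so that each certificate is honoured exactly once.
type Gateway struct {
	roots *x509.CertPool
	seen  map[string]bool
}

func NewGateway(ca *CA) *Gateway {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	return &Gateway{roots, map[string]bool{}}
}

// Accept checks chain, validity window at time at and client-auth scope, then
// rejects a replayed serial. It returns the user and device bound in the cert.
func (g *Gateway) Accept(cert *x509.Certificate, at time.Time) (user, device string, err error) {
	opts := x509.VerifyOptions{Roots: g.roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return "", "", err
	}
	serial := cert.SerialNumber.String()
	if g.seen[serial] {
		return "", "", errors.New("certificate already used")
	}
	g.seen[serial] = true
	if ou := cert.Subject.OrganizationalUnit; len(ou) > 0 {
		device = ou[0]
	}
	return cert.Subject.CommonName, device, nil
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	clientKey, _ := NewKey()
	now := time.Now()
	cert, err := ca.IssueEphemeral(now, "alice", "laptop-0042", 5*time.Minute, &clientKey.PublicKey)
	if err != nil {
		panic(err)
	}
	gw := NewGateway(ca)
	for _, at := range []time.Time{now.Add(time.Minute), now.Add(time.Minute), now.Add(10 * time.Minute)} {
		u, d, err := gw.Accept(cert, at) // first use ok, replay refused, third is past NotAfter
		fmt.Printf("at +%v: user=%q device=%q err=%v\n", at.Sub(now), u, d, err)
	}
}
```

In a real deployment the seen-serial set has to be shared across every gateway instance (the slide asks for a globally distributed gateway) and can be pruned once a serial’s NotAfter has passed, since an expired certificate is rejected by the validity check anyway; that is what keeps the replay table bounded.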
29. Where to Start
1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones
2 Take an inventory of all company resources to protect - apps, databases, servers, etc.
3 Take an inventory of all static credentials - shared passwords, ssh keys, etc.
4 Diagram your system architecture and inspect traffic logs to understand behavior
5 Start to collect device state metrics - is the OS up to date? Is the disk encrypted?
30. Determining the Right Policy Framework
➔ User attributes
➔ Device attributes
➔ Location-based rules
➔ Time-based controls
➔ Groups and Roles
➔ Team federation
➔ Resource specific rules
31. Trust Policy Models
Trust Tiers: User and device metrics are analyzed and the requestor is placed in a tier, which must meet or exceed the minimum tier associated with the resource
Trust Scoring: User and device metrics are compiled into a score, which must meet or exceed the minimum level associated with the resource
Trust Assertions: User and device attributes and state are individually matched against an Access Policy, where every assertion must be true
Regardless of the model, Trust follows the principle of Least Privilege
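As an added example (not code from the deck or from any product), the three models side by side in Go, driven by the device questions from the Corporate Identity slide: the same device state is reduced to a tier, to a score, and to a list of named assertions, and each resource states its requirement under all three. The attribute set (with a device certificate as an assumed fourth attribute), the tier boundaries, the score weights and the resource thresholds are choices made for this example. What it demonstrates is that under every model a device missing from inventory is denied no matter what it self-reports about encryption or patch level.

```go
package main

import "fmt"

// DeviceState is what the Device Inventory Service reports for one device at a
// point in time. The slide lists the first three attributes; HasDeviceCert (a
// certificate the corporate CA issued to the device) is an assumed fourth.
type DeviceState struct {
	Name          string
	InInventory   bool
	DiskEncrypted bool
	OSUpToDate    bool
	HasDeviceCert bool
}

type Tier int

const (
	Untrusted Tier = iota
	Low
	Medium
	High
)

func (t Tier) String() string { return []string{"untrusted", "low", "medium", "high"}[t] }

// InferTier is the Trust Tiers model: the device lands in exactly one tier and
// each resource declares the minimum tier it accepts. Boundaries are this example's.
func InferTier(d DeviceState) Tier {
	switch {
	case !d.InInventory:
		return Untrusted
	case !d.DiskEncrypted || !d.OSUpToDate:
		return Low
	case !d.HasDeviceCert:
		return Medium
	}
	return High
}

// Score is the Trust Scoring model: attributes add points and each resource
// declares a minimum score. A device missing from inventory scores zero no
// matter what it self-reports, so the model fails closed. Weights are arbitrary.
func Score(d DeviceState) int {
	if !d.InInventory {
		return 0
	}
	s := 10
	if d.DiskEncrypted {
		s += 40
	}
	if d.OSUpToDate {
		s += 30
	}
	if d.HasDeviceCert {
		s += 20
	}
	return s
}

// assertions are the named predicates a resource may require under the
// Trust Assertions model.
var assertions = map[string]func(DeviceState) bool{
	"in_inventory":    func(d DeviceState) bool { return d.InInventory },
	"disk_encrypted":  func(d DeviceState) bool { return d.DiskEncrypted },
	"os_up_to_date":   func(d DeviceState) bool { return d.OSUpToDate },
	"has_device_cert": func(d DeviceState) bool { return d.HasDeviceCert },
}

// Assert returns the required assertions that did not hold. A name the policy
// misspells is reported as failed rather than silently skipped.
func Assert(d DeviceState, required []string) (failed []string) {
	for _, name := range required {
		if check, ok := assertions[name]; !ok || !check(d) {
			failed = append(failed, name)
		}
	}
	return failed
}

// Resource states its requirement under each of the three models.
type Resource struct {
	Name     string
	MinTier  Tier
	MinScore int
	Requires []string
}

// Allowed evaluates one device against one resource under all three models.
func Allowed(r Resource, d DeviceState) (byTier, byScore, byAssert bool) {
	return InferTier(d) >= r.MinTier, Score(d) >= r.MinScore, len(Assert(d, r.Requires)) == 0
}

func main() {
	resources := []Resource{
		{"source-host", Medium, 80, []string{"in_inventory", "disk_encrypted", "os_up_to_date"}},
		{"wiki", Low, 10, []string{"in_inventory"}},
	}
	devices := []DeviceState{
		{"corp-laptop", true, true, true, true},
		{"stale-laptop", true, true, false, true}, // OS patches missing
		{"byod-phone", false, true, true, false},  // claims encryption, but unknown to inventory
	}
	for _, d := range devices {
		for _, r := range resources {
			byTier, byScore, byAssert := Allowed(r, d)
			fmt.Printf("%-12s -> %-11s tier=%s(%v) score=%d(%v) assertions(%v) failed=%v\n",
				d.Name, r.Name, InferTier(d), byTier, Score(d), byScore, byAssert, Assert(d, r.Requires))
		}
	}
}
```

The assertions model is the most auditable of the three because a denial names the exact predicate that failed, while tiers and scores hide which attribute cost the device its access; scoring in particular lets one strong attribute compensate for a missing one, which is why the inventory gate is applied before any points are counted.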
32. Example User Stories
Behavioral patterns should influence policy definitions
Alice, a release engineer, always uses ssh from her
desktop to login to the build server during a release.
What if a request from Alice to the build server comes
from a laptop during a non-release time?
Bob, who works in staffing, logs into the HR app from his
office desktop every morning at 9AM.
What if a request from Bob to a finance app comes from
outside the office during the evening?
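Turning the two user stories into detection logic, as an added example in Go that runs over constructed sample log lines (not real gateway output and not any product’s code): a per-user baseline of device, location, service and hour of day is built from history, and each new request is scored by how many of those it departs from. The log format, the field names and the allow / step-up / deny thresholds are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Access is one access-gateway log entry: who, from which device, from where,
// to which service, and when. The line format is constructed for this example.
type Access struct {
	User, Device, Location, Service string
	At                              time.Time
}

// Constructed sample history: Alice reaches the build server from her desktop
// mid-morning on release days; Bob opens the HR app from his office desktop at 9am.
const history = `2017-04-03T10:05:00Z alice desktop office build-server
2017-04-17T11:15:00Z alice desktop office build-server
2017-04-03T09:01:00Z bob desktop office hr-app
2017-04-05T08:58:00Z bob desktop office hr-app`

// ParseLog reads "<RFC 3339 time> <user> <device> <location> <service>" lines.
func ParseLog(text string) ([]Access, error) {
	var out []Access
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Access{f[1], f[2], f[3], f[4], at})
	}
	return out, nil
}

// Profile is one user's baseline: every "kind:value" context seen in history,
// including the hours of day (UTC) at which the user was active.
type Profile map[string]bool

func hour(h int) string { return fmt.Sprintf("hour:%02d", (h+24)%24) }

func contexts(a Access) []string {
	return []string{"device:" + a.Device, "location:" + a.Location, "service:" + a.Service}
}

// BuildProfiles folds the history into one Profile per user.
func BuildProfiles(hist []Access) map[string]Profile {
	profiles := map[string]Profile{}
	for _, a := range hist {
		if profiles[a.User] == nil {
			profiles[a.User] = Profile{}
		}
		for _, c := range append(contexts(a), hour(a.At.UTC().Hour())) {
			profiles[a.User][c] = true
		}
	}
	return profiles
}

// Deviations lists how a request departs from the user's baseline. A user with
// no history is reported as anomalous rather than silently allowed.
func Deviations(profiles map[string]Profile, a Access) []string {
	p, ok := profiles[a.User]
	if !ok {
		return []string{"no history for user " + a.User}
	}
	var d []string
	for _, c := range contexts(a) {
		if !p[c] {
			d = append(d, "new "+c)
		}
	}
	// one hour of slack either side of the hours actually seen
	if h := a.At.UTC().Hour(); !p[hour(h-1)] && !p[hour(h)] && !p[hour(h+1)] {
		d = append(d, "unusual "+hour(h))
	}
	return d
}

// Outcome maps the deviation count to an action. The thresholds are an
// assumption of this example; a real policy would also weigh the resource.
func Outcome(devs []string) string {
	switch len(devs) {
	case 0:
		return "allow"
	case 1:
		return "step-up: require fresh MFA"
	}
	return "deny and alert"
}

func main() {
	hist, _ := ParseLog(history)
	profiles := BuildProfiles(hist)
	for _, line := range []string{
		"2017-05-01T13:30:00Z alice desktop office build-server", // only the hour is off
		"2017-05-03T22:30:00Z alice laptop office build-server",  // laptop, late at night
		"2017-05-02T19:45:00Z bob desktop remote finance-app",    // new app, off-site, evening
	} {
		req, _ := ParseLog(line)
		devs := Deviations(profiles, req[0])
		fmt.Printf("%-55s -> %-26s %v\n", line, Outcome(devs), devs)
	}
}
```

Note what the baseline does not carry: it knows nothing about the release calendar, so Alice’s laptop request is caught by the device and hour changes rather than by “non-release time”; feeding that kind of business context into the profile is exactly the workflow integration the Alerting column on the AAA+1 slide asks for.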
33. Access Gateway Vendor Solutions
The Access Gateway is the central component that ties the system together
35. Some Questions to Ask
➔ How will all the components integrate with each other?
➔ How to balance coarse-grained policies with fine-grained policies?
➔ What’s the best way to incorporate additional workflows for specific resources?
➔ What role does Identity Governance play? Can the IdP exist in the cloud?
➔ How to support legacy protocols and specifications consistently? Should you?
➔ How to track and monitor all the devices the employees use?
➔ How does this impact compliance? Where will it help?
36. Potential Market Effects
➔ A new category of Cloud Native solution providers are emerging that are disrupting the
legacy security companies who focus primarily on strengthening perimeter security
➔ Defined market categories such as IAM and PAM will converge into a single Access
Management category that works across privileged and nonprivileged users
➔ The Identity Provider space is about to heat up as cloud-based alternatives to Active
Directory start to break through into the enterprise market
➔ The VPN market is going to be significantly impacted as more companies shift towards a Zero
Trust model that places less (or no) emphasis on network protection as a security measure
37. Where ScaleFT Fits
We help companies achieve their own Zero Trust security architecture
Architecture Reviews: We work closely with companies to design the right Zero Trust architecture for the organization
Platform Implementations: Our Access Management platform can be deployed in any cloud or on-prem environment
Community Development: We are leading the BeyondCorp movement, further educating the market about Zero Trust
38. THANKS!!
Get in touch: ivan.dwyer@scaleft.com | @fortyfivan
www.scaleft.com
www.beyondcorp.com