Presentation given at the BeyondCorp SF Meetup organized by ScaleFT on Mar 9th 2017.
Learn more about BeyondCorp at: www.beyondcorp.com.
Learn more about ScaleFT at: www.scaleft.com
How Zero Trust Changes Identity & Access
1. HOW ZERO TRUST CHANGES IDENTITY & ACCESS
BeyondCorpSF Meetup - Mar 9th 2017
Ivan Dwyer - ivan.dwyer@scaleft.com | @fortyfivan
2. Mitigating insider risk
90% of organizations vulnerable to insider threats in 2015 (Source: Forrester)
80% of security breaches involve privileged credentials (Source: Technavio)
23 authentication events per person every day (Source: NIST)
Mitigating insider risk is a top priority for every organization
3. Mission: To have every Google employee work successfully from untrusted networks without use of a VPN
1. Connecting from a particular network must not determine which services you can access
2. Access to services is granted based on what we know about you and your device
3. All access to services must be authenticated, authorized, and encrypted
Google really got it right with BeyondCorp
6. Employees have traditionally been placed into two buckets*

                   Privileged User      Non-privileged User
Function           IT                   Business
Resources          Infrastructure       Applications
Workflow           Terminal             Web
Role               Admin                Group-based
Credential         Key or Cert          Password
Added Layers       Rotation policy      MFA
Product Category   PAM                  IAM

* Insert gross overgeneralization disclaimer here
7. Building a dynamic user and device profile
Is the user in good standing with the company?
Does the user belong to the Engineering org?
Is the user on Team A working on feature X?
...
Is the device in inventory?
Is the device’s disk encrypted?
Is the device’s OS up to date?
...
10. What do we really want from Access Management?
➔ A unified solution for authentication, authorization, and auditing
➔ A common access policy definition for ABAC & RBAC
➔ The ability to make intelligent access decisions in real-time
➔ A consistent, streamlined workflow for both privileged and non-privileged users
➔ Identity governance decoupled from the system of record
➔ To eliminate the need for network segmentation and static credentials
11. Revitalizing the AAA Framework
Authenticate: verify the identity is who they say they are
Authorize: verify the identity is allowed to access the resource
Audit: verify the identity is doing no harm (intentional or not)
12. The basis for a common Access Policy definition
➔ User attributes
➔ Device attributes
➔ Location-based rules
➔ Time-based controls
➔ Groups and roles
➔ Federation capabilities
➔ Resource-specific rules
13. All requests flow through a centralized access gateway
Diagram: Request resource over SSH, RDP or HTTPS -> Access Gateway (integrating IdP, MFA, CA, Policy Engine and Access Policies) -> Grant? Yes / No. On No, the user asks: "Why was I denied access?"
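To make slides 7, 12 and 13 concrete, here is a small policy engine of the kind the Policy Engine box in the gateway diagram stands for. It is an added example, not ScaleFT or BeyondCorp code: it combines user attributes, device attributes, a resource-specific protocol rule and a time-based control into a single grant/deny decision, and collects every failed check so a denied user gets a real answer to "Why was I denied access?". Notably, the source network is not an input at all (BeyondCorp principle 1). All field names, users, devices, the "prod-bastion" resource and its policy values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    """What the IdP / HR system of record knows about the person (slide 7)."""
    name: str
    in_good_standing: bool
    org: str
    teams: FrozenSet[str]
    mfa_verified: bool            # set by the gateway after the MFA step


@dataclass(frozen=True)
class Device:
    """What device inventory reports about the endpoint (slide 7)."""
    serial: str
    in_inventory: bool
    disk_encrypted: bool
    os_version: Tuple[int, ...]   # e.g. (10, 12, 3); tuples compare lexicographically


@dataclass(frozen=True)
class Policy:
    """One resource-specific access policy (slide 12). Field names are assumptions."""
    resource: str
    protocols: FrozenSet[str]     # which of ssh / rdp / https the gateway may broker
    min_os: Tuple[int, ...]
    required_org: Optional[str] = None
    required_team: Optional[str] = None
    allowed_hours_utc: range = range(0, 24)   # time-based control


def evaluate(user: User, device: Device, policy: Policy,
             protocol: str, now: datetime) -> Tuple[bool, List[str]]:
    """Return (granted, reasons).

    Every check runs even after the first failure, so the denial message is
    complete rather than just the first thing that went wrong. There is
    deliberately no source-IP or network parameter: the network a request
    arrives from must not determine which services can be accessed.
    """
    reasons: List[str] = []
    # Resource-specific rule: how this resource may be reached.
    if protocol not in policy.protocols:
        reasons.append(f"protocol {protocol} is not allowed for {policy.resource}")
    # User attributes.
    if not user.in_good_standing:
        reasons.append("user is not in good standing")
    if not user.mfa_verified:
        reasons.append("MFA not completed")
    if policy.required_org and user.org != policy.required_org:
        reasons.append(f"user is not in the {policy.required_org} org")
    if policy.required_team and policy.required_team not in user.teams:
        reasons.append(f"user is not on team {policy.required_team}")
    # Device attributes.
    if not device.in_inventory:
        reasons.append(f"device {device.serial} is not in inventory")
    if not device.disk_encrypted:
        reasons.append("device disk is not encrypted")
    if device.os_version < policy.min_os:
        have = ".".join(map(str, device.os_version))
        want = ".".join(map(str, policy.min_os))
        reasons.append(f"device OS {have} is below the minimum {want}")
    # Time-based control.
    if now.hour not in policy.allowed_hours_utc:
        reasons.append(f"access to {policy.resource} is not permitted at {now.hour:02d}:00 UTC")
    return (not reasons, reasons)


# Constructed sample data (not from the talk).
PROD_BASTION = Policy(
    resource="prod-bastion",
    protocols=frozenset({"ssh"}),
    min_os=(10, 12),
    required_org="Engineering",
    required_team="team-a",
    allowed_hours_utc=range(6, 22),
)
ALICE = User("alice", True, "Engineering", frozenset({"team-a"}), True)
BOB = User("bob", True, "Sales", frozenset(), True)
MANAGED_LAPTOP = Device("C02AB12CD", True, True, (10, 12, 3))
STALE_LAPTOP = Device("C02XY98ZW", True, False, (10, 11, 6))
DURING_HOURS = datetime(2017, 3, 9, 18, 0, tzinfo=timezone.utc)
AFTER_HOURS = datetime(2017, 3, 9, 3, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    for who, dev, proto, when in [(ALICE, MANAGED_LAPTOP, "ssh", DURING_HOURS),
                                  (BOB, MANAGED_LAPTOP, "ssh", DURING_HOURS),
                                  (ALICE, STALE_LAPTOP, "ssh", DURING_HOURS),
                                  (ALICE, MANAGED_LAPTOP, "rdp", AFTER_HOURS)]:
        granted, reasons = evaluate(who, dev, PROD_BASTION, proto, when)
        print(f"{who.name}: {'GRANT' if granted else 'DENY'}  {'; '.join(reasons)}")
```

The same `evaluate` call sits behind every protocol the gateway brokers, which is the "common access policy definition" point of slide 10: the privileged SSH user and the non-privileged HTTPS user are judged by one policy language rather than by a PAM product and an IAM product with different rule sets.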
14. Some questions to ponder
➔ How will all the components integrate with each other?
➔ How to balance coarse-grained policies with fine-grained policies?
➔ Where do the access policies line-up with the shared responsibility principles of IaaS?
➔ What’s the best way to incorporate approval workflows to specific resources?
➔ Can the Identity system of record exist in the cloud?
➔ How to support legacy protocols and specifications consistently? (Should you?)
➔ How to track and monitor all the devices (managed and BYOD) that employees use?
17. Zero Trust security measures encourage better overall practices
➔ Keep devices up-to-date with the latest software
➔ Maintain an inventory of employee devices
➔ Monitor all endpoints & log all traffic
➔ Only communicate over fully encrypted channels
➔ Incorporate multi-factor auth
➔ Eliminate static credentials
18. We will start to see significant market effects
➔ A new category of Cloud Native solution providers is emerging that is disrupting the legacy security companies who focus primarily on strengthening perimeter security
➔ Defined market categories such as IAM and PAM will converge into a single Access Management category that works across privileged and non-privileged users
➔ The Identity Provider space is about to heat up as cloud-based alternatives to Active Directory start to break through into the enterprise market
➔ The VPN market is going to be significantly impacted as more companies shift towards a Zero Trust model that places less (or no) emphasis on network protection as a security measure
19. Where does ScaleFT fit in the picture?
ScaleFT is the leading Zero Trust Access Management provider
Architecture Reviews: We work closely with you to design the right Zero Trust architecture for your organization
Platform Implementations: The ScaleFT platform can be operated as a SaaS or as a dedicated deployment in any cloud environment
Community Efforts: We are leading the BeyondCorp movement, further educating the market about Zero Trust
20. THANKS!!
Get in touch: ivan.dwyer@scaleft.com | @fortyfivan
www.scaleft.com
www.beyondcorp.com