Last night I went to the local ISACA event where Google was talking about their 6-year journey towards their BeyondCorp / ZeroTrust model for security. As we move away from the traditional walled castle of security design to support the federated SaaS and cloud provider models I genuinely believe BeyondCorp is the best solution to keep our organizations safe. Their model is very similar to what we have implemented at multiple government organizations in extremely sensitive operating environments.
For those that haven’t dug into BeyondCorp, here is a link to the current papers Google has released about the concept and their deployment journey. The gist is by turning your network inside out you take a user identity and device-centric approach to security. By continually validating devices, assigning them trust levels, and tying that to trusted user identities you can more easily spot and stop bad actors from using compromised credentials and devices against your corporate resources.
Some of the key takeaways from Google’s talk that I took were:
- Google has spent six years migrating towards this model and is only halfway complete migrating all the users and devices over. Admittedly they spent the first 2+ years just deciding on what the new solution would look like and building prototypes. However, this speaks to the impact and long-term commitment to the project.
- Executive buy-in was key. Much of this work was started after the hack they saw in 2010 with compromised accounts and devices being used to horizontally move across their network. The team was challenged to prevent this from ever happening again. However, the not only did technology change but significant business processes. They created new job titles to reclassify all their employees into roles. Imagine your IAM implementation having the power to reclassify every employee title in the company.
- The more of your applications that are already web-based, the more seamless a transition is going to be. With much of the model utilizing SAML, OIDC, and HTTPS proxies it’s evident that these HTTP based apps are ideal candidates. Specifically, they mentioned non-HTTP applications like Oracle Financials as pain points. Boy, do I know that pain well.
Many of these lessons learned sounds like traditional identity and access management project problems to me. When you look into the BeyondCorp solution, it is the blueprint for one of the worlds largest organizations identity and access management program.
My most significant takeaway, however, is something that every organization we’ve worked with continues to struggle with today. The importance of marrying user identity, device inventory and physical access controls together to build a reliable network of trust. The fundamentals of identity and access management.
Per the Verizon Data Breach Investigation Report, 81% of breaches utilize compromised credentials, and 82% used compromised devices. 95% of these incidents involved harvesting credentials stolen from customer devices. We have a hard enough time protecting our networks from attackers looking at irregular traffic patterns and failed logins. Imagine the difficulty of trying to find a bad actor among known users with valid credentials from a trusted device. We are truly asking our SOC teams to find needles in a haystack.
To be successful with the next wave of security solutions, organizations are going to have to buckle down and get user identity management, device inventories, and physical access control systems talking to each other. Only by utilizing the data held in these ordinarily disparate systems we can develop robust access control policies and authorization policies and engines to protect ourselves.
Companies are going to have to maintain inventories of the devices they issue employees, the software they’ve put on those devices, plug-ins in the browsers and the hardware contained within. When any of those things change, they need to validate and approve the changes within their trust platform. Either having the user who was issued the device confirm the changes or by an IT administrator before the device is allowed to connect to corporate resources. Ultimately establishing a trusted platform for all the devices connecting to the company’s applications and a standard interface to get to this information in real time for authorization decisions.
Similarly, on the user identity side, organizations are going to have to take employee joiner, mover and leaver processes more seriously. Regularly certifying user access and trust with data owners based on the user’s role within the organization. Especially, as an employee stays with the company and changes roles throughout their career gaining additional access at each step without anything being revoked. Additionally, too many times we see employees separating from an organization but still have physical access to buildings, logical access to VPNs and remote desktop utilities, or existing open sessions to Office 365 on their home machines. Yes, this happens all the time in very large organizations. I believe that last number I saw had over 50% of organizations taking more than 30 days to complete the employee de-provisioning process.
Once device trust is established and user identities are effectively governed, we will need to tie them together and create a tight relationship to enforce access. When either device or user trust is broken or start to show abnormal behaviors we have to raise flags to implement additional authentication factors to re-establish trust or prevent access. Adding in physical access controls understanding when a person has badged in and out of buildings adds a significant level of confidence to the networks and protecting an organization’s data. Only when these things come together can we truly start finding the bad actors hiding among the good ones in our organizations.
We have a long history of building identity-centric trusted security platforms across the government space with device level certificates, trusted platform modules, user PKI/PIV certificates, and PACS integrations. Over the next couple months, you’ll see us start sharing some more of the work we’ve done and ideas we have around the BeyondCorp and the shifting identity and access management space. Exciting times to be an identity and access management professional.