BeyondCorp: Beyond fortress security BA.net Private Cloud Office
Open Source Software: freedom, flexibility, low cost, no vendor lock-in, no jumping through monopoly license hoops.
● BYOD
● Local software
● Hybrid cloud
● Retire old firewalls
● New security model: zero trust
● Corporate access proxy
New hybrid cloud model: risks and threats
How some enterprises think of security: a fortress with a wall around the corporate network. But there are issues with this approach...
Four issues that are wrecking the castle approach:
● Cloud services
● Mobile workforce
● Plethora of devices
● Breaches
Access yesterday: On-premises walled gardens
(Diagram: an employee connects over VPN to on-prem identity, the ERP server and the CRM server.)
» What about contractors?
Evolution: Not just employees with corporate devices
(Diagram: a contractor now also connects over VPN to the on-prem identity, ERP and CRM servers; the contractor gets unintended CRM access.)
» What about the cloud?
Evolution: Infrastructure goes hybrid-cloud
(Diagram: ERP and CRM move to VMs in the cloud; employee and contractor still reach identity on-prem through the VPN.)
» What about single sign on?
Evolution: Identity goes hybrid-cloud
(Diagram: identity also runs as a VM alongside ERP and CRM; now everything is either local software or cloud replicated.)
» What threats are there in this new cloud world?
Problems in the new cloud world:
● XSS / SQL injection?
● Man in the middle?
● Phishing?
● Malware?
● No chokepoint to enforce access control?
» What should I do?
BeyondCorp’s realization: WALLS DON’T WORK
Solutions:
● App security scans
● TLS
● Device keys
● Security management
● Access proxy: a proxy for access control and TLS termination in front of ERP, CRM and identity, based on the BeyondCorp vision
» So what’s the ideal?
I want my Office application service to be:
● Accessed only by employees
● From well-managed client devices
● In home country
● Using strong user authentication
● And proper transport encryption and
● Hardened against application attacks
Implementing BeyondCorp
Core principles of BeyondCorp:
1. Access from any network
2. Context-based access
3. Authenticated, authorized, encrypted
High level architecture:
(Diagram: the user inventory, device inventory, security policy and trust repository feed an access control engine; the access proxy and single sign on sit in front of it.)
Know your people
● User inventory
● Job function changes
Know your devices
● Device inventory
● Asset tracking
● Procurement, provisioning, end of life
● Certificates
Dynamic trust repository
● Inputs: device inventory, people, certificates, policies
● Output: level of trust
Access policy
● A service request is evaluated by the access control engine against the user inventory, device inventory, trust repository and security policy
Access from anywhere
● Access proxy
● Access control engine
● Single sign on
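Added example (not code from the slides, BA.net or the BeyondCorp papers): a minimal access control engine that decides a service request the way the slides describe, from what is known about the user and the device rather than from the network it came from. The user inventory, device inventory, trust tiers and per-service policy are constructed for illustration; the "office" policy mirrors the ideal list above (employees only, well-managed device, home country, strong authentication, encrypted transport). Every failed check is collected so the proxy log explains a deny.

```python
from dataclasses import dataclass

# Constructed user inventory (assumed data, not from the slides).
USER_INVENTORY = {
    "alice": {"type": "employee",   "job_function": "finance", "active": True},
    "bob":   {"type": "contractor", "job_function": "sales",   "active": True},
    "carol": {"type": "employee",   "job_function": "eng",     "active": False},
}

# Constructed device inventory: assigned owner, centrally managed or not,
# device certificate validity, and patch state.
DEVICE_INVENTORY = {
    "dev-001": {"owner": "alice", "managed": True,  "cert_valid": True,  "patched": True},
    "dev-002": {"owner": "bob",   "managed": False, "cert_valid": False, "patched": True},
    "dev-003": {"owner": "alice", "managed": True,  "cert_valid": True,  "patched": False},
}

# Trust tiers in ascending order; the trust repository maps a device to one.
TRUST_ORDER = ["untrusted", "byod", "managed_stale", "fully_managed"]

# Per-service security policy (assumed), mirroring the "ideal" list.
SERVICE_POLICY = {
    "office": {
        "allowed_user_types": {"employee"},
        "min_trust": "fully_managed",
        "allowed_countries": {"US"},
        "require_mfa": True,
    },
    "crm": {
        "allowed_user_types": {"employee", "contractor"},
        "allowed_job_functions": {"sales", "finance"},
        "min_trust": "managed_stale",
        "allowed_countries": {"US", "GB"},
        "require_mfa": True,
    },
}


def device_trust_tier(device_id):
    """Trust repository: derive a tier from inventory facts. An unknown device
    or an invalid device certificate is untrusted regardless of anything else."""
    d = DEVICE_INVENTORY.get(device_id)
    if d is None or not d["cert_valid"]:
        return "untrusted"
    if not d["managed"]:
        return "byod"
    return "fully_managed" if d["patched"] else "managed_stale"


@dataclass
class Request:
    user: str
    device_id: str
    service: str
    country: str
    mfa: bool   # strong user authentication completed at single sign on
    tls: bool   # TLS negotiated at the access proxy


def evaluate(req):
    """Access control engine. Returns (allowed, reasons); every failed check
    is recorded so the proxy log says why, not just that access was denied."""
    policy = SERVICE_POLICY.get(req.service)
    if policy is None:
        return False, ["unknown service"]
    user = USER_INVENTORY.get(req.user)
    if user is None or not user["active"]:
        return False, ["user not in inventory or deactivated"]
    reasons = []
    if user["type"] not in policy["allowed_user_types"]:
        reasons.append(f"user type {user['type']} not allowed")
    allowed_jobs = policy.get("allowed_job_functions")
    if allowed_jobs and user["job_function"] not in allowed_jobs:
        reasons.append(f"job function {user['job_function']} not allowed")
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or device["owner"] != req.user:
        reasons.append("device unknown or not assigned to this user")
    tier = device_trust_tier(req.device_id)
    if TRUST_ORDER.index(tier) < TRUST_ORDER.index(policy["min_trust"]):
        reasons.append(f"device trust {tier} below required {policy['min_trust']}")
    if req.country not in policy["allowed_countries"]:
        reasons.append(f"access from {req.country} not allowed")
    if policy["require_mfa"] and not req.mfa:
        reasons.append("strong user authentication required")
    if not req.tls:
        reasons.append("transport not encrypted")
    return not reasons, reasons


if __name__ == "__main__":
    for r in (Request("alice", "dev-001", "office", "US", True, True),
              Request("bob", "dev-002", "crm", "US", True, True),
              Request("alice", "dev-003", "office", "US", True, True)):
        ok, why = evaluate(r)
        print(f"{r.user}/{r.device_id} -> {r.service}:", "ALLOW" if ok else "DENY", why)
```

Note that the decision never looks at a source IP or VLAN: a contractor on an unmanaged laptop with an expired device certificate is denied the CRM even from inside the building, and an employee on a fully managed device is allowed from home. The trust tier is recomputed per request from the inventories, so a device that falls behind on patches drops a tier without anyone editing the policy.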
Migrating to BeyondCorp
New unprivileged network: new VLAN + add devices + deploy
Traffic analysis
Safely migrate devices
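Added example (not from the slides or from BA.net) of how the traffic analysis step decides which devices can be moved to the new unprivileged VLAN safely. The flow log format, the catalog of services already behind the access proxy and the internal DNS suffix are all constructed assumptions. A device whose observed traffic goes only to proxied services or the public internet is ready to move; a device still talking to an internal host that is not behind the proxy would break if moved, and the report also ranks those legacy hosts by how many devices each one is holding back.

```python
from collections import defaultdict

# Assumed catalog of services already published behind the access proxy.
PROXIED_SERVICES = {"crm.corp.example", "erp.corp.example", "sso.corp.example"}
# Assumed internal DNS suffix; anything under it that is not proxied still
# needs the privileged network (or VPN) and therefore blocks migration.
INTERNAL_SUFFIX = ".corp.example"

# Constructed flow records captured on the privileged network:
# "timestamp device dst_host dst_port proto"
FLOW_LOG = """\
2024-05-01T09:00:01 dev-001 crm.corp.example 443 tcp
2024-05-01T09:00:05 dev-001 sso.corp.example 443 tcp
2024-05-01T09:01:00 dev-002 erp.corp.example 443 tcp
2024-05-01T09:01:30 dev-002 fileshare.corp.example 445 tcp
2024-05-01T09:02:00 dev-003 printer.corp.example 9100 tcp
2024-05-01T09:02:10 dev-003 fileshare.corp.example 445 tcp
2024-05-01T09:03:00 dev-004 www.example.org 443 tcp
malformed line that the parser must skip
"""


def parse_flows(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, device, host, port, proto = parts
        flows.append({"ts": ts, "device": device, "host": host,
                      "port": int(port), "proto": proto})
    return flows


def classify_destination(host, port):
    """proxied: reachable from the unprivileged VLAN through the access proxy.
    legacy_internal: still only reachable from the privileged network
    (this includes a non-TLS port on an otherwise proxied host).
    external: public internet, unaffected by the move."""
    if host in PROXIED_SERVICES and port == 443:
        return "proxied"
    if host.endswith(INTERNAL_SUFFIX):
        return "legacy_internal"
    return "external"


def migration_report(flows):
    """Which devices can move to the unprivileged VLAN now, which are held
    back by which legacy destinations, and which legacy services to put
    behind the proxy next (ordered by how many devices they would unblock)."""
    blockers_by_device = defaultdict(set)
    devices_by_blocker = defaultdict(set)
    for f in flows:
        dests = blockers_by_device[f["device"]]   # registers the device even if clean
        if classify_destination(f["host"], f["port"]) == "legacy_internal":
            dests.add(f["host"])
            devices_by_blocker[f["host"]].add(f["device"])
    ready = sorted(d for d, b in blockers_by_device.items() if not b)
    blocked = {d: sorted(b) for d, b in blockers_by_device.items() if b}
    onboard_next = sorted(devices_by_blocker,
                          key=lambda h: (-len(devices_by_blocker[h]), h))
    return {"ready": ready, "blocked": blocked, "onboard_next": onboard_next}


if __name__ == "__main__":
    print(migration_report(parse_flows(FLOW_LOG)))
```

The point of running this before moving anyone is the third slide principle, migrate carefully so as not to break existing users: a device is only moved when the capture window shows no dependency on the privileged network, and the legacy services are onboarded to the proxy in the order that frees the most devices.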
Better loaners
BeyondCorp Papers
● An overview: A New Approach to Enterprise Security
● Front-end infrastructure: The Access Proxy
● Migrating to BeyondCorp: Maintaining Productivity While Improving Security
● The Human Element: The User Experience
Lessons learned: What 7 years taught us about migrating services to the cloud
Lessons learned migrating to hybrid cloud
● Get, and retain, executive support
● Enable painless migration
● Run highly reliable systems
Remember:
1. Have zero trust in your network
2. Base all access decisions on what you know about the user and their device
3. Migrate carefully so as not to break existing users
Thank you