Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
BeyondCorp: Beyond fortress securityBA.net Private Cloud Office
Open Source SoftwareFreedom, flexibility, low cost, no vendor lock-in, nojumping through monopoly license hoops, byod, localsoftware, hybrid cloud, retire old firewalls, new securitymodel zero trust, corporate access proxy.
New hybrid cloud model:risks and threats
How some enterprisesthink of security
But there are issues with this approach...
Four issues that are wrecking the castle approach
Mobileworkforce
Breaches Plethora ofdevices
Cloud services
5
ERP
SERVER
Access yesterday:On-premises walled gardens
VPN
On Prem
IdentityCRM
SERVER» What about contractors?
6
Employee
On-prem
ERP
SERVER
Evolution:Not just employees with corporate devices
VPN IdentityCRM
SERVERContractor
Unintended CRM accessfor contractor
Employee
» What about the cloud?7
On-prem
Evolution:Infrastructure goeshybrid-cloud
VPN Identity
CRM
VM
ERP
VM
» What about single sign on?8
Contractor
Employee
Evolution:Identity goeshybrid-cloud
IdentityCRM
VM
ERP
VM
Now everything is either local softwareor cloud replicated
» What threats are there in this new cloud world?9
Contractor
Employee
Problems
IdentityCRM
VM
ERP
VM
Phishing? Malware?
Man in theMiddle?
No chokepoint to enforceaccess control?
» What should I do?
XSS/SQL injection?
10
Contractor
Employee
WALLS DON’T WORK
BeyondCorp’s realization
Solutions
IdentityCRM
VM
ERP
VMSecurity
keysDevice
management
TLS
Proxy for accesscontrol, TLS
termination, basedon BeyondCorp
visionAc
cess
prox
y
» So what’s the ideal?
App securityscans
12
Contractor
Employee
I want my Office application service to be:
● Accessed only by employees● From well-managed client devices● In home country● Using strong user authentication● And proper transport encryption and● Hardened against application attacks
13
Implementing BeyondCorp
3Authenticated
AuthorizedEncrypted
Core principles of BeyondCorp:
Any network Context-basedaccess
2v1
15
High level
Access proxy
Single sign on
Accesscontrolengine
Userinventory
Device inventory
Trust repository
Security policy
16
Know your people
User inventoryJob functionchanges
17
Know your devices
Procurement End oflife
Provisioning
Asset tracking Certificates
Device inventory
18
Dynamic trust repository
Policies Deviceinventory
PeopleLevel of trust
Certificates
Trust repository
19
Access policy
Service request
Accesscontrolengine
Userinventory
Device inventory
Trust repository
Security policy
20
Access from anywhere
Access proxy
Single sign on
Accesscontrolengine
21
Migrating to BeyondCorp
New unprivileged network
New VLAN Add devices Deploy
+ +
23
Traffic analysis
24
Safely migrate devices
25
Better loaners
● An overview: A New Approach to Enterprise Security● Front-end infrastructure: The Access Proxy● Migrating to BeyondCorp: Maintaining Productivity
While Improving Security● The Human Element: The User Experience
BeyondCorp Papers
27
Lessons learned:What 7 years taught us aboutmigrating services to the cloud
Lessons learned migrating to hybridcloud
Get, and retain, executive supportEnable painless migrationRun highly reliable systems
29
Lessons learned migrating to hybridcloud
Get, and retain, executive supportEnable painless migrationRun highly reliable systems
30
31
Migrate carefullyso as not to breakexisting users
3Base all access
decisions on what youknow about the user
and their device
2Have zero trustin your network
v1
Remember:
Thank you