BeyondCorp: Beyond fortress securityBA.net Private Cloud Office

Open Source SoftwareFreedom, flexibility, low cost, no vendor lock-in, nojumping through monopoly license hoops, byod, localsoftware, hybrid cloud, retire old firewalls, new securitymodel zero trust, corporate access proxy.

New hybrid cloud model:risks and threats

How some enterprisesthink of security

But there are issues with this approach...

Four issues that are wrecking the castle approach

Mobileworkforce

Breaches Plethora ofdevices

Cloud services

5

ERP

SERVER

Access yesterday:On-premises walled gardens

VPN

On Prem

IdentityCRM

SERVER» What about contractors?

6

Employee

On-prem

ERP

SERVER

Evolution:Not just employees with corporate devices

VPN IdentityCRM

SERVERContractor

Unintended CRM accessfor contractor

Employee

» What about the cloud?7

On-prem

Evolution:Infrastructure goeshybrid-cloud

VPN Identity

CRM

VM

ERP

VM

» What about single sign on?8

Contractor

Employee

Evolution:Identity goeshybrid-cloud

IdentityCRM

VM

ERP

VM

Now everything is either local softwareor cloud replicated

» What threats are there in this new cloud world?9

Contractor

Employee

Problems

IdentityCRM

VM

ERP

VM

Phishing? Malware?

Man in theMiddle?

No chokepoint to enforceaccess control?

» What should I do?

XSS/SQL injection?

10

Contractor

Employee

WALLS DON’T WORK

BeyondCorp’s realization

Solutions

IdentityCRM

VM

ERP

VMSecurity

keysDevice

management

TLS

Proxy for accesscontrol, TLS

termination, basedon BeyondCorp

visionAc

cess

prox

y

» So what’s the ideal?

App securityscans

12

Contractor

Employee

I want my Office application service to be:

● Accessed only by employees● From well-managed client devices● In home country● Using strong user authentication● And proper transport encryption and● Hardened against application attacks

13

Implementing BeyondCorp

3Authenticated

AuthorizedEncrypted

Core principles of BeyondCorp:

Any network Context-basedaccess

2v1

15

High level

Access proxy

Single sign on

Accesscontrolengine

Userinventory

Device inventory

Trust repository

Security policy

16

Know your people

User inventoryJob functionchanges

17

Know your devices

Procurement End oflife

Provisioning

Asset tracking Certificates

Device inventory

18

Dynamic trust repository

Policies Deviceinventory

PeopleLevel of trust

Certificates

Trust repository

19

Access policy

Service request

Accesscontrolengine

Userinventory

Device inventory

Trust repository

Security policy

20

Access from anywhere

Access proxy

Single sign on

Accesscontrolengine

21

Migrating to BeyondCorp

New unprivileged network

New VLAN Add devices Deploy

+ +

23

Traffic analysis

24

Safely migrate devices

25

Better loaners

● An overview: A New Approach to Enterprise Security● Front-end infrastructure: The Access Proxy● Migrating to BeyondCorp: Maintaining Productivity

While Improving Security● The Human Element: The User Experience

BeyondCorp Papers

27

Lessons learned:What 7 years taught us aboutmigrating services to the cloud

Lessons learned migrating to hybridcloud

Get, and retain, executive supportEnable painless migrationRun highly reliable systems

29

Lessons learned migrating to hybridcloud

Get, and retain, executive supportEnable painless migrationRun highly reliable systems

30

31

Migrate carefullyso as not to breakexisting users

3Base all access

decisions on what youknow about the user

and their device

2Have zero trustin your network

v1

Remember:

Thank you