BeyondCorp: Beyond fortress security BA.net Private Cloud Office - - PowerPoint PPT Presentation
Open Source Software
Freedom, flexibility, low cost, no vendor lock-in, no jumping through monopoly license hoops, BYOD, local software, hybrid cloud, retire old firewalls, new security model (zero trust), corporate access proxy.
New hybrid cloud model: risks and threats
How some enterprises think of security
But there are issues with this approach...
Four issues that are wrecking the castle approach
- Mobile workforce
- Breaches
- Plethora of devices
- Cloud services
Access yesterday: On-premises walled gardens
[Diagram: VPN into the on-prem network hosting Identity, the CRM server and the ERP server]
» What about contractors?
Evolution: Not just employees with corporate devices
[Diagram: employee and contractor reach Identity, the CRM server and the ERP server over the VPN; unintended CRM access for the contractor]
» What about the cloud?
Evolution: Infrastructure goes hybrid-cloud
[Diagram: on-prem VPN and Identity, with the CRM VM and ERP VM now in the cloud]
» What about single sign on?
Evolution: Identity goes hybrid-cloud
[Diagram: contractor and employee reach Identity, the CRM VM and the ERP VM]
Now everything is either local software or cloud replicated.
» What threats are there in this new cloud world?
Problems
[Diagram: contractor and employee reach Identity, the CRM VM and the ERP VM]
Phishing? Malware? Man in the middle? XSS/SQL injection? No chokepoint to enforce access control?
» What should I do?
WALLS DON’T WORK
BeyondCorp’s realization
Solutions
[Diagram: contractor and employee reach Identity, the CRM VM and the ERP VM through an access proxy]
- Security keys
- Device management
- TLS
- Proxy for access control and TLS termination, based on the BeyondCorp vision
- App security scans
» So what’s the ideal?
I want my Office application service to be:
- Accessed only by employees
- From well-managed client devices
- In home country
- Using strong user authentication
- And proper transport encryption
- Hardened against application attacks
Implementing BeyondCorp
Core principles of BeyondCorp:
- Any network
- Context-based access
- Authenticated, authorized, encrypted
High level
- Access proxy, single sign on
- Access control engine
- User inventory, device inventory, trust repository, security policy
Know your people
- User inventory
- Job function changes
Know your devices
- Device inventory
- Procurement, end of life, provisioning, asset tracking, certificates
Dynamic trust repository
- Trust repository
- Policies, device inventory, people, certificates
- Level of trust
Access policy
- Service request
- Access control engine
- User inventory, device inventory, trust repository, security policy
Access from anywhere
- Access proxy, single sign on
- Access control engine
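The slides name the parts of the engine (user inventory, device inventory, trust repository, security policy) and earlier list what the Office service should require (employees only, well-managed devices, home country, strong authentication, transport encryption). The following is an added example, not BA.net's code and not part of the deck, showing one way those parts fit together: a small access control engine that takes a service request arriving at the access proxy and decides it purely from what is known about the user and device, never from which network the request came from. All inventory entries, service names, country codes and the trust tiers are constructed sample data.

```python
"""Toy BeyondCorp-style access control engine (added example, constructed data)."""
from dataclasses import dataclass, field

# --- Inventories and policy (constructed sample data) ------------------------
USER_INVENTORY = {
    "alice": {"type": "employee", "job_function": "finance"},
    "bob":   {"type": "contractor", "job_function": "support"},
}

DEVICE_INVENTORY = {
    # device_id -> facts from provisioning / asset tracking / certificate issuance
    "laptop-001": {"managed": True,  "cert_valid": True,  "patched": True},
    "laptop-002": {"managed": True,  "cert_valid": True,  "patched": False},
    "byod-777":   {"managed": False, "cert_valid": False, "patched": True},
}

# Security policy per service: minimum device trust, allowed user types,
# allowed countries, and whether strong (MFA) authentication is required.
SECURITY_POLICY = {
    "office": {"min_trust": "high", "user_types": {"employee"},
               "countries": {"AR"}, "require_mfa": True},
    "crm":    {"min_trust": "medium", "user_types": {"employee", "contractor"},
               "countries": {"AR", "UY"}, "require_mfa": True},
}

TRUST_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


def trust_level(device_id: str) -> str:
    """Dynamic trust repository: derive a trust tier from device inventory facts."""
    dev = DEVICE_INVENTORY.get(device_id)
    if dev is None:
        return "none"                      # unknown device: no trust at all
    if not dev["managed"] or not dev["cert_valid"]:
        return "low"                       # unmanaged or no valid device certificate
    return "high" if dev["patched"] else "medium"


@dataclass
class ServiceRequest:
    user: str
    device_id: str
    service: str
    country: str
    mfa_passed: bool   # strong user authentication (e.g. security key) completed at SSO
    tls: bool          # request reached the access proxy over TLS
    # Note: no source-network field. Per the "any network" principle the
    # engine does not care whether the client is on the office LAN or not.


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why access was denied, for logging


def decide(req: ServiceRequest) -> Decision:
    """Access control engine: every check must pass; all failures are collected."""
    policy = SECURITY_POLICY.get(req.service)
    if policy is None:
        return Decision(False, ["unknown service"])
    reasons = []

    user = USER_INVENTORY.get(req.user)
    if user is None:
        reasons.append("user not in inventory")
    elif user["type"] not in policy["user_types"]:
        reasons.append(f"user type {user['type']} not permitted")

    level = trust_level(req.device_id)
    if TRUST_LEVELS[level] < TRUST_LEVELS[policy["min_trust"]]:
        reasons.append(f"device trust {level} below required {policy['min_trust']}")

    if req.country not in policy["countries"]:
        reasons.append(f"country {req.country} not permitted")
    if policy["require_mfa"] and not req.mfa_passed:
        reasons.append("strong authentication not completed")
    if not req.tls:
        reasons.append("request not encrypted in transit")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    for r in (ServiceRequest("alice", "laptop-001", "office", "AR", True, True),
              ServiceRequest("bob", "laptop-001", "office", "AR", True, True),
              ServiceRequest("alice", "byod-777", "crm", "AR", True, True)):
        d = decide(r)
        print(r.user, r.device_id, r.service, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The reasons list is deliberately exhaustive rather than stopping at the first failure: the deny log then shows the contractor on an unpatched device that every condition was evaluated, which is what the SOC wants when tuning policy and what the migration team wants when checking that a new VLAN or device batch is not being blocked for an unexpected reason.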
Migrating to BeyondCorp
New unprivileged network
- New VLAN + add devices + deploy
Traffic analysis
Safely migrate devices
Better loaners
BeyondCorp Papers
- An overview: A New Approach to Enterprise Security
- Front-end infrastructure: The Access Proxy
- Migrating to BeyondCorp: Maintaining Productivity While Improving Security
- The Human Element: The User Experience
Lessons learned: What 7 years taught us about migrating services to the cloud
Lessons learned migrating to hybrid cloud
- Get, and retain, executive support
- Enable painless migration
- Run highly reliable systems
1. Have zero trust in your network
2. Base all access decisions on what you know about the user and their device
3. Migrate carefully so as not to break existing users