ScaleFT’s Zero Trust Platform: An Adaptive Fabric for Access Management

In 2014, four years after getting hacked by the Chinese government, Google published a paper outlining the security technology that they developed in response to the attacks.
The paper, known as BeyondCorp, detailed Google’s new approach to security. According to BeyondCorp, Google shifted access controls from the network to the user, without the need for a virtual private network (VPN). Google’s approach to network security puts emphasis on what the system knows about the user and device. It places no trust in the network the user logged in from. It does not allow blanket access to services. Everything must be “authenticated, authorized and encrypted.”
BeyondCorp has a clear mission, stating “To have every Google employee work successfully from untrusted networks without use of a VPN.” VPNs are not well loved. They reflect the historical corporate tendency to use firewalls as a way to protect infrastructure. But as is well documented, the approach poses some real issues when hackers punch through the perimeter and get access to the company intranet. Mobile and cloud technologies make the network ever more porous, which has led to even further doubts about traditional security practices using VPNs.
A team from Rackspace found that they had taken an approach similar to Google’s. That team included the founders of ScaleFT, now a startup in San Francisco that has built a zero-trust platform that is programmable and real-time across servers and applications. The system adapts to changes that may be tied to an automated action that leads to an attempted hack. For example, the service may prompt a user to re-authenticate if there is a login from an unknown location.
“Our team also believed the perimeter was the wrong approach because there are more mobile devices, more remote workers, more cloud applications. Bringing things down to the network was no longer effective,” said Ivan Dwyer, vice president of product marketing at ScaleFT.
ScaleFT recently launched a pre-release program for Access Fabric, the heart of its zero-trust access management platform. The platform covers both server protection, backed by ephemeral client certificates that are limited in scope and time to each request, and web access for employees, whether they are working in the office or accessing company assets remotely.
It puts controls at the application layer rather than the network layer, Dwyer explained.
Micro-perimeters are placed around specific data or assets so more granular rules can be enforced. With the network treated solely as transport, authentication and authorization become more independent services. Access control becomes a globally distributed system capable of making really fast decisions.
No Default Trust
Forrester Research coined the term “zero trust,” meaning there is no default trust for any users, devices, applications or packets — all have to be authenticated and authorized every time, in real time.
This is done through a strict, micro-granular security model that ties security to individual workloads and automatically provisions policies, John Kindervag, Forrester vice president and principal analyst, explained at Dark Reading.
This approach prevents a malicious actor from breaching the perimeter then moving laterally through the network.
It involves inspecting all traffic in real time and combines tools such as forensics, packet capture, metadata analysis and network discovery flow analysis to provide access rapidly in a way that doesn’t inhibit employee workflow, according to Kindervag.
In a post-mortem report on the 2015 Office of Personnel Management breach, the House Committee on Oversight and Government Reform recommended that federal agencies adopt the zero-trust model.
Distributed, Fast
Former Rackers Robert Chiniquy, Russell Haering, Jason Luce and Paul Querna founded ScaleFT in 2015 and found their approach closely mirrored that of BeyondCorp.
The key components of a zero-trust platform are that it has to be fast and employees have to like it or they will find ways to bypass it, Dwyer said. That’s why ScaleFT has focused on minimizing latency and boosting user experience.
It works with an identity provider such as Google, Okta, Active Directory, or LDAP (Lightweight Directory Access Protocol) through agents placed on servers. Companies that have a BYOD policy will need to require workers to use a small application on their devices that communicates with the platform and collects data on basic state and attributes. It’s not endpoint monitoring, but the state of the device and time, he said.
In a blog post, CTO Paul Querna describes Access Fabric as a globally distributed, low latency, authentication, authorization, encryption and connection broker engine.
It’s built on Apache Kafka, the Go programming language, and gRPC, the remote procedure call framework that works across languages and platforms.
Data such as device state, user attributes, session data and access policies are collected from various sources and then streamed in real time into authorization engines that are distributed globally.
ScaleFT uses the identity of the machine and the user to authenticate a session through an access gateway that acts as an intermediary between a user, the device and the resource he or she wants to access. It enforces access policies for that resource in making authorization decisions.
If access is denied, the user is redirected to the Remediation Helper service, which clearly explains why. It might be something as simple as needing to update the device to the latest operating system, Dwyer said, emphasizing that reducing employee frustration is a priority.
Based on Policies
Because it involves company security policies related to specific assets, it isn’t a drop-in solution, Dwyer pointed out.
As Kindervag pointed out, it involves identifying critical assets and mapping how data flows around them. Then companies need to write specific policies and determine how to best enforce access control and inspection policies at the segmentation gateway.
“It really starts with a policy framework. How do you enforce rules within your company? You might say that all employees must have the latest version of the operating system in order to access the corporate wiki. Or everyone must have the firewall turned on. You look at how employees or contractors are accessing internal resources and build policies from there,” Dwyer said.
ScaleFT works with customers on these aspects and advises clients to find a specific use case, such as server access or contractor access, as a place to start.
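The rules Dwyer gives as examples (latest operating system to reach the corporate wiki, firewall turned on), together with the re-authentication on an unknown location and the explained denial described earlier, can be written as a default-deny policy check. This is an added example, not ScaleFT's code; the type names, the resource name, the version numbers and the locations are all assumptions made for illustration.

```python
from dataclasses import dataclass

# All names here (Request, Policy, evaluate, sample values) are hypothetical.
@dataclass
class Request:
    user: str
    resource: str
    location: str
    os_version: str    # device state reported by the client application
    firewall_on: bool

@dataclass
class Policy:
    min_os: str
    require_firewall: bool = True

def parse_version(v):
    """Dotted version -> tuple of ints; unparsable input sorts lowest (fails closed)."""
    try:
        parts = [int(p) for p in v.split(".")]
    except (ValueError, AttributeError):
        return ()
    while parts and parts[-1] == 0:  # so "14" and "14.0" compare equal
        parts.pop()
    return tuple(parts)

def evaluate(policies, known_locations, req):
    """Return (outcome, reasons); outcome is "allow", "reauthenticate" or "deny"."""
    policy = policies.get(req.resource)
    if policy is None:  # default deny: a resource with no policy gets no access
        return "deny", [f"no policy defined for {req.resource}"]
    fixes = []
    if parse_version(req.os_version) < parse_version(policy.min_os):
        fixes.append(f"update the operating system to {policy.min_os} or later")
    if policy.require_firewall and not req.firewall_on:
        fixes.append("turn on the device firewall")
    if fixes:  # the reasons a remediation page would show the user
        return "deny", fixes
    if req.location not in known_locations.get(req.user, set()):
        return "reauthenticate", [f"login from unknown location {req.location}"]
    return "allow", []

# Constructed sample data, not taken from any real deployment.
POLICIES = {"corporate-wiki": Policy(min_os="14.2")}
KNOWN_LOCATIONS = {"alice": {"office-sf"}}

if __name__ == "__main__":
    stale = Request("alice", "corporate-wiki", "office-sf", "14.1.9", False)
    print(evaluate(POLICIES, KNOWN_LOCATIONS, stale))
```

Device posture is checked before location, so a non-compliant device is denied with every unmet requirement listed at once rather than being asked to re-authenticate first.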
Alex Williams contributed to this story.