Google has made big news of late with their “BeyondCorp” initiative — in which they are moving all corporate applications out to the Internet. This is a great case of Google putting their money where their mouth is — after all, if their applications are secure enough for the rest of us, they definitely should be secure enough for Google’s internal use as well!
Little and big
Google is certainly a giant, and the steps of giants often make the most noise. But in this case they aren’t so different from the smallest, nimblest modern companies.
In fact, any small company founded today would likely make the same choice. Why spend your hard earned bootstrapping dollars, or your early investment, on server hardware that’s obsolete as soon as you buy it? Why power and cool those servers, and then invest in VPN to provide access from all your employees. Heck — why have an office at all? With today’s cloud applications, mobile devices, and ubiquitous Internet, it’s easier, cheaper, and arguably safer to abandon the corporate network altogether — and use the cloud for all your business data, apps, and resources.
What’s a network for?
In the past, we needed a local network. We all worked in one place, networking was slow, and we had to be physically close to the resources we used in order to be productive. We also leveraged the private nature of that network to prevent bad guys from accessing our stuff, and only allow the good guys access. We had policies in place to allow engineers access to some things, and sales access to others, and we were good.
But that takes knowledge. It takes hardware. It takes physical space. It takes power. It takes time.
Today, Google Apps for business, and Office 365, and DropBox for business, and SalesForce, and Marketo, and Concur (and name your countless other cloud apps), mean enterprises are no longer bound to a physical space. Powerful mobile devices and laptops means users no longer need to be chained to a desk.
The old network is basically pointless today. With increasingly rare exception, there is a cloud-based alternative that can save cost and hassle. Turnkey apps, hosted resources, and PaaS/IaaS solutions provide the services we need to get work done — from anywhere, and on any device.
Today’s attacks — why break in when you can be invited?
This idea that we can move from private networks to the cloud, assumes that internal network is just as dangerous as the public Internet. This isn’t new. Heck, Security Analysts like John Kindervag have been preaching this for years.
Our perimeter defenses (firewalls chief among them) have become so strong that attackers have essentially given up breaking through them. Instead they realized they can attack much more easily by stealing the keys — the username and password — and then getting access easily. Rather than try to thwart a firewall, if I can just log in as an employee, I can steal whatever that employee has access to.
Google knows this, and that’s why they have moved the trust away from the perimeter, and out to the devices and users.
Identity, SAML, and the end of passwords
Centrify Identity Service provides our customers the same type of “BeyondCorp” security and access — all based on identity. We can provide users a single master credential, managed by IT. Then IT controls who can get to which resources, at what time, from which devices, networks, locations, and more.
Then we leverage SAML (for example) to eliminate simple username and passwords from the target services. That means attackers have nothing to steal, and users have nothing extra to remember.
Lastly we provide multi-factor authentication (MFA), integrated with device management, so IT can ensure the users are who they say they are, and can revoke access when things get fishy.
Sound familiar? It’s BeyondCorp — for your corp. And it takes only minutes to set up.
The end of the firewall?
Does this mean firewalls are dead? No way. It just means that they only do what they were meant to do — prevent attackers from getting access to your resources. But increasingly, they are “part of” the resource. When you fire up a VM in Amazon Web Services, you use their firewall. When you use DropBox, you rely on DropBox’s firewalls to prevent access. They are out there, but just like, say, a network stack, they are becoming part of the solution, and not something you have to configure on your own.
Just make sure you have a new perimeter, based on identity.