This provides consistency and simplicity for users, which is extremely valuable in lessening the likelihood of successful attacks (as I’ve described in past writings). The gateway serves up authentication prompts, but also allows for fine-grained, attribute-based access control based on a risk profile. Google recently published a blog post to tout their 4thresearch paper on the topic, which described how they maintained productivity while going through the long process of migrating. To sum up the BeyondCorp architecture, there is no longer a differentiation between on-prem access and remote access…it’s just access. All authentication and access requests follow the same path through a centralized access gateway regardless of the user’s location or device. However, authentication challenges and access decisions may differ based on a number of risk factors. A big proponent of this security strategy, Google, has made large strides in implementing it, and has even been so kind to publish their process of doing so. Zero trust, and its spin-offs (the application is the new perimeter, etc.) are now making traction in real-world architectures and implementations.
Per usual, buzz words like this go through their hype cycle, starting with a lot of excitement and often not resulting in much action in the near-term. The argument was that we trusted everything based on an initial successful authentication, but never reallyverified thereafter.
Years ago, Forrester declared dead the old security mantra, “trust but verify,” and coined the term zero trust.
0 kommentar(er)
