Building a Zero Trust Network (and where osquery fits) – GitLab’s Real Life Roadmap Recap

Kathy Wang, GitLab’s Sr. Director of Security, and Philippe Lafoucrière, a distinguished GitLab Engineer, recently presented “Towards Zero Trust at” at Google’s Cloud Next ‘19 event.


While a simple “zero trust” Google search will return a variety of educational resources on the topic, what I valued most about the GitLab team’s story was how pragmatically they break down the steps they took (and are still taking) along their Zero Trust journey. It’s also one of the only case studies showcasing a 100% cloud native organization working to implement the zero trust approach BEFORE a major security breach. Below, I’ll recap the core concepts of Kathy & Philippe’s talk, but you can also catch the full conversation in this YouTube video.



First, let’s start with a quick explanation of what Zero Trust is (or, as Google calls it, BeyondCorp).

What is Zero Trust?

Cloudflare defines Zero Trust as:

 “…an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter.”

Kathy shares some additional perspective, saying that traditional network security is heavily perimeter-based: hard on the outside, soft on the inside. When an attacker does inevitably gain access, they can move laterally, gain privileged access, and cause a lot of headaches. Not ideal. Zero Trust means the device is authenticated and authorized, the user is authenticated and authorized and …

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Amber Picotte.