creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
757f1c8eae4e288d20f7dfde7f7a42a4d30cffc7
Anthropic-Cybersecurity-Skills/skills/implementing-beyondcorp-zero-trust-access-model/assets/template.md
T

4.8 KiB
Raw Blame History

BeyondCorp Zero Trust Access - Migration Checklist

Project Information

Field Value
Organization Acme Corporation
Project ID acme-prod-beyondcorp
Lead Engineer J. Smith, Security Architecture
Start Date 2026-01-15
Target Completion 2026-04-15

Pre-Migration Checklist

Identity Provider Configuration

  • Google Workspace or Cloud Identity configured as primary IdP
  • MFA enforced for all users (FIDO2 security keys for privileged accounts)
  • User groups defined and synchronized (engineering, finance, contractors, executives)
  • Service accounts inventoried and mapped to applications
  • Break-glass accounts created with documented access procedures

Google Cloud Infrastructure

  • IAP API enabled on all production projects
  • Access Context Manager API enabled at organization level
  • BeyondCorp Enterprise API enabled
  • Cloud Audit Logs enabled for IAP data access
  • OAuth consent screen configured
  • IAP OAuth clients created per application tier

Endpoint Verification

  • Endpoint Verification extension deployed to Chrome managed browsers
  • Device inventory populated (2,847 devices enrolled)
  • Device compliance baseline established (target: 95%)
  • Non-compliant device remediation plan documented
  • BYOD enrollment policy defined

Access Level Design

Access Level Device Policy Encryption Screen Lock Geo Restriction Applications
basic-access Any enrolled Not required Not required None Public wiki, cafeteria menu
standard-access Enrolled + managed Required Required US, GB, DE Email, calendar, chat
enhanced-access Managed + EDR Required Required US, GB Internal tools, CI/CD
high-trust Managed + EDR + patched Required Required US only Finance, HR, admin panels

Application Migration Tracker

Application Hosting Protocol Current Access IAP Status Access Level Migration Date
Internal Wiki App Engine HTTPS VPN Enabled basic-access 2026-02-01
CI/CD Dashboard GKE HTTPS VPN Enabled enhanced-access 2026-02-08
HR Portal On-prem HTTPS VPN Connector deployed high-trust 2026-02-15
Finance System Compute Engine HTTPS VPN Enabled high-trust 2026-02-22
Git Repository GKE SSH+HTTPS VPN Enabled enhanced-access 2026-02-08
Monitoring Cloud Run HTTPS VPN Enabled standard-access 2026-02-01
Admin Console On-prem HTTPS VPN Connector pending high-trust 2026-03-01

Session Policy Configuration

Application Tier Session Duration Re-auth Method Re-auth Trigger
General (Tier 1) 8 hours LOGIN Session expiry
Sensitive (Tier 2) 4 hours LOGIN Session expiry, device change
Critical (Tier 3) 1 hour SECURE_KEY (FIDO2) Session expiry, IP change
Admin (Tier 4) 30 minutes SECURE_KEY (FIDO2) Any context change

Post-Migration Validation

Functional Testing

  • All migrated applications accessible through IAP without VPN
  • Access denied for users not in authorized groups
  • Access denied for non-compliant devices
  • Re-authentication triggers working per policy
  • Break-glass access procedure tested successfully
  • On-premises connector failover tested

Security Testing

  • Direct application access blocked (only through IAP)
  • IAP bypass attempts detected and logged
  • Session hijacking mitigations verified
  • Cross-tenant access properly denied
  • Audit logs capturing all access decisions

Monitoring

  • BigQuery audit pipeline operational
  • Alert policies configured for repeated denials
  • Dashboard showing real-time access metrics
  • Monthly access review process documented

VPN Decommission Timeline

Phase Date Action Status
Parallel Start 2026-03-01 VPN and BeyondCorp running side by side Pending
VPN Monitoring 2026-03-01 to 2026-03-15 Track remaining VPN usage Pending
VPN Block New 2026-03-15 Block new VPN connections Pending
VPN Shutdown 2026-04-01 Decommission VPN infrastructure Pending
Post-Mortem 2026-04-15 Migration lessons learned review Pending

Sign-Off

Role Name Date Signature
CISO _________________ __________ __________
Security Architect _________________ __________ __________
IT Operations Lead _________________ __________ __________
Application Owner _________________ __________ __________
Reference in New Issue View Git Blame Copy Permalink