If you are a network person you have probably heard of BeyondCorp, but maybe you have had difficulty explaining it to others in your organization. Fortunately, Google’s Max Saltonstall does it for you in his latest video. Saltonstall says that Google has shifted to a security model without an inside or an outside, where each access request is reevaluated as it is made.
Most Companies Look at Security as a Binary
Most companies look at security as a binary, with the good folks on the inside and the bad folks kept outside. Security teams install various firewalls and VPN tools to create a strong perimeter. They are always looking for taller thicker walls to respond to the last type of attack or compromise. But this model breaks down as soon as things get more complicated.
Employees have to work outside. Contractors need access to just one or two internal systems, not all of them. Mobile devices aren’t compatible with your VPN client and attackers are sneaking into your network on previously trusted devices, hiding inside like a Trojan horse. We’ve seen the reinforced perimeter model break down in many ways exposing the highly vulnerable interior.
We Shifted to a Model Without an Inside or an Outside
At Google, we shifted to a model without an inside or an outside. We reevaluate the trust of each request as it is made and test to see if we should grant access. All access to company resources gets decided based on the context of the request. Who is it and should they see this thing? What device are they on and do I consider that safe? If the identity plus device plus access policy all check out, then they get in. If not, it’s an express bus to 403 town. Permission denied.
In this model, there’s no trust inherent to any network or location. We don’t care if you’re sitting at home at a coffee shop or at the office, you get exactly the same level of access. It’s easy to start down this path on Google Cloud Platform with Identity-Aware Proxy. All you need is an app that’s using Compute Engine, App Engine or Kubernetes plus Google identities for your employees and you can start securing your apps with identity control.