Can we all agree that securing the perimeter of an enterprise's IT assets--through firewalls and such--doesn't work and needs a reboot? In 2009, a series of highly-publicized cyberattacks, likely carried out by a nation-state, made global headlines. Afterwards, the common response was for enterprise security teams to bolster their network perimeter defenses, effectively buying more firewalls and VPNs.
It didn't work. Indeed, it cannot work.
No one was faster to pick up on this than Google, which recognized that "improving" perimeter security was an inadequate response. Instead, Google started an internal initiative to completely rethink and redesign corporate security architecture. That initiative, named BeyondCorp, eliminates the concept of a privileged corporate network entirely. It assumes that all traffic is untrusted by default.
SEE: Network security policy template (Tech Pro Research)
While Google gets a lot of attention for its many innovations, the BeyondCorp security architecture breakthrough may be one of the company's most disruptive to date. Yes, security tends to be viewed as a mundane and necessary evil, but in our world where everything connected to the internet can be hacked, it's suddenly sexy to be able to deliver real security.
To better understand BeyondCorp and its implications, I sat down with Sam Srinivas, product management director in Google's Cloud Security and Privacy team. Srinivas came to Google from Juniper Networks where he was chief technologist in the Security Business Unit. He is also president of the security industry's FIDO Alliance, which is working on open standards for strong authentication.
Dump your VPNs
TechRepublic: What do you believe BeyondCorp gets right with regards to corporate security?
Srinivas: Access management is about making sure the right person accesses the right information in the right context. Ideally, you should be able to define access policies at a high level of abstraction--e.g., "Allow the off-site contractors I hired to access project 21 in my bug system, but only if they are taking reasonable precautions."
BeyondCorp is about doing exactly that.
SEE: How to build a successful career in cybersecurity (free PDF) (TechRepublic)
Intelligent access proxies allow you to operationalize policies which reflect your intent rather than approximating it with lower level primitives like hostnames and port numbers. You can use the access proxy to operationalize something like "All members of contractor-group are allowed to access bugs.acme.com/project21/* from anywhere, but only if the user's device has a screen lock and encrypted disk and they used a phishing-resistant second factor." In an older network security-centric world, it is very hard to implement such a policy.
The fundamental idea is that access control should be identity and application-centric, not network-centric.— Sam Srinivas, Google
The fundamental idea is that access control should be identity and application-centric, not network-centric. The current model that depends on a remote access VPN connection to access applications give an all-or-none type of access that doesn't fit with the way organizations work today.
TechRepublic: How were you first introduced to the project? What was your role in the implementation?
Srinivas: I drove product management from concept through to production for the access proxy and phishing-resistant authentication, both of which are central to this model. Today, my team works on Google Cloud Platform capabilities which enable customers to implement the core concepts which underpin BeyondCorp. We call this concept "context-aware access."
Making BeyondCorp work
TechRepublic: What were the major "gotchas" during the implementation that challenged you?
Srinivas: Implementing application layer access management has become practical due to one fundamental trend, which is the move of enterprise applications to the web. Any web application, modern mobile application, or modern cloud API fits naturally into this new model of access management.
SEE: BeyondCorp: Borderless security for today's mobile workforce (TechRepublic)
However, older client-server applications don't fit the model well. For example, a third-party, web-based finance application we used turned out to have a client-side java applet which made direct, non-HTTP connections to the server. This didn't work through the proxy. In this case, we had to upgrade the application to a more modern version which was pure web.
TechRepublic: How has the rollout improved the security posture of the company?
Srinivas: In the BeyondCorp model, all access to resources has become "need to know" and loggable as to who did what. This radically improves the security posture. Our move to Security Keys, which deliver phishing-resistant strong authentication, has also improved our security posture in a massive way -- our employees are continually targeted by phishing attacks. We developed the technology to do this from concept to a deployed open standard (see the FIDO Alliance).
Solving the people problem
TechRepublic: One of the challenges of security is the people you're trying to secure. If you can't get them to play along, often the security measures will fail. How has a BeyondCorp approach improved the experience of your work force?
SEE: How public cloud providers are making security a non-issue for app developers (TechRepublic)
Srinivas: From the employee perspective, our internal applications are conveniently available directly on the web. You don't have to fire up a VPN. Non-sensitive apps are available from anywhere (e.g,, shuttle bus timetable), not just from company laptops. When logging in, people no longer have to fumble with one-time passcodes, they just touch a button on a tiny Security Key. If it's a laptop, the Security Key has a small model that is permanently inserted unobtrusively in the laptop's USB port--so it becomes part of the laptop, nothing extra to carry.
How to get started?
TechRepublic: Not everyone gets to be Google. How would you recommend companies who wish to achieve a similar outcome start down the path to context-aware access?
Srinivas: Do it incrementally. Take a set of core web applications and make them available on the internet using this model as a convenient alternative to your current remote access methods. You may be surprised to find that this is all most employees need. If such proves to be the case, you can gradually turn off alternative remote access to those who are not using the old remote access method, while retaining it for those who need it. Google Cloud Platform provides the building blocks for anyone who wants build such a solution: The Identity-Aware Proxy, and the full-featured Cloud Identity service with our Security Key enforcement feature.
- BeyondCorp: Borderless security for today's mobile workforce (TechRepublic)
- CIOs still don't care about Hadoop data security (TechRepublic)
- How public cloud providers are making security a non-issue for app developers (TechRepublic)
- MongoDB ransacked: Now 27,000 databases hit in mass ransom attacks (ZDNet)
- How the FBI defends against insider threats (ZDNet)
- Guidelines for building security policies (Tech Pro Research)