This week Google announced the general availability of their “planet scale” zero trust solution for the corporate environment, called BeyondCorp Enterprise.
BeyondCorp was the internal model Google developed to manage their controlled resources for remote access for employees. The premise was to migrate their trust model – away from the network addressing approach towards a device and identity model, leveraging access aware proxies to control web based access to internal APIs and services.
BeyondCorp followed the standard zero trust mantra made popular by the likes Forrester in recent years. The National Institute of Standards and Technology released their zero trust positioning paper in August 2020, as special publication 800-207. Whilst that is clearly focused on the protection of US federal systems, it has applicability for the private sector, in both the US and beyond.
The main concep of both the Forrester and NIST standpoints are the based on the following:
- Trust but verify
- Authenticate entities (people) as well as devices
- Leverage MFA for people based authentication
- Analyse context of the inbound request – including things like location, device hygiene, device risk posture and the transaction the request is attempting to perform
- Reduce the gap between the authentication event and the resource access or authorization event – leverage context captured at login time and compare to the context at resource time
- If contextual analysis results in differences, leverage adaptive access patterns to disrupt, degrade and deny access to downstream resources
Now it seems that BeyondCorp Enterprise is looking to allow Google to place themselves front and centre of the organisation security architecture conversation, in addition to their value as a consumer based provider.
Whilst this is clearly a new approach, their experience is not to be underestimated. They claim a decade of knowledge in developing their own internal zero trust position. Whilst their own internal system has taken substantial investment and redesign (effort that perhaps many commercial and public sector organisations do not always possess) that experience is worth leveraging.
It seems Google’s model is to leverage the broad ecosystem play – utilise the best the community and partners are creating from a software and technology perspective to create a fully integrate canvas. This fits in with Forrester’s view of the “Zero Trust eXtended Ecosystem Platform” (subscription required), where no one provider can deliver all capabilities simultaneously.
It is important to think of zero trust as essentially a set of controls that can help alter the risk posture of an organisation. Controls are typically not owned by a single player.
The BeyondCorp architecture is now fully documented and provides a rich array of features, from endpoint protection via the Chrome browser to the now standard DDoS (distributed denial of service protection) that many of the cloud providers can now deliver, by virtue of having access to such much inbound cloud data.
Whilst the standard functionality seems typical of many zero trust architecture patterns – identity aware, contextual and adaptive – the power of integrating Google Chrome into the design is interesting.
The browser is essentially the main entry point for controlled resource access and the Chrome team are placing a greater emphasis on security. Application sandboxing, HTTPS notification and validation, malware protection and insights extend the zero trust mantra down to the endpoint, without having to install agents of device management tooling.