Today, none of Google’s employee-facing applications are on a virtual private network. The company feels this approach, which it has dubbed BeyondCorp, is the “new cloud model” for doing cloud security, asserted Neal Mueller, head of infrastructure product marketing at Google, who gave a presentation on this approach at the O’Reilly Security conference, held recently in New York. This model can fall under a number of rubrics in the security community, including “zero-trust” or “perimeter-less” security.

It is the opposite of the traditional approach to security, which Mueller described as “the castle” approach, in which a strong firewall is used to set off an internal network that can only be accessed by way of a virtual private network (VPN). The problem with the “castle” approach is that once the perimeter is breached, the entire internal network, and all the associated applications, are at risk. “It is probably already owned,” added Max Saltonstall, a Google program manager for corporate engineering, who also participated in the presentation.

Phishing, man-in-the-middle and SQL injection attacks all find fertile ground on VPNs. Plus, a VPN was cumbersome to use and slowed performance, especially for overseas workers. And it is no walk in the park for admins either. To set up a new user, the admin would typically have to configure the cloud network, along with setting up the IPSec rules, the firewall rules and the VPN.

At Google, “we embraced the fact that walls don’t work,” Mueller said. “Rather than have a VPN around all this infrastructure, we decided to get rid of the walls entirely.” This is followed by a lot of testing.

In 2018, it introduced Cloud Identity, which gives customers one console and platform to manage users, devices, apps and access.
It routes all traffic through a proxy to determine the identity of a user and what internal data they're allowed to access in the given context. For instance, with BeyondCorp Remote Access, an admin could set a specific policy for contract HR recruiters working from home on their own laptops, only granting them access to a web-based document management system if they are using the latest version of the OS as well as phishing-resistant authentication.

While BeyondCorp Remote Access is now offered as a way to safely access internal apps, Google said that over time it will offer the same security capabilities for nearly all applications and resources a user may need to access. Over the years, Google has rolled out other products based on BeyondCorp, such as Identity-Aware Proxy (IAP), which helps Google Cloud customers control access to cloud and on-prem applications and VMs running on Google Cloud Platform (GCP).
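The per-request decision the article describes (identity plus device posture plus authentication strength, evaluated by the proxy for each app, with network location granting nothing) as an added example; this is not code from Google or from the BeyondCorp products, and the app names, group names, OS version baselines and authentication-method labels are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed model of an identity-aware access proxy decision: every request
# carries the user, device posture and authentication method, and access to
# each app is decided from that context with no trust implied by network
# location. App names, groups, OS baselines and auth labels are made up.
LATEST_OS = {"macos": (14, 4), "windows": (10, 0, 22631)}  # assumed current baselines
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}     # assumed method labels

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    os_name: str
    os_version: tuple
    managed_device: bool
    auth_method: str

@dataclass
class Rule:
    app: str
    allowed_groups: set
    require_latest_os: bool = True
    require_phishing_resistant: bool = True
    require_managed: bool = False  # False lets contractors use their own laptops

POLICY = [
    Rule("hr-docs", {"hr-recruiters-contract", "hr-staff"}),
    Rule("source-review", {"engineering"}, require_managed=True),
]

def os_is_latest(name, version):
    baseline = LATEST_OS.get(name)
    return baseline is not None and tuple(version) >= baseline

def evaluate(req):
    """Return (allowed, reasons). Deny by default and report every failed check."""
    rule = next((r for r in POLICY if r.app == req.app), None)
    if rule is None:
        return False, ["no policy grants access to this app"]
    reasons = []
    if not req.groups & rule.allowed_groups:
        reasons.append("user is not in an authorised group")
    if rule.require_latest_os and not os_is_latest(req.os_name, req.os_version):
        reasons.append("device OS is not the latest version")
    if rule.require_phishing_resistant and req.auth_method not in PHISHING_RESISTANT:
        reasons.append("authentication is not phishing-resistant")
    if rule.require_managed and not req.managed_device:
        reasons.append("device is not managed")
    return not reasons, reasons
```

Returning every failed check, rather than the first, is what lets the proxy's denial log tell an admin whether a user was blocked by posture or by authentication strength.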
#BEYONDCORP ACCESS PROXY VERIFICATION#
Additionally, the nature of perimeter-based security may be problematic when granting remote access to an extended workforce that can include contractors and temporary workers. To address those problems, the new tool uses the BeyondCorp framework, a zero-trust approach to security that Google adopted for its own, increasingly mobile workforce back in 2011. In contrast to traditional, perimeter-based security systems, BeyondCorp relies on verification of context, like your identity and the device you're using, to grant access to apps.