Google BeyondCorp Breaks With Enterprise Security Tradition

Moving away from perimeter defenses, Google has adopted a cybersecurity architecture, called BeyondCorp, that focuses on understanding devices and users.

Thomas Claburn, Editor at Large, Enterprise Mobility

April 7, 2016

4 Min Read
<p align="left">(Image: LeoWolfer/iStockphoto)</p>

10 iPhone Apps Worth Buying

10 iPhone Apps Worth Buying

10 iPhone Apps Worth Buying (Click image for larger view and slideshow.)

As computing has shifted from desktop to mobile devices, the concept of a secure perimeter has become an anachronism. We may find it comforting to view walls as a defense against threats, but the security that barriers provide in the physical world doesn't translate into cyberspace.

The computer security industry caught on well before the mobile revolution, as it became apparent that defending data requires scrutiny of what happens on the network and inside the firewall, in addition to perimeter defenses. But companies haven't entirely changed how they think about virtual threats.

Since about 2009, Google has been developing and deploying a model for security that focuses on data about devices and users rather than locations and networks. It's an approach a few other companies like Coca-Cola, Mazda, and Verizon have taken, according to the Wall Street Journal.

Google began discussing its revised security strategy in August 2013 and revisited the topic in a research paper published in December 2014. By May last year, about 90% of the company's corporate applications had been migrated.

With the transition now largely complete, Google has summarized its more fluid security architecture in a paper titled "BeyondCorp: Design to Deployment at Google," published in the Spring 2016 issue of USENIX's journal, ;login:.

The BeyondCorp security model is perhaps best summarized by a tagline presented in an early episode of the TV series The X-Files: Trust no one.

"BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or 'tiers,' of access," the paper explains.

Google's approach to security involves several components. Access requirements are separated into Trust Tiers that reflect the sensitivity of the information to be accessed. The applications, services, and infrastructure subject to access control are enumerated as Resources, each of which is assigned a minimum Trust Tier. A system called a Trust Inferer continually evaluates the state of monitored devices and records that information in a constantly updated Device Inventory Service.

There are Access Policies that summarize Resources, Trust Tiers, and additional requirements for access. An Access Control Engine accepts or denies access based on information from Access Policies, Trust Inferer output, resources requested, and real-time credentials. And Gateways, such as SSH servers, Web proxies, or 802.1x-enabled networks, also inform authorization decisions.

The heart of the system is the Device Inventory Service, which gathers about 3 million pieces of data per day (80TB) from more than 15 sources.

"Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a given device, track and analyze fleet-wide trends, and perform security audits and forensic investigations," the paper says.

The Device Inventory Service records when a device was last scanned and the results of that scan, the policies and timestamp from the last Active Directory sync, and the OS version, patch level, and apps. It also collects IT-assigned data, like the designated owner, users and groups with access rights, and DNS and DHCP assignments.

Collecting data from multiple sources allows the Trust Inferer to cross-check information and identify conflicts, which might not be apparent if the system simply trusted the data received.

Trusting a device isn't merely a matter of checking a serial number. Devices have components like hard drives, network interface controllers, and motherboards -- any of which may have been swapped at some point.

To establish a high Trust Tier, Google's system might require that a device be encrypted; successfully execute all management and configuration agents; have an updated OS; and have consistent data from relevant input sources.

Are you prepared for a new world of enterprise mobility? Attend the Wireless & Mobility Track at Interop Las Vegas, May 2-6. Register now!

The paper describes various challenges Google overcame in the development and implementation of the BeyondCorp model. One such challenge involved ensuring the company had accurate data to manage its asset inventory. Transposed or missing device identifiers or failure to update records after repairs could prevent devices from accessing corporate resources. To deal with the issue, Google focused on local workflow improvements, automated input validation, and double-entry accounting to reduce errors.

Google also had to ensure that its Device Inventory Service could communicate without significant latency, that users received the appropriate amount of communication about the system and about addressing problems, and that disaster recovery scenarios had been adequately considered.

The paper concludes by noting that the BeyondCorp model has substantially improved Google's security posture and that other organizations can benefit from, and improve on, this approach.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights