As computing has shifted from desktop to mobile devices, the concept of a secure perimeter has become an anachronism. We may find it comforting to view walls as a defense against threats, but the security that barriers provide in the physical world doesn't translate into cyberspace.
The computer security industry caught on well before the mobile revolution, as it became apparent that defending data requires scrutiny of what happens on the network and inside the firewall, in addition to perimeter defenses. But companies haven't entirely changed how they think about virtual threats.
Since about 2009, Google has been developing and deploying a model for security that focuses on data about devices and users rather than locations and networks. It's an approach a few other companies like Coca-Cola, Mazda, and Verizon have taken, according to the Wall Street Journal.
Google began discussing its revised security strategy in August 2013 and revisited the topic in a research paper published in December 2014. By May last year, about 90% of the company's corporate applications had been migrated.
With the transition now largely complete, Google has summarized its more fluid security architecture in a paper titled "BeyondCorp: Design to Deployment at Google," published in the Spring 2016 issue of USENIX's journal, ;login:.
The BeyondCorp security model is perhaps best summarized by a tagline presented in an early episode of the TV series The X-Files: Trust no one.
"BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or 'tiers,' of access," the paper explains.
Google's approach to security involves several components. Access requirements are separated into Trust Tiers that reflect the sensitivity of the information to be accessed. The applications, services, and infrastructure subject to access control are enumerated as Resources, each of which is assigned a minimum Trust Tier. A system called a Trust Inferer continually evaluates the state of monitored devices and records that information in a constantly updated Device Inventory Service.
There are Access Policies that summarize Resources, Trust Tiers, and additional requirements for access. An Access Control Engine accepts or denies access based on information from Access Policies, Trust Inferer output, resources requested, and real-time credentials. And Gateways, such as SSH servers, Web proxies, or 802.1x-enabled networks, also inform authorization decisions.
The heart of the system is the Device Inventory Service, which gathers about 3 million pieces of data per day (80TB) from more than 15 sources.
"Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a given device, track and analyze fleet-wide trends, and perform security audits and forensic investigations," the paper says.
The Device Inventory Service records when a device was last scanned and the results of that scan, the policies and timestamp from the last Active Directory sync, and the OS version, patch level, and apps. It also collects IT-assigned data, like the designated owner, users and groups with access rights, and DNS and DHCP assignments.
Collecting data from multiple sources allows the Trust Inferer to cross-check information and identify conflicts, which might not be apparent if the system simply trusted the data received.
Trusting a device isn't merely a matter of checking a serial number. Devices have components like hard drives, network interface controllers, and motherboards -- any of which may have been swapped at some point.
To establish a high Trust Tier, Google's system might require that a device be encrypted; successfully execute all management and configuration agents; have an updated OS; and have consistent data from relevant input sources.
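As an added illustration, not code from Google's paper, the following Python sketch models the flow described above: a Trust Inferer derives a tier from Device Inventory fields plus a cross-source consistency check, and an Access Control Engine compares that tier against each Resource's minimum. The tier names, record fields, serial-number sources and resource names are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Trust Tiers; a higher value means more access (names are assumed)."""
    UNTRUSTED = 0
    BASIC = 1
    HIGH = 2


@dataclass
class DeviceRecord:
    """A device's aggregated state from the Device Inventory Service (fields illustrative)."""
    device_id: str
    encrypted: bool          # disk encryption verified
    agents_ok: bool          # management/configuration agents ran successfully
    os_current: bool         # OS at required version and patch level
    # Same attribute (serial number) as reported by several inventory sources;
    # disagreement between sources is a conflict the inferer must not ignore.
    serials: dict = field(default_factory=dict)


def sources_consistent(record: DeviceRecord) -> bool:
    """Cross-check: every source must agree on the serial, and at least one must report it."""
    return bool(record.serials) and len(set(record.serials.values())) == 1


def infer_tier(record: DeviceRecord) -> Tier:
    """Trust Inferer: conflicting source data caps the tier at UNTRUSTED regardless of other checks."""
    if not sources_consistent(record):
        return Tier.UNTRUSTED
    if record.encrypted and record.agents_ok and record.os_current:
        return Tier.HIGH
    if record.agents_ok:
        return Tier.BASIC
    return Tier.UNTRUSTED


# Access Policy: each enumerated Resource carries a minimum Trust Tier (constructed values).
RESOURCES = {"wiki.internal": Tier.BASIC, "hr-payroll": Tier.HIGH}


def access_decision(record: DeviceRecord, resource: str, user_authenticated: bool) -> bool:
    """Access Control Engine: valid credentials AND inferred tier >= resource minimum.

    A resource missing from the policy is denied outright (nothing is implicitly reachable).
    """
    min_tier = RESOURCES.get(resource)
    if min_tier is None or not user_authenticated:
        return False
    return infer_tier(record) >= min_tier
```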
The paper describes various challenges Google overcame in the development and implementation of the BeyondCorp model. One such challenge involved ensuring the company had accurate data to manage its asset inventory. Transposed or missing device identifiers or failure to update records after repairs could prevent devices from accessing corporate resources. To deal with the issue, Google focused on local workflow improvements, automated input validation, and double-entry accounting to reduce errors.
Google also had to ensure that its Device Inventory Service could communicate without significant latency, that users received the appropriate amount of communication about the system and about addressing problems, and that disaster recovery scenarios had been adequately considered.
The paper concludes by noting that the BeyondCorp model has substantially improved Google's security posture and that other organizations can benefit from, and improve on, this approach.