Google Secures Its Enterprise with Zero Trust Networks
You know how they say “identity is the new perimeter?” Yet for all the hoopla around de-perimeterization over the years, most organizations still have complex firewall infrastructures and clunky VPNs.
Google has reinvented its security perimeter around devices through its groundbreaking “BeyondCorp” initiative. In a talk at the RSA conference this month, two Google security leaders shared how this transformation took place, where it’s headed, Google’s migration strategy, and the lessons learned.
Here is the link to the detailed PDF describing BeyondCorp.
Or if you prefer video, here is the link to the RSA session.
Read the PDF or watch the video and you will find that Google has indeed gotten rid of VPNs. They have also done an impressive job of implementing contextual user+device authentication. Don’t worry, they still have some perimeter devices in their data centers (called an Access Control Engine), so your personal search data may still be safe 🙂
Here’s how it works:
- Requests are directed to the access proxy.
- A managed device provides its certificate.
- The access proxy does not recognize the user and redirects to the SSO system.
- The user provides his or her primary and second-factor authentication credentials, is authenticated by the SSO system, is issued a token, and is redirected back to the access proxy.
- The access proxy now has the device certificate, which identifies the device, and the SSO token, which identifies the user.
- The Access Control Engine performs the specific authorization check configured for the application.
- An authorization check is made on every request against the user’s group memberships, the user’s trust level, the device’s security status, and the device’s trust level. If any of these checks fails, the request is denied.
The PDF didn’t discuss bring your own device (BYOD). Could it be that Google doesn’t have any? Whether or not they allow BYOD access, the contextual authentication system described SHOULD have the ability to provide risk-based authentication metadata to the access control engine, which, depending on the resource, could allow or deny access to unknown devices…
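To make the request flow above and the BYOD question concrete, here is a small Python model of the access proxy decision: the SSO step issues a token after primary and second-factor credentials, the device certificate is looked up in a device inventory, and an access control engine evaluates every request against group membership, user trust level, device security status and device trust level, with a per-application switch for whether an unknown (unmanaged) device may reach it at all. This is an added example, not Google’s or BeyondCorp’s code; the tier names, the inventory and user records, the application policies and the degrade-on-unpatched rule are all assumptions constructed for illustration.

```python
"""Toy model of the BeyondCorp-style request flow (added example, not Google's code).

Assumed for illustration: trust-tier names, a device inventory keyed by
certificate fingerprint, a user directory, per-application policy, and the
rule that an unpatched device is treated one tier lower than its inventory tier.
"""
from dataclasses import dataclass
import secrets

# Trust tiers ordered from least to most trusted (assumed names).
TIERS = ["untrusted", "basic", "trusted", "fully_trusted"]


def tier_rank(tier):
    return TIERS.index(tier)


@dataclass
class Device:
    serial: str
    tier: str          # device trust level from the inventory
    encrypted: bool    # device security status fields
    patched: bool


@dataclass
class User:
    name: str
    groups: frozenset
    tier: str          # user trust level
    password: str      # primary credential (plaintext only for this toy model)
    otp: str           # second-factor code expected for this login

# Constructed sample inventory: certificate fingerprint -> managed device.
DEVICE_INVENTORY = {
    "fp-laptop-001": Device("laptop-001", "fully_trusted", encrypted=True, patched=True),
    "fp-laptop-002": Device("laptop-002", "trusted", encrypted=True, patched=False),
}
# Constructed sample user directory.
USERS = {
    "alice": User("alice", frozenset({"eng", "sre"}), "fully_trusted", "pw-alice", "123456"),
    "bob": User("bob", frozenset({"eng"}), "basic", "pw-bob", "654321"),
}
# Per-application policy: at least one required group, minimum user and device
# tiers, and whether an unknown (unmanaged) device may reach the app at all.
APP_POLICY = {
    "wiki": {"groups": {"eng"}, "min_user": "basic",
             "min_device": "untrusted", "allow_unknown_device": True},
    "prod-console": {"groups": {"sre"}, "min_user": "fully_trusted",
                     "min_device": "fully_trusted", "allow_unknown_device": False},
}
SSO_TOKENS = {}  # token -> username, issued by the SSO system


def sso_login(username, password, otp):
    """SSO step: primary + second-factor credentials yield a bearer token."""
    user = USERS.get(username)
    if user is None:
        return None
    if not (secrets.compare_digest(user.password, password)
            and secrets.compare_digest(user.otp, otp)):
        return None
    token = secrets.token_urlsafe(16)
    SSO_TOKENS[token] = username
    return token


def effective_device_tier(device):
    """Combine the inventory trust level with the device's security status.
    Unknown devices and unencrypted devices count as untrusted; an unpatched
    device is degraded by one tier (assumed rule)."""
    if device is None or not device.encrypted:
        return "untrusted"
    rank = tier_rank(device.tier)
    if not device.patched:
        rank = max(0, rank - 1)
    return TIERS[rank]


def access_control_engine(app, token, cert_fingerprint):
    """Authorization check performed on every request; returns (allowed, reason)."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    username = SSO_TOKENS.get(token)
    if username is None:
        return False, "no valid SSO token; redirect to SSO"
    user = USERS[username]
    if not (user.groups & policy["groups"]):
        return False, "user not in a required group"
    if tier_rank(user.tier) < tier_rank(policy["min_user"]):
        return False, "user trust level too low"
    device = DEVICE_INVENTORY.get(cert_fingerprint)
    if device is None and not policy["allow_unknown_device"]:
        return False, "unmanaged device not permitted for this application"
    if tier_rank(effective_device_tier(device)) < tier_rank(policy["min_device"]):
        return False, "device trust level too low"
    return True, "allowed"


if __name__ == "__main__":
    token = sso_login("alice", "pw-alice", "123456")
    for app, fp in [("prod-console", "fp-laptop-001"), ("prod-console", "fp-unknown"),
                    ("wiki", "fp-unknown"), ("prod-console", "fp-laptop-002")]:
        print(app, fp, access_control_engine(app, token, fp))
```

The point of the per-application `allow_unknown_device` switch is that an unmanaged device is not simply rejected at the edge: it is identified as untrusted and the resource’s policy decides whether that is acceptable, which is exactly the risk-based metadata the last paragraph asks for.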