
In 2014, Google revealed that it had begun a dramatic change in the way it secured and controlled access to its enterprise resources. The BeyondCorp initiative was the first time a large enterprise had implemented modern Zero Trust concepts at scale.

In the years since, Google inspired a new consensus within the security community that Zero Trust is the model for enterprise network security that organizations should strive for, as a way to mitigate the risks and shortcomings of the traditional fixed-perimeter security model.

In this article, we will review why Google launched the BeyondCorp initiative, how its access control system works, and what limitations organizations considering BeyondCorp should take into account. Fortunately, although BeyondCorp was the first Zero Trust implementation and was built for Google's scale, organizations have options that are easier to deploy and maintain.

"BeyondCorp" is the umbrella term Google applied to its Zero Trust network architecture. By redefining the perimeter from the network to individual users, the company eliminated its traditional VPN-based approach to remote access. Over the course of a decade, BeyondCorp evolved into a complete, secure access control system. Remote or on-premises, the BeyondCorp system authenticates and authorizes users' access to Google resources.

A 2009 cyber attack dubbed "Operation Aurora" was the initial spark that drove Google to change its security model. A threat actor with ties to China's People's Liberation Army launched a campaign targeting many western companies. In Google's case, the hackers' targets were the Gmail accounts of human rights activists in China, Europe, and the United States. The attack contributed to Google's decision to withdraw from the China market and set in motion a top-down review of the company's security and access control strategies.

Google assessed that the traditional secure perimeter had become inherently unsecurable. The secure perimeter approach assumes companies have trusted employees working on trusted networks behind layered defenses that keep threats at bay. None of this is true anymore thanks to several trends:

As a result, the perimeter extends too far beyond the privileged network for organizations to adequately protect. Moreover, companies can no longer assume that the networks inside the perimeter are safe. Google launched the BeyondCorp project to replace the old paradigm with a new philosophy for network security.

How does Google BeyondCorp work?

BeyondCorp is an implementation of Zero Trust principles that leverages Google's cloud-based network architecture. The company eliminated its private, privileged network and the distinction between remote and on-site access. In its place, BeyondCorp operates on a new set of principles:

- Source networks do not influence user access.
- Access is based on the context of users and devices.
- All access must be authenticated, authorized, and encrypted.

All Google users now access the company's resources over the internet. To make this possible, the BeyondCorp system relies on six elements:

Device management and identification
Google only allows users to access company resources through company-managed Chromebooks or devices running the Chrome browser. This lets the company maintain a device inventory database and ensure that all devices are kept updated.

User identification
A user and group database, combined with Google's internally-developed Single Sign-On system, lets the company issue short-duration tokens that define each user's current role.

Unprivileged networks
BeyondCorp replaced Google's privileged, on-premises networks with a more limited network that only connects to the internet. All wired and wireless devices must pass 802.1X authentication to join the unprivileged network.

Internet-facing applications and resources
Whether connected to the unprivileged network or the internet, users do not access resources through a Google network.
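To make the three principles concrete, here is an added example (not Google's code and not from the BeyondCorp papers): a toy access-proxy decision in Python that combines a short-lived SSO token, a device-inventory lookup and a per-resource policy into one allow/deny answer. The device records, resource names, role names, trust tiers and the "sha256:" fingerprint key format are all constructed assumptions for illustration; the one deliberate design point is that the caller's source network is accepted as a parameter and then never consulted, so an office LAN request and a cafe Wi-Fi request are judged identically.

```python
"""Toy BeyondCorp-style access decision. Added example, not Google's code.
Every record below (device inventory, resource policy, roles, tiers) is
constructed for illustration; the field names are assumptions."""
from __future__ import annotations

import time
from dataclasses import dataclass

# Constructed device inventory, keyed by a device certificate fingerprint (assumed format).
DEVICE_INVENTORY = {
    "sha256:aa11": {"managed": True, "patch_age_days": 3, "disk_encrypted": True},
    "sha256:bb22": {"managed": True, "patch_age_days": 45, "disk_encrypted": True},
}

# Constructed per-resource policy: permitted roles and minimum device trust tier.
RESOURCE_POLICY = {
    "wiki.corp.example": {"roles": {"employee", "contractor"}, "min_tier": "basic"},
    "deploy.corp.example": {"roles": {"sre"}, "min_tier": "full"},
}
TIER_RANK = {"untrusted": 0, "basic": 1, "full": 2}


@dataclass(frozen=True)
class Token:
    """Short-lived SSO token carrying the user's current roles (assumed shape)."""
    user: str
    roles: frozenset[str]
    issued_at: float
    ttl_seconds: int

    def is_valid(self, now: float) -> bool:
        return now < self.issued_at + self.ttl_seconds


def device_tier(fingerprint: str) -> str:
    """Derive a trust tier from the inventory record.
    Unknown or unmanaged devices are untrusted; a managed device only reaches
    'full' when it is recently patched and disk-encrypted."""
    rec = DEVICE_INVENTORY.get(fingerprint)
    if rec is None or not rec["managed"]:
        return "untrusted"
    if rec["patch_age_days"] <= 14 and rec["disk_encrypted"]:
        return "full"
    return "basic"


def decide(token: Token, fingerprint: str, resource: str,
           transport_encrypted: bool, source_network: str,
           now: float | None = None) -> tuple[bool, str]:
    """Return (allowed, reason).

    source_network is accepted only to make the point that it is never
    consulted: a request from the office LAN and one from a cafe are
    evaluated identically. Checks run in order: encrypted transport,
    authenticated (unexpired token), authorized (role), device context."""
    now = time.time() if now is None else now
    if not transport_encrypted:
        return False, "plaintext transport refused"
    if not token.is_valid(now):
        return False, "token expired; re-authenticate via SSO"
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "unknown resource; default deny"
    if not token.roles & policy["roles"]:
        return False, "role not permitted for resource"
    tier = device_tier(fingerprint)
    if TIER_RANK[tier] < TIER_RANK[policy["min_tier"]]:
        return False, f"device tier {tier} below required {policy['min_tier']}"
    return True, f"allowed for {token.user} on {tier} device"


if __name__ == "__main__":
    now = 1_000_000.0
    alice = Token("alice", frozenset({"employee", "sre"}), now - 600, 3600)
    # Same user, same device, same resource: the network the request came from changes nothing.
    for net in ("office-lan", "cafe-wifi"):
        print(net, decide(alice, "sha256:aa11", "deploy.corp.example", True, net, now))
    # Stale patch level drops the device to 'basic', which is not enough for the deploy tool.
    print("stale device", decide(alice, "sha256:bb22", "deploy.corp.example", True, "office-lan", now))
```

The ordering of checks mirrors the principle list: transport encryption and token validity are gates that fail closed before any authorization logic runs, and the device tier is computed from the inventory at decision time rather than trusted from the client, so a device that falls behind on patches loses access to sensitive resources without any change to the user's token.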
