BeyondCorp - A New Approach to Enterprise Security

Federico Scrinzi
October, 2016

Confidential + Proprietary


$ whoami

Federico Scrinzi
Site Reliability Engineer at Google

● We "keep Google up"
● I solve Rubik's cubes
● I capture flags
● I like speck :)


BeyondCorp

Let me tell you a story ...


A typical Intranet


A convergence of issues

An increasingly mobile workforce.

A plethora of client devices used by this mobile workforce.

The emergence of Cloud services.

Concerns about Cyber Attacks and our attack surface.


The realization ...

WALLS DON’T WORK


A different approach


BeyondCorp means ...

1. Access to services is granted based on what we know about you and your device.

2. Connecting from a particular network must not determine which services you can access.

3. All access to services must be authenticated, authorized and encrypted.


Our Five Year Mission

● To re-architect the Corporate Infrastructure to remove any privileges that have been granted solely on the basis of having a private IP address.

or put another way

● To remove the need for a privileged Corporate network.

or put another way

● To have every Google employee work successfully from untrusted networks, without use of a VPN.


The Components of BeyondCorp


Know your Devices

Keep an accurate device inventory.

Uniquely identify each device.


Know your Users

Keep an accurate user inventory.

Identify groups that users are in.

Externalize Single Sign On.


Build a Trust Model

Dynamically calculate trust of devices.

Multiple, on demand, data sources.

Policy driven.


Enforce Access Policy

Access depends on who you are.

Access depends on what groups you are in.

Access depends on the trust level of device you are using.

Policy driven.


Enable Access from anywhere

Same access from inside.

Same access from outside.
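The three slides above (Build a Trust Model, Enforce Access Policy, Enable Access from anywhere) describe one decision: compute a device trust tier from several inventory data sources, then grant or deny access to a service from the user, the user's groups and that tier, with the source network playing no part. The following is an added illustration in Python, not code from the slides or from Google's BeyondCorp implementation; the inventories, tier names, services, policy table and the `device_tier`/`decide` functions are all constructed for the example.

```python
"""Added example of a BeyondCorp-style access decision. Not Google's code:
the device inventory, user groups, tier names and policy table are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed device inventory: several signals per uniquely identified device.
DEVICE_INVENTORY = {
    "lap-0417": {"managed": True, "has_cert": True,
                 "os_patch_date": date(2016, 10, 1), "disk_encrypted": True},
    "lap-0990": {"managed": True, "has_cert": True,
                 "os_patch_date": date(2016, 4, 2), "disk_encrypted": False},
    "byod-12": {"managed": False, "has_cert": True,
                "os_patch_date": None, "disk_encrypted": False},
    "byod-77": {"managed": False, "has_cert": False,
                "os_patch_date": None, "disk_encrypted": False},
}
# Constructed user inventory: group membership comes from the identity system.
USER_GROUPS = {"fscrinzi": {"eng", "sre", "oncall"}, "jdoe": {"eng"}}

# Ordered trust tiers, lowest to highest (constructed names).
TIERS = ["untrusted", "basic", "trusted", "fully_trusted"]

def device_tier(device_id, today=date(2016, 10, 15)):
    """Dynamically compute a device's trust tier from the inventory signals.
    Unknown devices, or devices without a device certificate, are untrusted."""
    d = DEVICE_INVENTORY.get(device_id)
    if d is None or not d["has_cert"]:
        return "untrusted"
    if not d["managed"]:
        return "basic"
    patch = d["os_patch_date"]
    recently_patched = patch is not None and (today - patch).days <= 30
    if recently_patched and d["disk_encrypted"]:
        return "fully_trusted"
    return "trusted"

# Constructed policy: each service needs a group (or none) and a minimum tier.
ACCESS_POLICY = {
    "code-review": {"group": "eng", "min_tier": "trusted"},
    "prod-console": {"group": "oncall", "min_tier": "fully_trusted"},
    "cafeteria-menu": {"group": None, "min_tier": "basic"},
}

@dataclass
class Request:
    user: str
    device_id: str
    service: str
    authenticated: bool
    tls: bool
    source_network: str = "internet"  # logged, never used in the decision

@dataclass
class Decision:
    allowed: bool
    reason: str
    device_tier: str

def decide(req):
    """Authenticated + encrypted + user/group + device tier; no network check."""
    tier = device_tier(req.device_id)
    if not (req.authenticated and req.tls):
        return Decision(False, "request not authenticated or not encrypted", tier)
    policy = ACCESS_POLICY.get(req.service)
    if policy is None:
        return Decision(False, "unknown service", tier)
    groups = USER_GROUPS.get(req.user, set())
    if policy["group"] is not None and policy["group"] not in groups:
        return Decision(False, "user not in group " + policy["group"], tier)
    if TIERS.index(tier) < TIERS.index(policy["min_tier"]):
        return Decision(False, "device tier %s below %s" % (tier, policy["min_tier"]), tier)
    # req.source_network is deliberately not consulted anywhere above.
    return Decision(True, "ok", tier)

if __name__ == "__main__":
    for net in ("corp-lan", "internet"):
        print(net, decide(Request("fscrinzi", "lap-0417", "prod-console", True, True, net)))
    print(decide(Request("jdoe", "byod-77", "code-review", True, True, "corp-lan")))
```

Running the block shows the same answer for the same user and device whether the request arrives from the corporate LAN or the Internet, while an unmanaged, certificate-less device is refused even when it sits on the corporate network.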



Migrating to BeyondCorp

Fifteen years of Corporate Infrastructure.

Fifteen years of assuming a privileged Intranet.

Problem Definition:

Move to BeyondCorp … but don’t break anyone.


The Managed Non-Privileged (MNP) Network

A brand new network VLAN.

Equivalent to an external network (no privilege).

Deployed across the company.

But how to get every device onto MNP safely?


Analyse our Network Traffic

Record and analyze our daily traffic.

Identify workflows that would fail on new unprivileged network.

Fix and repeat.


Safely Migrate Devices

Qualify workflows / job functions.

Encourage users off the VPN.

Analyze device traffic patterns.

=> Migrate devices only when safe to do so.
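The two slides above (Analyse our Network Traffic, Safely Migrate Devices) describe the migration loop: record per-device traffic, flag the workflows that would break on the unprivileged network, fix them, and move a device only once everything it talks to works without privilege. The following is an added illustration in Python, not the tooling from the slides or from Google; the flow-log format, device names, destinations and the reachable/privileged-only classification are all constructed, and the "observed for at least N days" threshold is an assumption of this example.

```python
"""Added example of a migration-readiness check over recorded traffic.
Not Google's tooling: the log format, hosts and classification are constructed."""
from collections import defaultdict

# Constructed classification: can this destination be reached from the
# unprivileged (MNP-style) network, e.g. because it sits behind an access proxy?
REACHABLE_UNPRIVILEGED = {
    "code-review.corp": True,
    "mail.corp": True,
    "legacy-build.corp": False,   # still requires the privileged intranet
    "printer-3.corp": False,
}

# Constructed flow log: date,device,destination,port
FLOW_LOG = """\
2016-10-10,lap-0417,code-review.corp,443
2016-10-10,lap-0417,mail.corp,443
2016-10-11,lap-0417,mail.corp,443
2016-10-10,lap-0990,code-review.corp,443
2016-10-11,lap-0990,legacy-build.corp,8080
2016-10-12,lap-0990,legacy-build.corp,8080
2016-10-12,lap-0313,printer-3.corp,9100
2016-10-12,lap-0313,unknown-host.corp,22
"""

def parse_flows(text):
    """Parse the constructed CSV-like log into (day, device, dest, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, device, dest, port = line.split(",")
        flows.append((day, device, dest, int(port)))
    return flows

def migration_report(flows, classification, min_days_observed=2):
    """Per device: safe to migrate?, privileged-only destinations it used
    (with flow counts), destinations nobody has classified yet, days observed.
    A device is safe only when every destination is known to work without
    privilege and it has been observed for at least min_days_observed days."""
    per_device = defaultdict(lambda: {"days": set(), "dests": defaultdict(int)})
    for day, device, dest, _port in flows:
        per_device[device]["days"].add(day)
        per_device[device]["dests"][dest] += 1
    report = {}
    for device, info in per_device.items():
        blockers, unknown = {}, []
        for dest, count in info["dests"].items():
            reachable = classification.get(dest)
            if reachable is None:
                unknown.append(dest)       # unclassified: treat as not yet safe
            elif not reachable:
                blockers[dest] = count
        days = len(info["days"])
        safe = not blockers and not unknown and days >= min_days_observed
        report[device] = {"safe": safe, "blockers": blockers,
                          "unknown": sorted(unknown), "days": days}
    return report

def blocking_workflows(report):
    """How many devices depend on each privileged-only destination: the
    work list for the 'fix and repeat' step before the next migration pass."""
    counts = defaultdict(int)
    for info in report.values():
        for dest in info["blockers"]:
            counts[dest] += 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    rep = migration_report(parse_flows(FLOW_LOG), REACHABLE_UNPRIVILEGED)
    for device, info in sorted(rep.items()):
        print(device, "SAFE" if info["safe"] else "HOLD", info)
    print("fix first:", blocking_workflows(rep))
```

Unclassified destinations hold a device back rather than being waved through: a workflow the traffic analysis has not yet accounted for is exactly the kind that breaks someone after the move.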


How we executed on BeyondCorp

Multi-year, cross-functional program.

High level executive support.

Top level company goal for a number of years.


BeyondCorp described to the Industry (2014) ...


BeyondCorp described to the Industry (2016) ...


Lots of interest

Interest from many organizations.

Reviewed in the Wall Street Journal:

“Google Moves its Corporate Applications to the Internet” (1)

“Google Reveals Details About Its Device-Centric Security Approach” (2)

Industry definitely moving in this direction.

1 http://blogs.wsj.com/cio/2015/05/11/google-moves-its-corporate-applications-to-the-internet/
2 http://blogs.wsj.com/cio/2016/04/05/google-reveals-details-about-its-device-centric-security-approach/


In a nutshell

1. Relying on perimeter defense is risky.

2. Have zero trust in your network.

3. Base all access decisions on what you know about the user and their device.


Questions and Answers ...