Google reveals own security regime policy trusts no network, anywhere, ever
'BeyondCorp' plan prefers analysis of user behaviour and device state instead
Google sees little distinction between board rooms and bars, cubicles and coffee shops; all are untrusted under its perimeter-less security model detailed in a paper published this week.
The "BeyondCorp model" under development for more than five years is a zero-trust network model where the user is king and log in location means little.
Staff devices including laptops and phones are logged into a device inventory service which contains trust information and snapshots of the devices at a given time.
Employees are awarded varying levels of trust provided they meet minimum criteria which authors Barclay Osborn, Justin McWilliams, Betsy Beyer, and Max Saltonstall all say reduces maintenance cost and improves device usability.
"The goal of Google’s BeyondCorp initiative is to improve our security with regard to how employees and devices access internal applications," the team says in the paper BeyondCorp: Design to Deployment at Google [PDF].
"Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user.
"BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or tiers, of access."
The centralised device inventory service has consumed billion of data sets on Google staff devices from 15 sources, including Active Directory; Puppet; and Simian; various configuration and corporate asset management systems; vulnerability scanners; certificate authorities, and network infrastructure elements such as ARP tables.
The zero trust architecture spells trouble for traditional attacks that rely on penetrating a tough perimeter to waltz freely within an open internal network.
Google's paper describes this security model in detail in order to help other security-advanced organisations follow suit.
"We believe that BeyondCorp has substantially improved the security posture of Google without sacrificing usability, and has provided a flexible infrastructure that will allow us to apply authorisation decisions based on policy unencumbered by technological restrictions," the team says.
"While BeyondCorp has been quite successful with Google systems and at Google scale, its principles and processes are also within the reach of other organisations to deploy and improve upon.
The "massive undertaking" was a challenge for security teams charged with minimising disruption. A two-pronged approach was run in a simulator where traffic was classified into services and security policies translated for each platform's firewall, finding decommissioned services that were still running without purpose.
Google security warns that lax communication about such a project will confuse users, while talking too much will prompt staff to request for exemptions.