BeyondCorp

How does BeyondCorp enable companies to get rid of VPNs while improving their security?

Google Cloud is committed to playing a pivotal role in the seamless transition of enterprises from a traditional to a modern working environment. This modernization forces enterprise employees to access company data and resources remotely. While virtual private networks (VPNs) have enabled this access, their security model is binary: it assumes that anything inside the network perimeter poses no threat and everything outside does. Enterprise data is now spread across multiple platforms, such as SaaS and IaaS applications, which extends the network perimeter well beyond the corporate premises. This makes life easier for cybercriminals, who gain numerous entry points into a company’s cloud.

BeyondCorp Enterprise is a Google Cloud offering that solves this problem. It is designed to provide end-to-end protection for both on-premise applications and applications hosted on Google Cloud Platform. Unlike a VPN, BeyondCorp’s security consists of multiple layers of checks, at both the front end and the back end, all of which must be passed before a given user is granted access to company data and resources. BeyondCorp’s Zero Trust model requires devices, systems, workloads and users to be authenticated before they are authorized, regardless of their location. Under this ‘Zero Trust’ approach, none of them is trusted by default. The result is better security for companies’ networks without sacrificing user efficiency.

BeyondCorp security

BeyondCorp Enterprise’s security model is based on the fundamental principle that only the right user, using the right device, under the right circumstances, can access company data and resources. BeyondCorp uses Cloud Identity to regulate access to SaaS applications and to secure user accounts. To achieve this, BeyondCorp requires the company’s administrators to supply information about all users, together with any other metadata about them, so that access can be granted to each employee dynamically and consistently. BeyondCorp also allows other identity providers, such as Okta, to be used.

To ensure that the company’s employees can work from anywhere, even on their personal devices, while the company’s data stays protected, BeyondCorp uses Endpoint Verification. This is a Chrome extension that, once enabled through the Google Workspace (formerly G Suite) Admin Console, lets the company’s administrators set up Endpoint Verification on both corporate and employee-owned devices. The Endpoint Verification extension provides a detailed inventory of the devices that have accessed the organization’s network. BeyondCorp uses the security posture it learns about a device when deciding whether that device is granted access to the network.

Google Cloud services behind BeyondCorp

One way BeyondCorp offers a security advantage over VPNs is Access Context Manager. This is a set of rules that the organization’s administrators define to regulate access to their applications. Applications are separated into tiers, with the most critical applications in the top tier. Top-tier applications receive the highest security priority, with more rules restricting access to them.

At the heart of BeyondCorp’s Zero Trust model is the Identity-Aware Proxy (IAP). This access proxy is more secure and much simpler to operate than a VPN. All traffic to the platforms mentioned above must pass through IAP, which checks the context, identity and device of each request before deciding whether the request is safe. IAP also handles requests made by the system itself, for example to install updates or disable user authentication.
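As an added example (not Google’s code or BeyondCorp’s implementation), the following Python models the access decision the two paragraphs above describe: a request’s identity, device posture and context are evaluated against named access levels, and each application tier requires more of them, so an unmanaged device is refused a top-tier application even from inside the corporate network. The level names, posture fields, groups and application tiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:  # posture signals of the kind Endpoint Verification reports (assumed names)
    managed: bool
    disk_encrypted: bool
    screen_lock: bool
    os_up_to_date: bool

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device: Device
    mfa_verified: bool
    on_corp_network: bool   # recorded for logging only: no level grants access on location alone

# Access levels in the spirit of Access Context Manager: named predicates over identity,
# device and context.  Names and rules are illustrative assumptions, not Google's.
ACCESS_LEVELS = {
    "authenticated": lambda r: bool(r.user),
    "mfa": lambda r: r.mfa_verified,
    "managed_device": lambda r: r.device.managed,
    "healthy_device": lambda r: (r.device.disk_encrypted and r.device.screen_lock
                                 and r.device.os_up_to_date),
}

# Applications by tier: the more critical the application, the more levels it requires.
APP_POLICIES = {
    "wiki":    {"levels": ["authenticated"], "groups": {"employees"}},
    "payroll": {"levels": ["authenticated", "mfa", "managed_device"], "groups": {"finance"}},
    "prod-db": {"levels": ["authenticated", "mfa", "managed_device", "healthy_device"],
                "groups": {"sre"}},
}

def decide(app: str, req: Request) -> tuple:
    """Evaluate one request as an IAP-style proxy would: (allowed, every failed check)."""
    policy = APP_POLICIES[app]
    reasons = [lvl for lvl in policy["levels"] if not ACCESS_LEVELS[lvl](req)]
    if not req.groups & policy["groups"]:
        reasons.append("not_in_authorized_group")
    return (not reasons, reasons)   # listing all failures keeps denials explainable in logs

if __name__ == "__main__":
    staff = frozenset({"employees", "sre"})
    healthy = Device(managed=True, disk_encrypted=True, screen_lock=True, os_up_to_date=True)
    byod = Device(managed=False, disk_encrypted=False, screen_lock=True, os_up_to_date=True)
    print(decide("prod-db", Request("alice", staff, healthy, True, False)))  # off-network, allowed
    print(decide("prod-db", Request("bob", staff, byod, True, True)))        # on-network, denied
```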

BeyondCorp Enterprise secures corporate data through multifactor authentication protocols, each of which is a robust control in its own right. It also ensures that corporate resources and data remain accessible to employees as long as they meet the security requirements. For these reasons, companies have no need for VPNs when this solution exists.
