When thinking about the next step in network security, we should all take inspiration from Google’s perimeter-less BeyondCorp initiative, where ad-hoc permissions are granted based on the identity of individual devices and users. BeyondCorp integrates two very important cybersecurity approaches: it translates the Zero Trust philosophy into a secured access architecture using Software Defined Perimeter (SDP) principles.
As Leonid Belkind, our Co-Founder and CTO, wrote in a blog post from the 2018 RSA Conference:
It’s all about identity, devices and applications, and no longer about IP based rules and network topologies.
It’s true. In BeyondCorp, there are no trusted entities. All resources are cloaked, and all traffic is regarded as suspicious until verified. And when access is granted, there is a secure link between the user and the specific isolated asset while all other company assets are hidden from non-authorized users.
“Rather than have a VPN around all this infrastructure, we decided to get rid of the walls entirely.” - Neil Mueller, Head of Infrastructure Product Marketing at Google
Face-to-face With Challenges
When Google embarked on the BeyondCorp initiative, it was no mean feat to develop a solution for addressing modern network security challenges. They faced two main issues: design and implementation. The need to be mindful of both the user experience and maintaining productivity at every step was integral to the solution.
The solution needed to be designed to support cloud infrastructure, hybrid environments and BYOD, as well as meet all of the requirements of modern infrastructure: flexibility, scalability, and manageability. All these factors had to be molded into a set of functional, intelligent, abstracted access policies to make sure that the right person accesses the right information in the right context. Surprisingly, this was especially relevant when designing access policies for internal-only services. Security policies needed to be extensive and robust enough to ensure resources were locked down in the most secure way, but still manageable at scale while providing a fast-access user experience.
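To make the contrast between "IP based rules" and identity-, device- and context-based access concrete, here is an added illustration that is not code from the original post, from Google or from any BeyondCorp product. It models a minimal default-deny policy evaluator in which the decision depends only on a verified user identity, the device's trust tier and the application being requested; the source IP is carried for logging but deliberately never consulted. The `legacy_allow` function beside it shows the perimeter rule it replaces. All application names, group names, tiers and requests are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass
class Device:
    managed: bool        # enrolled in the device inventory
    os_patched: bool     # passes the current patch baseline
    disk_encrypted: bool


@dataclass
class User:
    identity: str        # identity asserted by the identity provider
    groups: Set[str]
    mfa_verified: bool   # strong authentication completed for this session


@dataclass
class AccessRequest:
    user: User
    device: Device
    app: str
    source_ip: str       # kept for audit logs only; not an input to the decision


# Constructed per-application policy: required group and minimum device trust tier.
APP_POLICIES: Dict[str, Dict[str, object]] = {
    "wiki":    {"group": "employees", "min_tier": 1},
    "payroll": {"group": "finance",   "min_tier": 2},
}

# Constructed legacy perimeter: anything from the corporate range is trusted.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


def device_tier(d: Device) -> int:
    """Tier 0: unmanaged. Tier 1: managed. Tier 2: managed, patched and encrypted."""
    if not d.managed:
        return 0
    if d.os_patched and d.disk_encrypted:
        return 2
    return 1


def legacy_allow(req: AccessRequest) -> bool:
    """The rule BeyondCorp removes: location on the network implies trust."""
    return ipaddress.ip_address(req.source_ip) in CORP_NET


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Default-deny decision built from identity, device posture and the target app."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False, "unknown application: default deny"
    if not req.user.mfa_verified:
        return False, "identity not verified"
    if policy["group"] not in req.user.groups:
        return False, f"user not in required group {policy['group']}"
    tier = device_tier(req.device)
    if tier < policy["min_tier"]:
        return False, f"device trust tier {tier} below required {policy['min_tier']}"
    return True, "allow"


def compare(req: AccessRequest) -> Dict[str, object]:
    """Side-by-side result for one request, useful when reviewing a policy change."""
    allowed, reason = evaluate(req)
    return {"legacy": legacy_allow(req), "beyondcorp": allowed, "reason": reason}


# Constructed sample requests.
FINANCE_USER = User("alice@example.test", {"employees", "finance"}, mfa_verified=True)
HEALTHY_LAPTOP = Device(managed=True, os_patched=True, disk_encrypted=True)
PERSONAL_PHONE = Device(managed=False, os_patched=True, disk_encrypted=False)

PAYROLL_FROM_LAPTOP = AccessRequest(FINANCE_USER, HEALTHY_LAPTOP, "payroll", "203.0.113.7")
PAYROLL_FROM_PHONE_ON_LAN = AccessRequest(FINANCE_USER, PERSONAL_PHONE, "payroll", "10.1.2.3")
UNKNOWN_APP = AccessRequest(FINANCE_USER, HEALTHY_LAPTOP, "hr-beta", "10.1.2.3")

if __name__ == "__main__":
    for name, req in [("laptop/offsite", PAYROLL_FROM_LAPTOP),
                      ("phone/on LAN", PAYROLL_FROM_PHONE_ON_LAN),
                      ("unknown app", UNKNOWN_APP)]:
        print(name, compare(req))
```

The second request is the instructive one: the legacy rule admits an unmanaged phone simply because it sits on the corporate LAN, while the identity- and device-based policy denies it and states why; the first request, from a healthy managed device outside the network, is denied by the perimeter but allowed here.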
The BeyondCorp paradigm effectively addresses many issues that thousands of organizations are facing, but the system was originally designed to only be implemented internally at Google. While Google continues to refine their Zero Trust model, the high adoption rate of cloud-based resources is forcing companies of all sizes, regions and industries to re-evaluate traditional network security systems, such as firewalls, gateways, and intrusion prevention systems. It is clear that the answer to these security issues is a BeyondCorp-like security architecture, but the difficulty is that the majority of companies that want this type of corporate IT security don’t have the talent or resources to develop, implement, and maintain it.
Google has released some elements of its internal implementation, such as the Identity Aware Proxy (IAP) for Google Cloud Platform customers, but implementing these elements across an entire organization is almost impossible due to certain constraints they have introduced.
The reality is that there’s no need for companies to spend millions of dollars and countless man-hours on building their own BeyondCorp system. There is no reason to jump into the deep-end without access to the right kind of BeyondCorp experts who know how to make it work for you.
This is why we are advocating BeyondCorp-as-a-Service, which removes this very steep barrier to entry. This type of solution has many of the same advantages as other “as-a-service” solutions, including all commonly used CRM, ERP, servicing, messaging and storage solutions. Low up-front costs, quick setup and deployment, easy upgrades, accessibility, and scalability are strong reasons why “as-a-service” in general is integral to how we work today.
The added bonus of using this method to implement Zero Trust and SDP is the elimination of problems faced by Google. When provided as a service, deployment on your end is quick, straightforward, and seamless, so there is little to no productivity loss. There is no need to redesign security systems and processes within your company; the right solution should be easy to implement and connect effortlessly with your existing identity provider, development platform, internal notification solution, etc.
In addition, the onboarding process doesn’t require downtime or interruptions to ongoing company operations, and with the exception of one quick self-authentication step, users simply log onto their applications to access their corporate assets without even knowing they are using a new means of secured access. Once implemented, security appliances like VPNs and DMZs are no longer required, which significantly reduces costs, eliminates latency and turns the overall user experience into a cloud-native one.
More Than Just a Security Solution
BeyondCorp-as-a-service is as it should be – easy, cost-effective, smooth, and efficient. When implemented as a well-designed Zero Trust architecture, based on the SDP principles, this solution will provide superior security while eliminating network exposure, isolating applications, and enforcing authentication and authorization procedures for all users.
BeyondCorp-as-a-service is more than just a security solution; it’s an efficient user experience that provides superior security across all corporate environments and assets.