Fundamentals of the BeyondCorp ‘Zero-Trust’ Security Framework
Through a new approach to enterprise security, Google employees are able to work securely from any location without using a VPN. Can other organizations achieve the same?
BeyondCorp is the result of an initiative within Google to improve its own security practices with regard to how employees and devices access internal resources. Originally sparked by Operation Aurora, a highly sophisticated APT campaign disclosed in 2010 in which attackers gained privileged access to the internal networks of Google and a number of other large enterprises, BeyondCorp is the culmination of years of design and implementation within Google. Since rolling out across the entire organization, BeyondCorp has had a profound impact on the company as a whole, and it can serve as a modern enterprise security framework for other forward-thinking organizations to follow.
The details of the BeyondCorp architecture, along with Google’s own migration path can be found in a series of whitepapers: BeyondCorp: A New Approach to Enterprise Security (2014) and BeyondCorp: Design to Deployment at Google (2016).
BeyondCorp was designed from the inside out, and introduces a lot of fresh ideas to the security community that are more aligned with the operations of a modern enterprise organization.
With the rise of cloud computing, SaaS applications, and mobile devices, a company's systems and workforce are no longer confined to the office or data center. This reality is eroding the traditional perimeter model, where trust is determined purely by whether a request originates inside or outside the network. As numerous publicized breaches have shown, once an attacker gains a foothold inside the perimeter, they can move laterally with little resistance and have free rein over the company's sensitive data.
Google recognized this early in the design process and rejected network segmentation as the primary mechanism for securing its infrastructure. Instead, internal applications and services are reachable from the public Internet, and access is granted based on the device, its current state, and the user associated with it. Because presence on the corporate network confers no privilege, an insider or an attacker who reaches the internal network gains nothing from that position alone; every resource is defended with the same rigor one applies to anything exposed to the public Internet, because it effectively is.
Zero Trust by Default
The underlying property of a perimeterless architecture is that all network traffic is untrusted, regardless of origin. Instead of granting privileged access based on location and network rules, the BeyondCorp framework authenticates and authorizes every request in real time against a set of dynamic conditions, accounting for constant changes in user status and device state. Access decisions are made per request, and the credentials involved, such as single sign-on tokens, are short-lived, so a decision made earlier does not carry over once conditions change.
To make this possible, Google maintains a continuously updated inventory of employee devices, which is evaluated by a system known as the Trust Inferer. This system consumes device and host properties, such as whether the disk is encrypted or the latest patches are installed. Based on this information, the device is assigned a Trust Tier, a representation of its permitted access level. Every resource then has an associated minimum tier that must be met before it can be accessed, based on the sensitivity of the data it holds.
Centralized Access Proxy
In order to manage all the network traffic, enforce security controls, and protect against DDoS attacks, Google places a reverse proxy, the Access Proxy, in front of every resource. Each request flows through this central point, where it is fully authenticated and authorized. For authentication, Google operates its own Identity Provider service as the system of record, and the proxy supports a range of options such as OpenID Connect and OAuth to cover the authentication methods a backend service may use. Once identity is confirmed, authorization is checked against Access Control Lists that are queryable via remote procedure calls. Google developed its own domain-specific language for these Access Control Lists so that policies are readable by humans.
The Access Proxy enforces the coarse-grained policies that apply across the organization, while fine-grained checks specific to an individual resource are delegated to the backend service, which receives the authenticated identity and device trust tier from the proxy; the Trust Inferer feeds both by computing each device's tier from the inventory. These components complement each other well, separating the work of maintaining strict policies from the logic performed on each request. The Access Proxy is a key component of the BeyondCorp architecture because it lets the overall framework scale effectively, making life easier for those in charge of managing security.
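The trust-tier evaluation described under "Zero Trust by Default" and the Access Proxy's per-request ACL check, as an added Python example that is not from the BeyondCorp papers or from Google's code. The tier names and thresholds, the one-line rule syntax, the device inventory records and the users are all assumptions made here for illustration; a real deployment would bind the device to its inventory record through a client certificate presented to the proxy.

```python
# Added example, not code from the BeyondCorp papers or from Google: a toy
# access proxy that recomputes user and device trust on every request. Tier
# names, thresholds, rule syntax and inventory records are assumptions.
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):          # assumed trust tiers, lowest to highest
    UNTRUSTED = 0
    BASIC = 1
    PRIVILEGED = 2
    HIGHLY_PRIVILEGED = 3

@dataclass
class Device:
    cert_fingerprint: str     # binds the TLS client cert to this inventory record
    managed: bool
    disk_encrypted: bool
    patch_age_days: int       # days since the last security patch was applied

@dataclass
class User:
    username: str
    groups: frozenset
    mfa_verified: bool        # asserted by the identity provider for this session

@dataclass
class Rule:
    path_prefix: str
    group: str
    min_tier: Tier

def infer_tier(device) -> Tier:
    """Trust Inferer stand-in: derive a tier from observed device state.
    An unknown or unmanaged device never earns trust; thresholds are assumed."""
    if device is None or not device.managed:
        return Tier.UNTRUSTED
    if not device.disk_encrypted:
        return Tier.BASIC
    if device.patch_age_days > 30:
        return Tier.PRIVILEGED
    return Tier.HIGHLY_PRIVILEGED

def parse_acl(text: str) -> list:
    """Parse an assumed ACL language, one rule per line, '#' for comments:
         allow <path-prefix> group=<group> tier>=<TIER>"""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if (len(parts) != 4 or parts[0] != "allow"
                or not parts[2].startswith("group=") or not parts[3].startswith("tier>=")):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(parts[1], parts[2][6:], Tier[parts[3][6:]]))
    return rules

def authorize(user: User, device_fingerprint: str, path: str, inventory: dict, rules: list) -> tuple:
    """Access Proxy decision for one request: (allowed, reason). Device trust is
    read from the live inventory on every call, so a device that drifts out of
    compliance is denied on its next request, not at its next login. The longest
    matching path prefix governs; the default is deny."""
    if not user.mfa_verified:
        return False, "denied: session lacks MFA"
    tier = infer_tier(inventory.get(device_fingerprint))
    matching = [r for r in rules if path.startswith(r.path_prefix)]
    if not matching:
        return False, f"denied: no rule covers {path}"
    longest = max(len(r.path_prefix) for r in matching)
    for rule in (r for r in matching if len(r.path_prefix) == longest):
        if rule.group in user.groups and tier >= rule.min_tier:
            return True, f"allowed: {rule.path_prefix} via group={rule.group}, tier={tier.name}"
    return False, f"denied: {path} requires a higher tier or another group (device tier={tier.name})"

# Constructed policy and inventory for the demonstration (not real data).
ACL_TEXT = """
# path prefix          who               minimum device tier
allow /wiki/           group=all-staff   tier>=BASIC
allow /source/         group=eng         tier>=PRIVILEGED
allow /source/deploy/  group=sre         tier>=HIGHLY_PRIVILEGED
"""

def build_inventory() -> dict:
    return {"sha256:aa11": Device("sha256:aa11", True, True, 3),    # healthy, patched laptop
            "sha256:bb22": Device("sha256:bb22", True, False, 3)}   # managed but disk unencrypted

def demo() -> dict:
    rules, inventory = parse_acl(ACL_TEXT), build_inventory()
    alice = User("alice", frozenset({"all-staff", "eng", "sre"}), mfa_verified=True)
    out = {"healthy device -> deploy": authorize(alice, "sha256:aa11", "/source/deploy/run", inventory, rules),
           "unencrypted device -> source": authorize(alice, "sha256:bb22", "/source/repo", inventory, rules),
           "unknown device -> wiki": authorize(alice, "sha256:zz99", "/wiki/home", inventory, rules)}
    # Same user and device, but the inventory now reports it 45 days unpatched: it
    # drops to PRIVILEGED, loses the deploy path and keeps ordinary /source/ access.
    inventory["sha256:aa11"].patch_age_days = 45
    out["stale device -> deploy"] = authorize(alice, "sha256:aa11", "/source/deploy/run", inventory, rules)
    out["stale device -> source"] = authorize(alice, "sha256:aa11", "/source/repo", inventory, rules)
    return out

if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:30} {'ALLOW' if allowed else 'DENY'}  {reason}")
```

Running the script prints the five decisions from `demo()`. Two design points carry over to a real proxy: nothing in the decision inputs is a source IP or network location, and the device's tier is recomputed from the inventory on every call rather than cached at login, which is what turns a patch lapse or a disk-encryption change into an immediate loss of access.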
In shifting access controls from the perimeter to individual users and devices, BeyondCorp is more aligned with how modern enterprise organizations operate their infrastructure, applications, and workforce.
Real-Time Trust Evaluation
Environments are always changing, which calls for security practices that can adapt accordingly. BeyondCorp makes a point-in-time assessment of trust by building a profile of the user and the connecting device on every request. For security teams, it is critical to know who has access to what, and why they are allowed that access at any given time. With BeyondCorp, policies are more granular and more current than traditional methods such as maintaining a long list of firewall rules.
Intelligent Decision Making
Security teams are tasked with protecting sensitive resources without degrading the employee experience. This is often a point of tension within an organization, and it leads to insecure workarounds. With detailed information about the user and the connecting device, the BeyondCorp framework makes dynamic decisions about whether to accept or deny a specific request, each backed by a stated reason. The authentication and authorization processes are tightly integrated with the workflows employees already use, providing strong security measures without hurting productivity.
Enforced Security Controls
BeyondCorp promotes secure thinking across the entire organization by requiring employees to keep their devices up to date with the latest security patches. Another byproduct of moving all sensitive resources onto the untrusted public Internet is that it forces better habits: communicating over secure channels, encrypting data, monitoring all endpoints, implementing multi-factor authentication, keeping a device inventory, and managing credentials. The practices associated with the BeyondCorp framework contribute to a culture of security, with a degree of flexibility and visibility not found in traditional security methods.
As with any transformative shift that impacts the people, processes, and technology within a company, migrating to a Zero Trust architecture such as BeyondCorp comes with its own set of considerations. It’s up to the stakeholders to examine how this impacts the operations of the company, and make a call where the benefits outweigh the risks.
IT departments are faced with the challenge of tracking all employee devices – issued or bring your own. With BeyondCorp, device data is just as important as user data for evaluation. This means managing an inventory of devices, creating security policies, and monitoring usage. Google operates at the scale where it makes sense to manage this internally, however that may be too much to handle for your organization. Look to mobile device management vendors such as MobileIron or Citrix, and be sure to investigate how they integrate with your Identity Provider of record.
For a security framework to be successful within an organization, it must not get in the way of how people get their work done on a daily basis. You want to avoid forcing a poor user experience onto your employees, such as slow decisions or too many steps to get through. Another scenario to avoid is blocking access that is legitimately needed, or kicking someone out mid-session. Follow Google's lead and make the extra effort to ensure the workflows are streamlined and consistent with how your employees work today.
Collecting data from a wide range of devices across various protocols poses a number of challenges to ensure consistency across the inventory and policies. In order to provide real-time decision making, data must be correlated and transformed into a common format prior to analysis. Look to integration platforms such as Mulesoft or Dell Boomi that allow you to connect various data sources together in an aggregate form to make consistent trust decisions.
While originally developed for internal purposes within Google, BeyondCorp is a framework attainable by any forward-thinking organization willing to take a fresh look at their security practices. If we boil down BeyondCorp to its essence, it’s a modern take on the established Authentication, Authorization, and Accounting (AAA) framework that factors in the distributed teams and connected devices that make up a modern enterprise organization. Where BeyondCorp really stands on its own is how intelligent decisions are made in real-time, through understandable policies controlled by the organization.
Opinions expressed by DZone contributors are their own.