Last week, I met with a multi-billion-dollar Bay Area company. Among other topics, we discussed BeyondCorp and their desire to deploy Chromebooks to their employees. Encountering a large company seriously down this path really got me thinking. I’ve been a huge fan of BeyondCorp since Google Research published its concepts, presenting a model of security, trust and user enablement that I believe in.
I think the combination of the BeyondCorp-like philosophy and Chromebooks (or a similar workstation concept) is a new way of doing business that will inevitably become a standard. It improves security with regard to how employees and devices access applications, with policies based on information about a device, its state, and its associated user. As applications continue to move to the cloud, perimeter security practices are increasingly inadequate and that’s why IT management will be forced to adopt BeyondCorp-like practices. We are doing so today, and that’s why ScaleFT has just bought our entire company Chromebooks.
Why not MacBooks anymore?
Like most tech companies, we’ve deployed Apple MacBook Pros to our employees from the start. However, the utopian age of macOS™ being an unassailably secure computing platform is over. Sure, ten years ago, there were way fewer exploits in the wild against Macs. In fact, it was so rare, you could meet compliance requirements for workstation security simply by saying, “We use Macs.” There was no better solution for startup employee workstations, and it didn’t hurt that developers like me loved not having to configure X11. My workday revolved around local applications, sharing files with co-workers via email or committing to Subversion repositories. Access to these files or services might have been mediated by LDAP, but after I downloaded a file, its access control was now my personal problem.
Workflows have changed since then with the adoption of cloud services and mobile devices. If a document is just a file on my laptop, I can’t easily access it from my phone. Naturally, now I’m using cloud services and storing documents in products like Google Docs. As access to these resources has become distributed, authentication and authorization have been centralized, keeping access control a corporate problem, and less of a personal one.
And while workflow changes are important, the threat model for Macs has changed too. Now you must protect Macs from malware and other threats – just like Windows ten years ago. Companies solve this problem with compliance mandates of anti-virus, endpoint protection, disk encryption, and application whitelisting. These mandates make doing your job more complicated and they don’t make perimeter security a viable defensive posture.
Besides the inconvenience and lack of true security, deploying and managing a fleet of employee devices is all work that someone has to do. At ScaleFT (at least for today), that person is me.
How about Chromebooks?
The ChromeOS platform bakes security in at every layer. ChromeOS secures the boot loader, hardens the base OS, provides a viable TPM platform, and of course includes the Chrome browser. Additionally, the recent announcement of Android applications coming to Chromebooks will enable a better experience, especially for tools like Slack. Using a Chromebook means you have a minimalistic workstation with a secure base, limited local data, and long battery life, with workflows forced to leverage cloud services for everything. As a consequence of using only cloud services, access control is now built-in and centralized.
Once we accept that we trust TLS for transport security, and we trust the Chromebook device, the perimeter collapses. There’s no reason to try to enforce an artificial perimeter around the office network. We can treat office Wi-Fi as just a faster version of a Starbucks Wi-Fi. This is good because many people love caffeine and will absolutely be working from coffee shops with their laptops anyway. Team members should be able to access everything they need to do their jobs from where they’re working.
Instead of focusing on defending an outdated, complicated, highly customizable computing device, we are focusing on putting the right permissions and access controls on our cloud resources. Cloud services are the canonical storage for our business. We use Google Apps, Slack, Zenefits, GitHub, AWS, and Google Compute Engine every day.
We think this is how the future of corporate IT should look: trusted devices with dynamic access control using cloud services.
The Zen of BeyondCorp
BeyondCorp proposes a model around devices, users and services, where access control is dynamic and centralized. Each device is assigned a trust tier, based on observations from many data sources. Users’ access to resources is determined by the intersection of a device’s trust tier and that user’s permissions. This means a highly trusted user on a less trusted device would have reduced access to resources. Generic devices are difficult to trust – malware, complex patching routines, firmware attacks and more. Chromebooks by comparison are easy to trust. An easy-to-trust device makes users easier to trust and makes security less annoying.
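The decision rule described above (access is the intersection of the device's trust tier and the user's permissions) can be sketched as a small policy check. This is an added example, not code from this post, ScaleFT or Google; the tier names, device signals, thresholds and policy table are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):            # assumed tier names, lowest to highest
    UNTRUSTED = 0
    BASIC = 1
    HIGH = 2

@dataclass(frozen=True)
class Device:                   # observations gathered from several data sources
    managed: bool               # present in the company device inventory
    verified_boot: bool
    disk_encrypted: bool
    days_since_patch: int

def device_tier(d: Device) -> Tier:
    """Derive the trust tier; every threshold here is a constructed assumption."""
    if not d.managed:
        return Tier.UNTRUSTED
    if d.verified_boot and d.disk_encrypted and d.days_since_patch <= 14:
        return Tier.HIGH
    if d.disk_encrypted and d.days_since_patch <= 45:
        return Tier.BASIC
    return Tier.UNTRUSTED

# Constructed policy: resource -> (group the user needs, minimum device tier)
POLICY = {
    "wiki": ("staff", Tier.BASIC),
    "source-code": ("engineering", Tier.BASIC),
    "prod-console": ("engineering", Tier.HIGH),
}

def authorize(groups: set, device: Device, resource: str) -> bool:
    """Allow only if user permission AND device tier both satisfy the policy."""
    rule = POLICY.get(resource)
    if rule is None:            # unknown resource: default deny
        return False
    group, min_tier = rule
    return group in groups and device_tier(device) >= min_tier

def reachable(groups: set, device: Device) -> set:
    return {r for r in POLICY if authorize(groups, device, r)}

if __name__ == "__main__":
    engineer = {"staff", "engineering"}
    chromebook = Device(True, True, True, 3)
    stale_laptop = Device(True, False, True, 30)
    print(sorted(reachable(engineer, chromebook)))
    print(sorted(reachable(engineer, stale_laptop)))
```

The same engineer loses `prod-console` on the stale laptop because the device tier drops, even though the user's group membership is unchanged.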
There’s more to BeyondCorp than using Chromebooks. Traditionally every application had to know how to evaluate trust of a user, have its own user accounts, and try to maintain a network ACL. In a BeyondCorp model, you want to centralize trust evaluation, and provide a simpler model for each application. I already see this happening. At ScaleFT, we use Google authentication for every SaaS application that supports it.
BeyondCorp is just Google’s name for something even bigger. The transition to a perimeter-free architecture in the office and the datacenter is happening. The core ideas are around dynamically establishing the identity and authorization of devices, users, and even processes. Trust is not static. Static trust systems create static attack topologies. We’ve seen how these systems fail; we’re living in the outcome. Thankfully we have new ways to think about building secure organizations, and I’m excited about moving towards BeyondCorp.
Work in progress
Like Google has explained in their papers about BeyondCorp, it takes years to fully convert applications and workflows. For at least a year or two, we will have some MacBooks running 3 virtual machines and carrying sensitive data, so we are still implementing the classic IT controls, but we are working towards BeyondCorp. This is especially hard as ScaleFT builds native applications for Mac, Linux and Windows – but besides these development workflows almost everything else we do can be done on a Chromebook – and by focusing our company on the BeyondCorp model, less sensitive data will end up on these development machines regardless of how much we invest in putting controls on them. We think this is a good outcome.
Continuing the Conversation
I would love to hear what you think about deploying Chromebooks, the BeyondCorp philosophy, and the problems of organizational security. Organizational security is a cross-cutting concern; it takes people from all perspectives and roles in our community to figure this out. I’d be happy to continue the conversation with you via email or Twitter (@pquerna).