In recent years, Google has put tremendous effort into creating a security architecture that better maps to their global organization, the scale at which they operate, and the products that they offer. The BeyondCorp papers that we often reference here at ScaleFT have provided insight into their practices for how employees access protected resources, and now we’re fortunate to be given an in-depth view into how they secure their entire infrastructure through the publication of a new whitepaper, Google Infrastructure Security Design.
Why would a company like Google go to such great lengths to promote their internal security practices so openly? It has less to do with sharing for the sake of sharing, and more to do with their enterprise sales strategy. Cloud adoption has skyrocketed in the past few years, with the once skeptical enterprises now making the leap to the cloud. While Google Cloud Platform is playing catch-up to AWS in this space, they’ve made up a lot of ground in the last year alone; however, the continued battle for the enterprise will come down to a number of factors beyond just price and features - chief among them being trust. Transparency from the ground up is something that Google is eager to share as it provides assurances that sensitive company information is safeguarded when adopting Google Cloud Platform and G Suite.
For those of us with a keen interest in BeyondCorp outside of Google, this whitepaper backed up a number of key points with regards to the people, processes, and technology associated with the reference architecture. Here I’ll cover 5 quotes that caught my attention, and what they mean for anyone looking to adopt a BeyondCorp architecture within their own organization.
“We do not rely on internal network segmentation or firewalling as our primary security mechanisms”
The central theme of BeyondCorp is that it’s a perimeterless architecture, which is more aligned with the distributed environments of Google’s systems and workforce. That’s not to say subnets and firewalls should be killed off entirely in one fell swoop, just that these methods shouldn’t stand alone.
While this certainly makes for a powerful statement, it’s not the first step an organization should take down this path. Rather, it’s the end goal. You must first implement authentication, authorization, and accounting (AAA) that covers your employees, systems, and applications. At ScaleFT, we work closely with our customers to design the right AAA framework that leads to a perimeterless architecture like BeyondCorp.
“An end user login is verified by the central identity service which then issues a user credential, such as a cookie or OAuth token, to the user’s client device. Every subsequent request from the client device into Google needs to present that user credential.”
BeyondCorp is about making intelligent access decisions based on the user and the state of the connecting device. This is only really useful if the corresponding credentials are dynamic, issued at a point-in-time that is understood, revocable, and auditable.
With a centralized Identity Provider such as Active Directory, Google Identity Platform, or Okta handling authentication, the next step is to tie in the authorization process with the resource being requested. ScaleFT Dynamic Access Management integrates with your IdP to issue short-lived client-certificates for every authorization event, removing the use of static credentials that can easily be lost or stolen.
“In effect, any internal service which chooses to publish itself externally uses the GFE as a smart reverse-proxy front end. This front end provides public IP hosting of its public DNS name, Denial of Service (DoS) protection, and TLS termination.”
Pushing all internal applications to the public Internet quickly forces better security practices such as end-to-end encryption and perfect forward secrecy, but can open your systems up to network attacks. Placing a reverse proxy in front of the services manages the traffic by balancing the load and identifying any potential threats.
Adopting BeyondCorp doesn’t necessarily mean you have to operate infrastructure the same way Google does, or anywhere near the same level of scale. For most organizations, it’s a better option to leverage a service such as CloudFlare for DDoS protection. For an on-prem solution, F5 offers a robust appliance for similar use.
“Being on the corporate LAN is not our primary mechanism for granting access privileges. We instead use application-level access management controls which allow us to expose internal applications to only specific users when they are coming from a correctly managed device and from expected networks and geographic locations.”
Identity is of course a crucial component of the workflow, but what makes BeyondCorp unique is how the user and the connecting device together make up a profile on which trust decisions can be made in real time. Let’s say that Bob logs into a Sales app from his iPhone in San Francisco; it would certainly be suspicious for there to be another login attempt by Bob on a PC in Boston shortly afterwards. It is up to the access policy what happens next – the request could be outright denied, or the user prompted for another auth factor.
Every organization will have different risk tolerances, so it’s a matter of finding the right balance between security and usability. These competing forces often make for a lot of debate, but with BeyondCorp, the policies are fine-grained, and the decisions made are dynamic, allowing for more adaptability. A core component of ScaleFT Dynamic Access Management is the built-in Role Based Access Controls that allow managers to tune their team’s access policies.
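To make the user-plus-device decision concrete, here is an added example (not code from the whitepaper or from ScaleFT) of a small policy engine: it combines device posture, source network and the user’s last seen location into ALLOW, STEP_UP or DENY, and encodes the San Francisco/Boston case above as an implausible-travel check. The device inventory, city travel times and base timestamp are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical BeyondCorp-style policy engine (added example): identity, device
# posture, source network and recent location history are combined into one of
# ALLOW / STEP_UP / DENY. Inventory data below is constructed for the example.

@dataclass
class Request:
    user: str
    device_id: str
    network: str      # "corp-wifi" or "public"
    city: str
    at: datetime

@dataclass
class Posture:
    managed: bool
    disk_encrypted: bool
    os_patched: bool

DEVICES = {   # assumption: populated from an MDM / device inventory
    "bob-iphone": Posture(True, True, True),
    "bob-pc": Posture(True, True, True),
    "unknown-laptop": Posture(False, False, False),
}
# Minimum plausible travel time between two cities, in hours (constructed).
MIN_TRAVEL_HOURS = {frozenset({"San Francisco", "Boston"}): 5.0}
BASE = datetime(2017, 1, 20, 9, 0)

def make_request(user, device_id, network, city, hours_after_base=0.0):
    return Request(user, device_id, network, city, BASE + timedelta(hours=hours_after_base))

def implausible_travel(prev, cur: Request) -> bool:
    # Same user seen in two cities closer together in time than travel allows.
    if prev is None or prev.user != cur.user or prev.city == cur.city:
        return False
    floor = MIN_TRAVEL_HOURS.get(frozenset({prev.city, cur.city}), 0.0)
    return cur.at - prev.at < timedelta(hours=floor)

def decide(req: Request, history: list) -> str:
    posture = DEVICES.get(req.device_id)
    if posture is None or not posture.managed:
        return "DENY"       # unknown or unmanaged device: never exposed to the app
    prev = history[-1] if history else None
    if implausible_travel(prev, req):
        return "STEP_UP"    # looks like account misuse: demand another factor
    if not (posture.disk_encrypted and posture.os_patched) or req.network == "public":
        return "STEP_UP"    # degraded posture or untrusted network: extra factor
    return "ALLOW"
```

Whether the implausible-travel branch returns STEP_UP or DENY is exactly the policy choice the text describes; the rest of the engine is unchanged either way.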
“We aggressively limit and actively monitor the activities of employees who have been granted administrative access to the infrastructure and continually work to eliminate the need for privileged access for particular tasks by providing automation that can accomplish the same tasks in a safe and controlled way.”
BeyondCorp is just as much about minimizing the risk of insider threats as it is about thwarting cyber attacks. The level of visibility within the BeyondCorp architecture means that Google is always learning and adapting. They are being smart about automation in this regard by acknowledging that privileged access can often have a broader reach than the particular task being examined.
Organizations adopting DevOps best practices should closely examine the security implications of automation. For example, a CI/CD pipeline may include a number of tools coordinating with each other through an event-driven pipeline. These tools are performing administrative functions, which means they need the privilege to do so. A key feature of ScaleFT Dynamic Access Management is service users, where an automated tool can be authenticated and authorized in the same manner as a human, and issued short-lived credentials for one-time use.
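The credential properties called for earlier (dynamic, issued at a known point in time, revocable, auditable) and the single-use service-user credentials just described can be shown together. The following is an added example of a hypothetical credential service, not ScaleFT’s or Google’s implementation; the issuer key, TTL and principals are constructed, and an HMAC tag stands in for the certificate signature a real system would use.

```python
import hashlib
import hmac
import secrets

# Hypothetical credential service (added example). Every authorization event
# issues a credential that records who it was issued to and when, can be
# revoked centrally, is logged on every check, and, for service users, is
# consumed after a single use. Times are plain seconds to keep the example small.
ISSUER_KEY = b"constructed-issuer-key"   # constructed; a real issuer keeps this in an HSM/KMS
TTL_SECONDS = 600                         # short-lived: ten minutes

class CredentialService:
    def __init__(self):
        self.issued = {}     # credential id -> (principal, issued_at, single_use)
        self.revoked = set()
        self.audit = []      # (time, principal, credential id, outcome)

    def _tag(self, cid, principal):
        return hmac.new(ISSUER_KEY, f"{cid}:{principal}".encode(), hashlib.sha256).hexdigest()

    def issue(self, principal, now, single_use=False):
        cid = secrets.token_hex(8)
        self.issued[cid] = (principal, now, single_use)
        self.audit.append((now, principal, cid, "issued"))
        return f"{cid}:{principal}:{self._tag(cid, principal)}"

    def revoke(self, cid):
        self.revoked.add(cid)

    def check(self, credential, now):
        cid, principal, tag = credential.split(":")
        if cid not in self.issued or not hmac.compare_digest(tag, self._tag(cid, principal)):
            outcome = "forged"       # unknown id or tampered principal/tag
        elif cid in self.revoked:
            outcome = "revoked"
        elif now - self.issued[cid][1] > TTL_SECONDS:
            outcome = "expired"      # point-in-time issuance makes expiry unambiguous
        else:
            outcome = "ok"
            if self.issued[cid][2]:
                self.revoked.add(cid)   # single-use service credential: burn it now
        self.audit.append((now, principal, cid, outcome))
        return outcome
```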
Being able to learn from Google’s own efforts is what makes BeyondCorp an achievable security architecture for any organization willing to take a fresh look at how they manage privileged access to infrastructure and applications. Given that promoting their security practices closely aligns with their business strategy, I expect to see further transparency and more shared experiences come from Google.