Zero Trust Access with Beyondcorp

Prasanna Bhaskaran Surendran
Google Cloud - Community
4 min read · Aug 22, 2022

Zero Trust

Today most enterprises are moving towards hybrid work, and a large segment of users are working remotely post-COVID. Enabling this workforce to access resources securely is one of the key requirements of any enterprise. Zero Trust is the framework the industry is moving towards to address these challenges. Zero Trust is a security framework in which the user and the device are validated before access to resources and services is granted. Each user and device is considered untrusted and is checked for threats, data protection, and user and device context information before access to resources is provided.

Key Features of Zero Trust

Protection against Security Threats: Users connect from their homes and other untrusted networks. User endpoints have to be protected against malware- and phishing-based threats, and users should be protected from accessing malicious URLs.

Replacement for Legacy VPN: A legacy VPN solution adds performance overhead. The Zero Trust solution provides secure, encrypted tunnel-based communication that replaces traditional VPN-based access and improves performance, thereby improving the user experience.

Built-in Data Leakage Prevention: Data protection is one of the key features, since users will be connecting from outside the campus. The solution protects against intentional and unintentional data leaks.

Validate User & Device with Context-Aware Access & MFA: The user and device have to be authenticated before accessing resources, as they connect from an untrusted network. Each user and device access is authenticated per session. Multi-factor authentication ensures that users authenticate with a password plus a secondary factor, which can be a USB-based authenticator or an OTP, to validate the user and protect against credential-based attacks.

Help Maintain a Uniform Security Posture across Devices: Centralized management of assets helps maintain a uniform security posture across devices. A Zero Trust solution provides a way to monitor and manage assets centrally, so that resources are accessed based on device context.

Provide Access to Only the Specific Resources the User Needs: Zero Trust solutions enable administrators to give users access only to the required resources and applications, reducing the attack surface and providing fine-grained access control.

Beyondcorp

Beyondcorp is Google’s new approach to enterprise security. It started as an internal project at Google in 2011 and has scaled to enable employees to work from anywhere without a VPN. It validates user and device information before providing access to corporate resources.

Beyondcorp Enterprise

Beyondcorp Enterprise is the Zero Trust offering Google provides to enterprises to help their remote users securely access resources. Its key features include threat protection, data protection, DLP, device verification and secure access to applications.

Beyondcorp Enterprise Architecture (Figure 1)

Take the example in Figure 1 above, where three different kinds of users connect from different devices to the Beyondcorp solution: employees connecting from corporate devices, employees connecting from BYOD devices, and contractors connecting from their office systems.

  • Users connecting from Corporate device will have full access
  • Users connecting from BYOD will have limited access
  • Contractors connecting from their office systems will have limited access to Contractor Apps

Threat & Data Protection

Beyondcorp Enterprise has key threat and data protection features that provide security to users and devices. It integrates with Chrome to enhance protection. These include protection against web-based threats, malware protection and data loss prevention.

Administrators can use the Rule Audit Log to view logs and the Security Dashboard to monitor security events, the threat summary and the data protection summary, and to identify high-risk users and high-risk domains.

Access Protection

Beyondcorp Enterprise has fine-grained access rules to define and restrict access to services based on controls like user, device, location and time of access. Beyondcorp leverages four Google Cloud offerings:

  1. Identity and Access Management
  2. Identity Aware Proxy
  3. Access Context Manager
  4. Endpoint Verification

Identity and Access Management

Identity and Access Management enables condition-based access to Google Cloud resources. Administrators can use IAM Conditions to define access controls for principals based on defined attributes.

Identity Aware Proxy

Identity Aware Proxy helps administrators define HTTPS-, TCP- and SSH-based access to GCP resources. Identity Aware Proxy uses Identity and Access Management conditions to limit access to resources based on the user. This provides resource-level access instead of IP/port-based access.
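The two sections above (IAM Conditions and Identity Aware Proxy) come together in a conditional role binding: the IAP role is granted only while a condition on the request holds. The following is an added example, not code from the article or from Google; it models such a binding in plain Python. The condition expressions use real IAM Conditions syntax (an access-level membership test and a `request.time` cutoff), but the evaluator only understands those two clause shapes and fails closed on anything else, so it is not the Google CEL engine. The policy ID, group names, access-level names and dates are constructed placeholders.

```python
"""Added example: a simplified model of a conditional IAM binding on the
Identity Aware Proxy role. Not the real IAM engine; the evaluator accepts
only the two clause shapes used below and rejects anything else."""
import re
from datetime import datetime

ROLE = "roles/iap.httpsResourceAccessor"

# Constructed sample policy (placeholder policy ID and groups). Employees get the
# IAP role only when the request carries the "corp_managed" access level;
# contractors only with the "contractor_office" level and until a cutoff date.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": ROLE,
            "members": ["group:employees@example.com"],
            "condition": {
                "title": "employees_on_corp_devices",
                "expression": '"accessPolicies/POLICY_ID/accessLevels/corp_managed" in request.auth.access_levels',
            },
        },
        {
            "role": ROLE,
            "members": ["group:contractors@example.com"],
            "condition": {
                "title": "contractors_until_engagement_end",
                "expression": (
                    '"accessPolicies/POLICY_ID/accessLevels/contractor_office" in request.auth.access_levels'
                    ' && request.time < timestamp("2022-12-31T23:59:59Z")'
                ),
            },
        },
    ]
}

# The only two clause shapes this toy evaluator supports.
_LEVEL_RE = re.compile(r'^"([^"]+)" in request\.auth\.access_levels$')
_TIME_RE = re.compile(r'^request\.time < timestamp\("([^"]+)"\)$')


def parse_rfc3339(value: str) -> datetime:
    """Parse the UTC ('Z' suffix) RFC 3339 timestamps used in IAM conditions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_condition(expression: str, access_levels: list, now: datetime) -> bool:
    """Evaluate '&&'-joined clauses; any unsupported clause raises, i.e. fails closed."""
    for clause in (c.strip() for c in expression.split("&&")):
        if m := _LEVEL_RE.match(clause):
            if m.group(1) not in access_levels:
                return False
        elif m := _TIME_RE.match(clause):
            if not now < parse_rfc3339(m.group(1)):
                return False
        else:
            raise ValueError(f"unsupported clause in condition: {clause!r}")
    return True


def is_granted(policy: dict, role: str, principals: list, access_levels: list, now: datetime) -> bool:
    """True if a binding for `role` names one of the caller's principals and its condition holds."""
    for binding in policy["bindings"]:
        if binding["role"] != role or not set(binding["members"]) & set(principals):
            continue
        cond = binding.get("condition")
        if cond is None or evaluate_condition(cond["expression"], access_levels, now):
            return True
    return False


def decide(principals: list, access_levels: list, when: str) -> bool:
    """Would SAMPLE_POLICY grant ROLE to this request? (`when` is an RFC 3339 string.)"""
    return is_granted(SAMPLE_POLICY, ROLE, principals, access_levels, parse_rfc3339(when))


if __name__ == "__main__":
    corp = ["accessPolicies/POLICY_ID/accessLevels/corp_managed"]
    print("employee, corp device:", decide(["group:employees@example.com"], corp, "2022-08-22T10:00:00Z"))
    print("employee, no level:  ", decide(["group:employees@example.com"], [], "2022-08-22T10:00:00Z"))
```

The point to notice is that group membership alone never grants the role: the access level attached to the request (which Access Context Manager computes from device and network context) and the time window both have to hold, and an expression the evaluator does not understand denies rather than allows.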

Access Context Manager

Access Context Manager helps administrators define access controls based on IP address, user identity, device type and operating system. This helps define remote access based on BYOD policies and limits access based on whether the user connects from a corporate or a personal device.

Endpoint Verification

Endpoint Verification is a Chrome extension that, when installed, collects device information such as OS and device encryption status. This helps administrators maintain an inventory of devices and generate inventory-based reports.
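The Access Context Manager and Endpoint Verification sections above describe the other half of the decision: device attributes collected from the endpoint are matched against access levels, and the levels a request earns decide which of the three tiers from Figure 1 (full, limited, contractor apps) it gets. The following is an added example, not the article's or Google's code: a simplified Python model of that evaluation. The `devicePolicy` and `ipSubnetworks` field names and the encryption/OS enum values follow the Access Context Manager basic-level spec, but the three access levels, the tier mapping, the subnet and the device records are constructed for this example, and a real access level can combine several conditions while this model uses one condition per level.

```python
"""Added example: evaluate constructed access levels (Access Context Manager
basic-level field names) against device attributes of the kind Endpoint
Verification reports, then map the granted levels to the Figure 1 tiers."""
import ipaddress
from dataclasses import dataclass


@dataclass
class DeviceInfo:
    """Attributes reported for a device (constructed sample shape)."""
    os_type: str            # DESKTOP_MAC, DESKTOP_WINDOWS, DESKTOP_LINUX, DESKTOP_CHROME_OS, ...
    os_version: str         # e.g. "12.3.1"
    encryption_status: str  # ENCRYPTED, UNENCRYPTED or ENCRYPTION_UNSUPPORTED
    screenlock: bool
    corp_owned: bool        # True only for devices in the managed corporate inventory


# Hypothetical access levels, one basic-level condition each; every attribute
# inside a condition must match (AND). Names are placeholders.
ACCESS_LEVELS = {
    "corp_managed": {
        "devicePolicy": {
            "requireScreenlock": True,
            "requireCorpOwned": True,
            "allowedEncryptionStatuses": ["ENCRYPTED"],
            "osConstraints": [
                {"osType": "DESKTOP_MAC", "minimumVersion": "12.0.0"},
                {"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.0"},
            ],
        }
    },
    "byod_baseline": {
        "devicePolicy": {"requireScreenlock": True, "allowedEncryptionStatuses": ["ENCRYPTED"]}
    },
    # Contractors are admitted by source network only; 203.0.113.0/24 is a documentation range.
    "contractor_office": {"ipSubnetworks": ["203.0.113.0/24"]},
}

# Figure 1 mapping, most permissive first: which level unlocks which tier.
TIER_BY_LEVEL = [
    ("corp_managed", "full"),
    ("byod_baseline", "limited"),
    ("contractor_office", "contractor_apps"),
]


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def device_policy_matches(policy: dict, dev: DeviceInfo) -> bool:
    """Apply each devicePolicy field present; an absent field imposes no constraint."""
    if policy.get("requireScreenlock") and not dev.screenlock:
        return False
    if policy.get("requireCorpOwned") and not dev.corp_owned:
        return False
    allowed = policy.get("allowedEncryptionStatuses")
    if allowed is not None and dev.encryption_status not in allowed:
        return False
    constraints = policy.get("osConstraints")
    if constraints is not None:
        # The device must satisfy at least one listed OS constraint.
        for c in constraints:
            minimum = c.get("minimumVersion")
            if c["osType"] == dev.os_type and (
                minimum is None or _version_tuple(dev.os_version) >= _version_tuple(minimum)
            ):
                break
        else:
            return False
    return True


def level_matches(level: dict, dev: DeviceInfo, source_ip: str) -> bool:
    """All attributes of the level's single condition must hold."""
    subnets = level.get("ipSubnetworks")
    if subnets is not None:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in ipaddress.ip_network(s) for s in subnets):
            return False
    policy = level.get("devicePolicy")
    return policy is None or device_policy_matches(policy, dev)


def granted_levels(dev: DeviceInfo, source_ip: str) -> list:
    """Names of every access level this device/network context satisfies."""
    return [name for name, level in ACCESS_LEVELS.items() if level_matches(level, dev, source_ip)]


def access_tier(levels: list) -> str:
    """Most permissive Figure 1 tier the granted levels unlock; no level means no access."""
    for level, tier in TIER_BY_LEVEL:
        if level in levels:
            return tier
    return "none"


if __name__ == "__main__":
    samples = [  # constructed devices and source addresses (documentation IP ranges)
        ("employee / corp laptop", DeviceInfo("DESKTOP_MAC", "12.3.1", "ENCRYPTED", True, True), "198.51.100.7"),
        ("employee / BYOD", DeviceInfo("DESKTOP_WINDOWS", "10.0.19044", "ENCRYPTED", True, False), "198.51.100.8"),
        ("contractor / office PC", DeviceInfo("DESKTOP_WINDOWS", "10.0.19044", "UNENCRYPTED", False, False), "203.0.113.20"),
    ]
    for label, dev, ip in samples:
        levels = granted_levels(dev, ip)
        print(f"{label:24} levels={levels} tier={access_tier(levels)}")
```

Run as is, the three constructed devices land in the three Figure 1 tiers; an unencrypted personal laptop outside the contractor subnet earns no level and therefore no access, which is the fail-closed behaviour a context-aware policy should have.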

Zero Trust is a key framework every enterprise looks at implementing, and Beyondcorp Enterprise is a key solution that enables enterprises to adopt the framework and let their remote workforce access resources securely.

It is a non-VPN solution with built-in threat and data loss prevention. It identifies the user and provides user/device-based access using IAM Conditions, Identity Aware Proxy and Access Context Manager, and it supports MFA.

It helps with centralized management of assets and provides access to only the specific resources the user needs.

For more information on Beyondcorp, please check the documentation.
