
Google brings BeyondCorp zero-trust security to the masses

Google today made available BeyondCorp Remote Access, marking the first commercial product based on the zero-trust approach to network security that Google pioneered and has used internally for almost a decade. The cloud-based service lets employees access internal web apps from most devices, and from any location, without a traditional remote-access virtual private network (VPN).

Google originally planned to release the product later this year. But then the COVID-19 pandemic, and the resulting newly remote global workforce, drastically increased demand for remote worker security. And so Google bumped up the release date for a portion of the entire BeyondCorp stack that targets enterprises’ now-working-from-home employees, said Sunil Potti, VP and GM of Google Cloud, in an interview with SDxCentral.

“So, technically it is based on what Google’s using,” Potti said. “Functionality, scale wise, security wise, ease of configuration, ability to ramp another thousand, 10,000, 100,000 users — they are all literally checkboxes.”

And then later in the year Google plans to make available a “full stack offering” with additional capabilities and protection for more applications and resources, he said.

What Is BeyondCorp?

Google started developing BeyondCorp in 2010 after Chinese hackers successfully breached Google and other Silicon Valley tech giants’ networks, and stole intellectual property. This spurred Google to shift access controls from the network perimeter to individual users and devices.

“There was a major investment by Google to essentially hit the reset button on how to approach protection of both employees and assets,” Potti said. “And core to this was the fact that we shouldn’t differentiate between external threats versus internal threats. So when I’m in the office, or I’m at Starbucks, or I’m at home, everyone is viewed as an external user from a security-posture perspective. Independent of your location, you should be operating like a user on the network as long as you’re the right user.”

A year later the company rolled out BeyondCorp. It’s a zero-trust access approach that assigns rules and policies to workloads, virtual machines (VMs), or network connections, and then only allows necessary actions and connections in a workload or application and blocks anything else. The goal was to enable every Google employee to work from untrusted networks without the use of a VPN.

“Fast forward 10 years later, inside Google we have 100,000-plus employees who, with two weeks or a few weeks, we went from our majority being internal employees to external employees with no major ramp up of any additional technology,” Potti said.

Versus VPNs

As other enterprises face similar networking and security challenges related to a newly all-remote workforce, Potti says BeyondCorp provides a simpler and more secure alternative to traditional remote-access VPNs. These can be difficult to deploy and manage, and can be tough to scale to meet demand from an enterprise’s employees, contractors, and partners.

BeyondCorp Remote Access, on the other hand, can be deployed in days rather than months, according to Google. It is delivered as a cloud service so companies don’t need to upgrade VPN appliances or install agents on individual laptops. “You’re essentially not having to do anything major,” Potti said. It uses the Google network to connect to enterprise applications and resources, and it costs $6 per user per month.

“And this [BeyondCorp] has been going on for a while — this isn’t something that we just turned on as 1.0,” Potti said. “This is something that we already use to protect 100,000 employees, over 100,000 contractors, and it is also used to protect Google Cloud.”

Additionally, after the pandemic, when life returns to “normal,” whatever that looks like, the BeyondCorp approach will remain relevant to enterprise security, Potti said.

“What we’ve tried to adopt is a practical trade-off: how fast can we get something into everybody’s hands, at scale, globally, with the least friction, while still providing 60%, 70% of the value? And then, on that same foundation, 6 months from now or 12 months from now you can add more. The enterprise can control when to get to that 100% version of Google. This isn’t a COVID-19 Band-Aid. This is using the opportunity to hit the reset button like we did many years ago.”

―SDX Central


Copyright © 2024 Communications Today