The network perimeter is obsolete, according to Google’s engineers
Google has revealed plans to move all of its corporate IT operations into the cloud, embracing mobile working through what it calls ‘the BeyondCorp initiative’.
A spokesperson for the company told the Wall Street Journal it had already shifted around 90 percent of its corporate applications to remote data centers.
In terms of security, this approach grants access on the strength of a managed device and the user’s credentials rather than on network location: VPNs, firewalls and other controls that merely keep unauthorized traffic off the corporate network no longer decide who may reach an application.
Death of the perimeter
BeyondCorp, first described in a paper published in the December 2014 issue of USENIX ;login:, replaces reliance on the network boundary with three mechanisms applied to every request wherever it originates: authentication, authorization and encryption.
Its authors note that while a firewall might successfully keep attackers out of the network, it does nothing to stop them from moving freely once they are inside.
“While most enterprises assume that the internal network is a safe environment in which to expose corporate applications, Google’s experience has proven that this faith is misplaced,” wrote Google engineers Rory Ward and Betsy Beyer.
“Rather, one should assume that an internal network is as fraught with danger as the public Internet and build enterprise applications based upon this assumption.”
In contrast to the traditional model, BeyondCorp allows Google employees to work from anywhere in the world, although only when using laptops, smartphones and tablets issued and managed by the company. It also introduces blanket encryption, even for connections made from inside one of Google’s offices.
At the center of the new system are two continuously maintained databases: a user and group database that is updated as people join, leave or change positions within the company, and a device inventory that records every company-issued device and the account it belongs to. When a user signs on from a known device, the access proxy issues a temporary authorization scoped to the specific resources that user and device are permitted to reach.
In addition, every device is continuously assigned a trust level based on its current state: for example, a smartphone that is missing important updates would be denied access to sensitive resources until it is patched. The system also tracks device locations, so unusual movements can also result in restricted access – a similar approach is practiced by major banks to detect credit and debit card fraud.
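The access decision described in the two paragraphs above, as an added illustration (this is not Google’s code and is not taken from the paper): a user directory, a device inventory and a resource catalogue are constructed inline; a trust tier is inferred from device state (unmanaged devices get none, devices behind on updates are capped); each resource declares the group and minimum tier it requires; and a successful decision mints a short-lived, resource-specific authorization. The `source_ip` argument is accepted only to show that it is deliberately ignored, so a request from the office LAN earns no more trust than one from a café. The signing key, tier names and thresholds are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data (not from the paper or article): the directory,
# device inventory and resource catalogue a BeyondCorp-style policy consults.
USERS = {
    "alice": {"active": True, "groups": {"eng", "finance-ro"}},
    "bob": {"active": False, "groups": {"eng"}},          # has left the company
}
DEVICES = {
    "lt-0001": {"owner": "alice", "managed": True, "patch_days_behind": 3,
                "disk_encrypted": True},
    "ph-0002": {"owner": "alice", "managed": True, "patch_days_behind": 60,
                "disk_encrypted": True},                  # missing updates
    "byod-99": {"owner": "alice", "managed": False, "patch_days_behind": 0,
                "disk_encrypted": False},                 # not company-issued
}
RESOURCES = {
    "wiki": {"min_tier": "basic", "group": "eng"},
    "payroll": {"min_tier": "high", "group": "finance-ro"},
}
TIER_RANK = {"untrusted": 0, "basic": 1, "trusted": 2, "high": 3}
AUTHZ_KEY = b"demo-signing-key"   # assumption: a real deployment uses a managed key
AUTHZ_TTL = 900                   # seconds; the authorization is temporary


def infer_tier(device):
    """Rate a device from inventory facts. Unknown or unmanaged devices get no
    trust; a device behind on updates is capped at 'basic'."""
    if device is None or not device["managed"]:
        return "untrusted"
    if device["patch_days_behind"] > 30:
        return "basic"
    if not device["disk_encrypted"]:
        return "trusted"
    return "high"


def mint_authorization(user, device_id, resource, now):
    """Short-lived authorization bound to one user, device and resource
    (HMAC-SHA256 over a JSON body)."""
    body = json.dumps({"sub": user, "dev": device_id, "res": resource,
                       "exp": now + AUTHZ_TTL}, sort_keys=True)
    sig = hmac.new(AUTHZ_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_authorization(token, resource, now):
    """True only for an untampered, unexpired token issued for this resource."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(AUTHZ_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(body)
    return claims["res"] == resource and now < claims["exp"]


def decide(user_id, device_id, resource, source_ip, now=None):
    """Return (allowed, reason, token). source_ip is never consulted: an
    internal address buys no extra trust, exactly as the model intends."""
    now = time.time() if now is None else now
    user = USERS.get(user_id)
    if user is None or not user["active"]:
        return False, "unknown or deactivated user", None
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != user_id:
        return False, "device not in inventory for this user", None
    res = RESOURCES.get(resource)
    if res is None:
        return False, "unknown resource", None
    if res["group"] not in user["groups"]:
        return False, "user not in required group", None
    tier = infer_tier(device)
    if TIER_RANK[tier] < TIER_RANK[res["min_tier"]]:
        return False, f"device tier {tier} below required {res['min_tier']}", None
    return True, "ok", mint_authorization(user_id, device_id, resource, now)


if __name__ == "__main__":
    for args in [("alice", "lt-0001", "payroll", "203.0.113.7"),  # café, healthy laptop
                 ("alice", "ph-0002", "payroll", "10.0.0.5"),     # office, unpatched phone
                 ("alice", "byod-99", "wiki", "10.0.0.5"),        # office, unmanaged device
                 ("bob", "lt-0001", "wiki", "10.0.0.5")]:         # former employee
        allowed, reason, _ = decide(*args)
        print(args, "->", "ALLOW" if allowed else "DENY", reason)
```

Running the block denies the unpatched phone and the unmanaged laptop even though both sit on the office network, and allows the healthy managed laptop from a public address; the returned token verifies only for the resource it was minted for and only until it expires.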
With most applications already migrated, the paper warns that the remaining ones will be considerably harder to move to the BeyondCorp model.
“We anticipate a long tail of workflows that will take some time to move to BeyondCorp. For example, fat-client applications that use proprietary protocols to talk to servers will be a challenge,” concludes the paper.
“We are investigating ways to BeyondCorp such applications, perhaps by pairing them with an authentication service.”