How to use BeyondCorp to ditch VPN, improve security and go to the cloud

441 points, by fhoffa, almost 8 years ago

29 comments

fortyfivan, almost 8 years ago
Great to see them continue this series, and glad that this one touches on what it takes for other companies to achieve something similar. I talk about BeyondCorp a lot as evidence that the Zero Trust model works, and that employees will love it.

The most common feedback I get is that it seems like too much of a stretch for companies that don't operate at Google scale. That may be true if looking at the system as a whole, but the principles behind the architecture should attract anyone's attention - remove trust from the network by authenticating and authorizing every request based on what's known about the user and connecting device at the time of the request.

Disclaimer: I work for ScaleFT, a provider of Zero Trust access management solutions.

Edit: If folks are interested in hearing more about how other companies can achieve something similar, here's a video of a talk I gave at Heavybit a few months ago on the subject: https://www.heavybit.com/library/blog/beyondcorp-meetup-google-security-for-everyone-else/

jgsec, almost 8 years ago
I commend the Google team for not only deploying an effective and innovative security solution, but also for contributing to the security community through this series of informative articles.

Enterprises need to know that while BeyondCorp is Google-specific, there are similar types of open architectures that they can deploy today, most notably the Software-Defined Perimeter (SDP).

SDP is an open architecture from the Cloud Security Alliance, and with it security teams can ensure that:

- All users are authenticated and authorized BEFORE they can access network resources
- Network resources are inaccessible to unauthorized users, dramatically reducing the attack surface
- Fine-grained policies control access for all users – remote and on-premises – to all resources, whether physical, virtual, or cloud
- All network traffic is encrypted, even if the underlying protocol is insecure

Here's a video of me presenting on Software-Defined Perimeter at the CSA Summit at the 2017 RSA Conference https://www.youtube.com/watch?v=ysi_9c5fmBg and a brief overview from our corporate site https://www.cryptzone.com/products/appgate/why-a-software-defined-perimeter

Disclaimer: I led the CSA's Software-Defined Perimeter working group publication of SDP-for-IaaS, and am leading the current effort to create an SDP Architecture Guide. I also work at Cryptzone, an SDP platform vendor.

yegle, almost 8 years ago
My ex-manager who left Google for another well-established company once said the most missed thing from Google was the ability to work remotely right away on a corp laptop with BeyondCorp.

Disclaimer: I work for Google, not related to BeyondCorp.

johnmaguire2013, almost 8 years ago
I work for Duo Security, which this year launched the first major commercial implementation of BeyondCorp as a part of our product offering. Using it to jump on to the wiki, for diff reviews, and other internal resources has been excellent.

In addition to simple primary and second factor, you can design policies for MDM-controlled devices only (i.e. designing endpoints that are trusted for remote access), geolocation, and software versions on a per-application basis, for example.

I think save for a few use cases (SSH into your datacenter, e.g.), VPNs will be dead before we know it.

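The per-request decision that fortyfivan, jgsec and johnmaguire2013 describe above (authenticate and authorize every request from what is known about the user and the device at that moment, with per-application rules on device management, OS version and second factor, and no trust granted to the network the request arrives from) reduced to a runnable sketch. This is an added example written for this page; it is not Google's BeyondCorp code, the CSA SDP reference, or any vendor's product. The device attributes, trust tiers, minimum OS version, group names, resource names and the sample requests are all assumptions constructed for illustration.

```python
"""BeyondCorp-style per-request authorization (added example, not Google code).

Every request is decided from the user's identity and the device's current
inventory state; the source network is logged but carries no trust.
All attribute names, tiers and thresholds below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the device inventory / MDM
    has_device_cert: bool    # holds a certificate issued by the corp CA
    os_version: tuple        # e.g. (14, 2); compared against MIN_OS
    disk_encrypted: bool


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    mfa_verified: bool       # second factor completed in this session


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    source_ip: str           # recorded for the audit log only; never used to decide


MIN_OS = (14, 0)             # assumed patch baseline required for "full" trust
TIER_RANK = {"untrusted": 0, "basic": 1, "full": 2}

# Assumed per-application policy: minimum device tier, allowed groups, MFA.
RESOURCE_POLICY = {
    "wiki":       {"min_tier": "basic", "groups": {"eng", "sales"}, "mfa": False},
    "codereview": {"min_tier": "full",  "groups": {"eng"},          "mfa": True},
    "finance":    {"min_tier": "full",  "groups": {"finance"},      "mfa": True},
}


def device_trust_tier(device: Device) -> str:
    """Derive the trust tier from inventory state at the time of the request."""
    if not device.managed or not device.has_device_cert:
        return "untrusted"          # unknown, or cannot prove which device it is
    if device.disk_encrypted and device.os_version >= MIN_OS:
        return "full"
    return "basic"                  # known device that has drifted out of compliance


def authorize(req: Request) -> tuple:
    """Return (allowed, reason). Anything without a policy is denied."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, f"{req.resource}: no policy, default deny"
    tier = device_trust_tier(req.device)
    if TIER_RANK[tier] < TIER_RANK[policy["min_tier"]]:
        return False, f"device {req.device.device_id} is {tier}, needs {policy['min_tier']}"
    if not (req.user.groups & policy["groups"]):
        return False, f"{req.user.username} not in {sorted(policy['groups'])}"
    if policy["mfa"] and not req.user.mfa_verified:
        return False, "second factor required"
    return True, f"allow: user={req.user.username} device_tier={tier} from={req.source_ip}"


# Constructed sample users and devices.
ALICE = User("alice", frozenset({"eng"}), mfa_verified=True)
BOB = User("bob", frozenset({"sales"}), mfa_verified=False)
LAPTOP = Device("lt-0042", managed=True, has_device_cert=True, os_version=(14, 2), disk_encrypted=True)
STALE = Device("lt-0077", managed=True, has_device_cert=True, os_version=(13, 6), disk_encrypted=True)
BYOD = Device("unknown", managed=False, has_device_cert=False, os_version=(14, 2), disk_encrypted=False)


def run_samples() -> dict:
    """Evaluate constructed requests; the key names the scenario."""
    samples = {
        "eng_managed_from_cafe":  Request(ALICE, LAPTOP, "codereview", "203.0.113.9"),
        "eng_stale_os":           Request(ALICE, STALE, "codereview", "203.0.113.9"),
        "eng_stale_os_wiki":      Request(ALICE, STALE, "wiki", "203.0.113.9"),
        "byod_on_corp_lan":       Request(ALICE, BYOD, "wiki", "10.1.2.3"),
        "sales_no_mfa_finance":   Request(BOB, LAPTOP, "finance", "10.1.2.3"),
        "unknown_resource":       Request(ALICE, LAPTOP, "payroll", "10.1.2.3"),
    }
    return {name: authorize(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name:24} {why}")
```

The two requests from 10.1.2.3 are the point of the exercise: an unmanaged device on the corporate LAN is denied the wiki, while a managed, compliant laptop in a cafe is allowed into code review. The stale-OS laptop shows the tier model degrading gracefully rather than flipping to all-or-nothing: it keeps the wiki but loses code review until it is patched.
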
api, almost 8 years ago
This is really awesome. My own venture ZeroTier (www.zerotier.com) was strongly influenced by the original BeyondCorp paper. Our vision is a little different in that we do network virtualization that treats the whole world like one data center. Instead of eliminating the LAN you make it fully virtual and mobile and replace the physical perimeter with a cryptographic one.

Here's a somewhat over-simplified TL;DR on Google's approach:

Make everything in your company a SaaS app that lives on the Internet via cloud hosting or a proxy.

Nice but not always readily doable.

JoshMnem, almost 8 years ago
Yesterday, I saw an article[1] about Amazon's plans to block websites in their stores (a very bad thing) and was wondering when a company like Google was going to launch a VPN service. I wonder if these things will meet in the long term. If companies that control the network try to limit access to information about their competitors, then their competitors might try to liberate that information.

[1] http://gizmodo.com/just-in-time-amazon-patents-method-to-prevent-comparis-1796195563

manigandham, almost 8 years ago
This seems so completely obvious that it's surprising how common intranets and internal services locked only by network rules are.

Also highly recommend https://www.scaleft.com/ for anyone who wants BeyondCorp-style access to infrastructure.

madjam002, almost 8 years ago
How is this different or more secure than, let's say, TLS client authentication with the private key on a smart card / Yubikey?

rayvd, almost 8 years ago
Dumb question - is the 4th article in the series only available via ;login;[1]?

The other articles in the series have PDF links, but not the latest one. I'm assuming it will eventually...

[1] https://www.usenix.org/publications/login/summer2017/peck

com2kid, almost 8 years ago
With productivity apps being cloud hosted (Office 365, Google Docs, Tableau, PowerBI, etc.) and with source code and team management services being hosted (GitHub, Visual Studio Online, GitLab, etc.), a huge percentage of people's day-to-day work can seemingly happen without a VPN.

The largest notable exceptions seem to be internal file shares, and remote connections to machines that need to be behind a firewall.

I guess the overall point I have is that with the data files for both productivity and source code being stored cloud side, VPNs become less and less necessary for a large % of workers.

zxv, almost 8 years ago
Part 3 [0] discusses "Wrapping SSH traffic in HTTP over TLS." Can one comfortably do coding over a good cellular (LTE) connection over this?

I ask because I find it relatively comfortable to do coding on a Chromebook over a 'mosh' session over LTE.

[0] https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45728.pdf

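The mechanism behind "Wrapping SSH traffic in HTTP over TLS" that zxv asks about, as an added example written for this page (not the paper's code and not Google's client helper): the client-side helper, in the role OpenSSH's ProxyCommand option fills, sends an HTTP CONNECT to the access proxy; the proxy authenticates and authorizes the caller, answers 200, and from then on copies bytes in both directions, so the SSH handshake itself runs end to end inside the tunnel and the proxy never sees the session contents. To stay self-contained the exchange runs over plain TCP on localhost, a bearer token stands in for the proxy's real user and device checks, and an echo socket stands in for sshd; the TLS layer the paper puts underneath is omitted. The token, the target allowlist and the payload are constructed.

```python
"""SSH-over-HTTP CONNECT tunnel, reduced to its moving parts (added example).
Plain TCP stands in for TLS, a bearer token for real user/device authorization,
and an echo socket for sshd. All tokens, hosts and messages are constructed."""
import socket
import threading

ALLOWED_TOKENS = {"token-alice-lt-0042"}      # assumed: issued after user+device checks
ALLOWED_TARGET_HOSTS = {"127.0.0.1"}          # assumed: hosts this proxy may reach


def build_connect_request(host: str, port: int, token: str) -> bytes:
    """First bytes the client-side helper sends to the access proxy."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Proxy-Authorization: Bearer {token}\r\n\r\n").encode()


def parse_connect_response(head: bytes) -> int:
    """HTTP status code from the proxy's reply to CONNECT."""
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        raise ValueError("proxy did not answer with an HTTP status line")
    return int(parts[1])


def _read_head(sock: socket.socket) -> tuple:
    """Read up to the blank line; return (head, any bytes that followed it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf, b""
        buf += chunk
    head, rest = buf.split(b"\r\n\r\n", 1)
    return head, rest


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the far side."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_proxy_client(conn: socket.socket) -> None:
    """Access-proxy side: authenticate, authorize the target, then splice."""
    head, early = _read_head(conn)
    lines = head.decode(errors="replace").split("\r\n")
    request = lines[0].split(" ")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    token = headers.get("proxy-authorization", "").removeprefix("Bearer ")
    host, _, port = request[1].rpartition(":") if len(request) == 3 else ("", "", "")
    if request[0] != "CONNECT" or token not in ALLOWED_TOKENS:
        conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n")
        conn.close()
        return
    if host not in ALLOWED_TARGET_HOSTS or not port.isdigit():
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        conn.close()
        return
    upstream = socket.create_connection((host, int(port)))
    conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    if early:                        # client bytes that arrived with the request
        upstream.sendall(early)
    threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
    _pump(upstream, conn)            # from here on the proxy is an opaque byte pipe


def open_tunnel(proxy_addr, host: str, port: int, token: str) -> socket.socket:
    """Client side: after a 200 the returned socket talks straight to host:port."""
    s = socket.create_connection(proxy_addr)
    s.sendall(build_connect_request(host, port, token))
    head, _ = _read_head(s)
    status = parse_connect_response(head)
    if status != 200:
        s.close()
        raise PermissionError(f"proxy refused CONNECT with {status}")
    return s


def tunnel_roundtrip(token: str, payload: bytes = b"SSH-2.0-OpenSSH_example\r\n"):
    """Local demo: bytes echoed back through the tunnel, or None if the proxy refused."""
    echo, proxy = socket.socket(), socket.socket()   # stand-in sshd, access proxy
    for listener in (echo, proxy):
        listener.bind(("127.0.0.1", 0))
        listener.listen()
    threading.Thread(target=lambda: handle_proxy_client(proxy.accept()[0]),
                     daemon=True).start()
    try:
        tunnel = open_tunnel(proxy.getsockname(), "127.0.0.1",
                             echo.getsockname()[1], token)
    except PermissionError:
        echo.close()
        return None
    finally:
        proxy.close()

    def echo_once():                 # the proxy's upstream connection is already queued
        c, _ = echo.accept()
        c.sendall(c.recv(4096))
        c.close()
        echo.close()
    threading.Thread(target=echo_once, daemon=True).start()
    tunnel.sendall(payload)
    reply = b""
    while chunk := tunnel.recv(4096):    # EOF arrives once the echo side hangs up
        reply += chunk
    tunnel.close()
    return reply
```

On latency, which is the actual question: after the single CONNECT round trip the proxy adds no per-packet framing, so an interactive session pays roughly one extra hop of TCP forwarding plus the TLS record overhead of the real deployment. What it cannot give is mosh's UDP roaming and local echo; a cellular hand-off drops the TCP connection underneath the tunnel just as it would drop a plain ssh session.
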
angry_octet, almost 8 years ago
It almost seems like this could be described as dynamically building a per-user VPN, via inbound proxies for admission control and traffic src/dst filtering, and services hosted behind multiprotocol terminating proxies. Some extra client analysis (practically effective, even if no theoretically valid remote attestation), tedious but necessary work to understand the access patterns for all the internal services, etc.

It seems there can still be lateral re-infection via difficult-to-patch shared services (finance/procurement/obscure wikis). The example in one of the papers (delivery people not needing access to financial systems) is completely bogus -- sometimes the worst engineered, most XSS-y, mission-critical apps have to be accessed by everyone, have insanely hand-coded 'business logic', and no docs. Content-aware behavioral profiling would seem to have a role in managing that risk.

ransom1538, almost 8 years ago
Sorry, this will come off as a super dumb question. I use ssh. I can log in, edit, develop, run, basically anything. What am I missing? I thought VPNs were for 'admin' types that need access to an MS Excel file.

troymc, almost 8 years ago
"Over the course of the migration we've discovered [Google] services that we thought were long dead..."

Maybe some Google employees were still using Google Reader?

pamatthe, almost 8 years ago
Stumbled across beyondcorp.com a few months ago. Great to see Google, ScaleFT, and others pushing the envelope here.

brianhama, almost 8 years ago
This sounds a lot like Microsoft's DirectAccess, which has been in the Enterprise version of Windows since Windows 8. Please correct me if I'm wrong though.

metalliqaz, almost 8 years ago
Interesting. This will never happen at my big company, though. Seems hard to imagine most companies being able to manage the complexity.

maxsaltonstall, almost 8 years ago
The link in the blog post now points to a downloadable PDF thanks to Google Drive.

VectorLock, almost 8 years ago
Anywhere we can read the publication without being a subscriber to ;login;?

coverband, almost 8 years ago
Is there a link to the actual (fourth) paper? I only see the abstract.

macawfish, almost 8 years ago
"We discovered services we thought were long dead..."

libeclipse, almost 8 years ago
What's wrong with VPN?

tempodox, almost 8 years ago
Google wants my traffic for themselves and calls it "more secure". Ha ha, nice try.

talles, almost 8 years ago
Off topic: I never noticed that there's a .google TLD...

ddalex, almost 8 years ago
I n k

ddalex, almost 8 years ago
Llllklklll

mtgx, almost 8 years ago
Duo Security seems to be offering a BeyondCorp-like third-party solution for client companies:

https://duo.com/pricing/duo-beyond

devoply, almost 8 years ago
Yes, turn the keys over to Google. I am sure if you are an American Fortune 500 company you have no problem with this. Not so if you are a non-American company. Though a lot of people will jump on board despite the huge security implications of doing something like this and turning all your security over to Google. Meanwhile nation states are exploring how to use quantum encryption to prevent eavesdropping, others are being coerced to simply hand over security to a third party that you hardly trust with any sense of privacy.

cosarara97, almost 8 years ago
So Google bought the .google TLD!