Google zero-trust security framework goes beyond passwords


With a sprawling workforce, a wide range of devices running on multiple platforms, and a growing reliance on cloud infrastructure and applications, the idea of the corporate network as the castle and security defenses as walls and moats protecting the perimeter doesn’t really work anymore. Which is why, over the past year, Google has been talking about BeyondCorp, the zero-trust perimeter-less security framework it uses to secure access for its 61,000 employees and their devices. 

The core premise of BeyondCorp is that traffic originating from within the enterprise’s network is not automatically more trustworthy than traffic that originated externally. Instead of relying on traditional methods such as VPNs and login credentials to establish trust and verify identity, Google uses a “tiered access” model, which looks at the user’s individual and group permissions, the user’s privileges as defined by the job role, and the state of the device being used to make the request.

“As resource requests are made from devices, user credentials are verified and the state of the device is queried to assess its risk profile. On successful user verification, access to services is granted only if the assessed risk profile of the device matches the required trusted tier,” Michael Janosko, a manager in Google’s Security Engineering group, and Rosa La Prairie, a product manager for Google Android, wrote in a .

Tiered access associates internal services with a “trust tier” based on the sensitivity of the data, Google wrote in a . Access rights are based on multiple variables—usernames and passwords are just one part—such as device state, user’s group permissions, user’s job role, device behavior, and user behavior, to name a few. 
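An added example, not Google's code or part of the original article, of the access decision the passage describes: the user's credentials are verified first, the group permission is checked, and the device's assessed tier must meet the tier the service was assigned from its data sensitivity. The tier names, the device attributes, and the rules that map device state to a tier are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):  # assumed tier names; a higher tier satisfies a lower requirement
    UNTRUSTED = 0
    BASIC = 1
    PRIVILEGED = 2
    HIGHLY_PRIVILEGED = 3

@dataclass
class Device:
    managed: bool        # enrolled in the device inventory
    disk_encrypted: bool
    screen_lock: bool
    os_patched: bool     # on an approved, patched OS build

@dataclass
class User:
    username: str
    groups: frozenset
    credentials_verified: bool  # outcome of the identity check

@dataclass
class Service:
    name: str
    required_tier: Tier       # assigned from the sensitivity of its data
    allowed_groups: frozenset

def device_tier(d: Device) -> Tier:
    """Assess the device's risk profile from its reported state (assumed rules)."""
    if not d.managed:
        return Tier.UNTRUSTED
    if not (d.disk_encrypted and d.screen_lock):
        return Tier.BASIC
    if not d.os_patched:
        return Tier.PRIVILEGED
    return Tier.HIGHLY_PRIVILEGED

def authorize(user: User, device: Device, service: Service) -> tuple[bool, str]:
    """Verify the user first, then group permission, then the device's tier."""
    if not user.credentials_verified:
        return False, "deny: user credentials not verified"
    if not (user.groups & service.allowed_groups):
        return False, f"deny: {user.username} has no group permitted on {service.name}"
    tier = device_tier(device)
    if tier < service.required_tier:
        return False, f"deny: device tier {tier.name} below required {service.required_tier.name}"
    return True, f"allow: {user.username} on {service.name} from a {tier.name} device"
```

The same verified user is allowed onto a low-sensitivity service from an unpatched managed laptop but refused on a high-sensitivity one, which is the behaviour that makes the device, not the network location, the deciding factor.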

Security startup Duo Security offers , the first major commercial implementation of BeyondCorp, which lets enterprises differentiate between trusted and untrusted devices, control access to data, and limit remote access.

For most enterprises the reality is that they can’t just focus on defending the corporate network, because the bulk of their sensitive data now lives in cloud applications and many of their critical operations are performed in the cloud. Google shares some of the lessons it learned along the way in its tiered access whitepaper and the earlier BeyondCorp whitepaper. IT teams can use that guidance to develop a flexible access control system that goes far beyond the traditional network perimeter.