Life on the go

Remember when making a phone call in public meant finding a pay phone, hunting down a quarter, and squeezing into a small, dirty glass box for the entire conversation? Now, of course, anyone can make a phone call at any time from anywhere. We’ve all developed a different way of thinking about phone calls.

Googlers are often on the go

Likewise, life in the cloud offers more convenient ways to connect with each other and to think about the security of these connections. At Google—just like in many other organizations—we aren’t working solely at our desks. To be agile and productive, we need to be able to work just as securely on our laptops, tablets and mobile phones.

The traditional Virtual Private Network (VPN)-based intranet security model functioned like a moat around a castle. Outside of that moat, no one could gain access or even see in; the castle had no windows. But if someone could manage to breach the moat and sneak past the guards, they gained access to just about everything on the intranet.

Of course, Googlers don’t hang out in a castle all day. We’re exceedingly mobile, and in order to be productive, we need equal access from anywhere at any time. Which is why we’ve abandoned the idea of putting all our trust in a privileged intranet and launched a new security initiative called BeyondCorp.

This new paradigm in network security removes the need for a VPN, which eliminates the need for a VPN client, which makes life easier—and more secure—for both IT and our community of Googlers.

With BeyondCorp, we’ve shifted from a perimeter security model to one that doles out trust per user and device using a Trust Inferer—a system of real-time analysis that continuously checks and annotates device state and grants access with tiers of trust. Different types of resources are assigned different levels of security, and access is granted based on the state of both the user and the device at the time of the request.

Tiers of trust

Traditional IT security assumes that everything inside the Local Area Network (LAN) is safe, and everything outside is unsafe. But neither is inherently true; we can’t take for granted perfect safety inside the network and refuse to trust anything outside. And at the same time, we can’t just assume that because someone is using a Google device inside of Google’s network, security is assured.

Max Saltonstall, Program Manager, IT aka Corporate Engineering, Google

No network is inherently trustworthy across the board; we start with that premise, and make every device earn its trust.

—Max Saltonstall, Program Manager, IT aka Corporate Engineering, Google

Instead of giving Googlers access to everything at the office and nothing when they walk away from their desk, BeyondCorp makes a real-time, intelligent decision about whether to grant users access to data and internal applications in the moment. Now, they can be productive whether they’re in the office, at the coffee shop down the street, or on an airplane halfway to Singapore.

The level of trust users and devices are assigned is dynamic—it’s continuously reassessed and can be downgraded or upgraded at any time. Googlers are granted access to data and corporate applications depending on their user credentials, their device, and the device’s current state.

As long as a machine is in Google’s Device Inventory Service, it can be assigned a level of trust and given access to data according to that level. So, we have all the information we need—and that information is constantly changing—to make an access call in the moment.

Assigning trust levels

BeyondCorp is powered by several types of reverse proxies, a gateway that sits between the client and the resources to control access and balance load, so we can make real-time decisions about whether to grant that user, on that device, access to that resource. If both the user and device are cleared to access that level of trust, it’s a go.

Of course, the actual process that goes into making this flash decision is based on a lot of interconnected moving parts, including a reverse proxy, a dynamic device inventory, and a Trust Inferer. (For a more elaborate explanation, read BeyondCorp: Design to Deployment at Google.)

BeyondCorp components and access flow

The access decisions are based on two types of data:

  • 1. Prescribed data: Static, defined data, such as who is assigned to the device, its model number and serial number, and what access it has been given to particular VLANS.
  • 2. Observed data: Things that change, but are automated for easy check-in: Is the device encrypted? Does it have the latest OS and any crucial patches? When was a security scan last performed?

All Google devices report back to a central inventory system, so we can rigorously and continuously compare all devices to our current set of security policies to detect if a machine is out of compliance, and by how much. Every resource in the Google network is assigned a minimum trust tier required for access. The device and the user must both currently possess at least that basic trust tier in order to access the resource.

A device’s status can change at any time. As a device is given more and more access to higher-sensitivity resources, however, Google tests that device more frequently to ensure that it is retaining trustworthiness.

A device that reports back that it’s missing a critical security patch or showing the presence of an infection might be disabled so that the only resource it can access is remediation services; a device reported stolen would be denied access to all corporate resources.

2 Steps to anytime verification

Some resources simply require login from any machine. Others require a higher level of trust. In those cases, BeyondCorp requires a 2-step authentication process:

  • 1. The user logs into a trusted machine with something she knows (a password)
  • 2. And then proves that she is actually at that machine with something she has (for instance, Security Key, a physical device that can be inserted into a USB port)
Googlers use small USB security keys like this to prove that they are physically at the machine.

With this 2-step method of authentication, Google can confirm a user’s trustworthiness in the moment, and assign a level of access accordingly.

The same principle applies whether the user is at her desk at Google headquarters, at a colleague’s desk down the hall, or offsite entirely. This decision is based on the status of the device, not the user’s location.

Our ability to assign levels of trust give users convenient access while keeping our network safe—regardless of who crosses the moat.

Security in motion

Our philosophy is to empower Googlers with world-leading technology, and that commitment guides everything our IT team does. We always look at challenges with fresh eyes—never assuming that the status quo way of doing things is the best way.

In an organization that considers mobile a “first-class citizen,” we can’t afford to sideline mobile devices with an out-of-date security model. So, we built a security system that allows users to work in an intuitive, fluid and utterly productive way.

BeyondCorp has enabled better security at Google without sacrificing usability, and it has also given us a flexible infrastructure that we continue to iterate and finesse. And as we prove to ourselves that BeyondCorp’s new security paradigm works internally here at Google, we intend to share its principles and processes with other organizations.

  • Author
    Max Saltonstall, Program Manager, Corporate Engineering, Google

  • Topics
    Security, Privacy

  • Roles
    IT Leaders

  • Industries

Want to continue the discussion?