The document outlines Google's BeyondCorp initiative, which enables secure access to corporate resources without traditional firewalls, emphasizing a zero trust architecture. Key principles include user and device verification for access, authenticated and encrypted service interactions, and enabling access from untrusted networks. It also shares implementation guidelines, lessons learned over six years, and best practices for migrating towards this model.

1. SESSION ID:SESSION ID:
#RSAC
Heather Adkins
BeyondCorp -
How Google Protects Its Corporate
Security Perimeter without Firewalls
TECH-T11
Director of Security
Google
Rory Ward
Site Reliability Engineering Manager
Google

2. #RSAC
Story time

3. #RSAC
How your Enterprise is probably set up

4. #RSAC
A convergence of issues
4

5. #RSAC
WALLS
WORK
DON’T
Google’s realization ...
WALLS DON’T
WOR
K

6. #RSAC
A different approach

7. #RSAC
BeyondCorp Principles ...
#1 Connecting from a particular network must not determine which
services you can access.

8. #RSAC
BeyondCorp Principles ...
#2 Access to services is granted based on what we know about
you and your device.

9. #RSAC
BeyondCorp Principles ...
#3 All access to services must be authenticated, authorized
and encrypted.

10. #RSAC
Our Six Year Mission
To have every Google employee
work successfully from untrusted networks
without use of a VPN.

11. #RSAC#RSAC
Implementing BeyondCorp
How we did it and guidelines for how you can do it.

12. #RSAC
High Level
Access
Proxy
Single
Sign On
Access
Control
Engine
User
Inventory
Device
Inventory
Trust
Repository

13. #RSAC
Get intimate with your Users
User Inventory

14. #RSAC
Get intimate with your Devices
Device Inventory

15. #RSAC
Build a Dynamic Trust Repository
Trust
Repository

16. #RSAC
Build and Enforce Access Policy
Access
Control
Engine
User
Inventory
Device
Inventory
Trust
Repository

17. #RSAC
Enable Access from anywhere
Access
Proxy
Access
Control
Engine
Single
Sign On

18. #RSAC#RSAC
Migrating to BeyondCorp
How we did it and guidelines for how you can do it.

19. #RSAC
Migrating to BeyondCorp

20. #RSAC
Deploy an Unprivileged Network

21. #RSAC
Analyse our Traffic

22. #RSAC
Safely Migrate Devices

23. #RSAC#RSAC
Outreach
Telling the broader community about BeyondCorp

24. #RSAC
BeyondCorp described to the Industry

25. #RSAC#RSAC
Lessons Learned
What six years has taught us

26. #RSAC
Lessons Learned
• Get, and retain, executive
support.

27. #RSAC
Lessons Learned
• Data Quality is key.

28. #RSAC
Lessons Learned
• Enable Painless Migration.

29. #RSAC
Lessons Learned
• Clear User Communications.

30. #RSAC
Lessons Learned
• Run Highly Reliable Systems.

31. #RSAC
Applying BeyondCorp
1. Have zero trust in your network.
2. Base all access decisions on what you know about the user and
their device.
3. Migrate carefully so as not to break existing users.

32. #RSAC
Questions and Answers ...