
BeyondCorp - Google Security for Everyone Else



Presentation given at the Rocky Mountain InfoSec Conference - May 10, 2017.

Gives an overview of Google's BeyondCorp project, why Zero Trust is the right framework to follow, and how to get started at your own company.

Learn more about BeyondCorp at:

Learn more about ScaleFT at:


  1. BeyondCorp: Google Security For Everyone Else
     Rocky Mountain InfoSec - May 10th 2017
     Ivan Dwyer | @fortyfivan
  2. The BeyondCorp story begins with Operation Aurora
  3. Operation Aurora
     ➔ In 2009, a highly sophisticated APT originating from China targeted a number of large US-based enterprises, including Google, with the goal of accessing source code repositories
     ➔ The typical fear-driven response by most companies affected was to beef up their network perimeter security by adding more firewalls and VPNs
     ➔ Google recognized that these traditional methods were no longer effective on their own, and began a new initiative to redesign their security architecture from the ground up
  4. The network perimeter is not an effective way to determine trust
  5. Problems with the Perimeter
     ➔ The modern organization is no longer confined to the walls of the office - more employees are remote, systems are running in the cloud, and business apps are SaaS-based
     ➔ Common network segmentation tools such as the VPN don’t provide any visibility into traffic, and don’t factor in context when authenticating and authorizing requests
     ➔ Privileged access is backed by static credentials that can be easily lost, stolen or misused - effectively handing over the keys to the kingdom to anyone in possession
  6. Google got it right with BeyondCorp
  7. Core Principles
     1. Connecting from a particular network must not determine which services you can access
     2. Access to services is granted based on what we know about you and your device
     3. All access to services must be authenticated, authorized, and encrypted
     Mission: To have every Google employee work successfully from untrusted networks without the use of a VPN
  8. The BeyondCorp Papers
     ➔ BeyondCorp: A New Approach to Enterprise Security (Dec 2014)
     ➔ BeyondCorp: Design to Deployment at Google (Spring 2016)
     ➔ BeyondCorp: The Access Proxy (Winter 2016)
     Download at
  9. Google’s Reference Architecture (diagram slide)
  10. The Major Components
     Device Inventory Service: A system that continuously collects and processes the attributes and state of known devices.
     Trust Inferer: A system that continuously analyzes device attributes and state to determine its maximum trust tier.
     Access Policies: A programmatic representation of the resources, trust tiers, and other rules that must be satisfied.
     Access Control Engine: A centralized policy enforcement service that makes authorization decisions in real time.
     Access Proxy: A reverse proxy service placed in front of every resource that handles the requests.
     Resources: The applications, services, and infrastructure that are subject to access control by the system.
  11. A Typical User Workflow (diagram labels: Access Proxy, IdP, SSO)
     1. User request to resource flows through access proxy
     2. User is authenticated against the IdP via an SSO service
     3. User and device are authorized against the Access Policies
     4. A one-time credential is issued for the device to access the resource
  12. The Decision Making Process (diagram labels: Device Inventory with Attributes and State; Trust Inferer; Trust Tier; Access Policy with Trust Tier; Access Control Engine; Access Proxy)
  13. The Access Policy Language
     Global Rules: Coarse-grained rules that affect all services and resources. “Devices at a low tier are not allowed to submit source code.”
     Service-Specific Rules: Specific to each service or hostname; usually involve assertions about the user. “Vendors in group G are allowed access to Web application A.”
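How the pieces from slides 10 through 13 fit together in code, as an added example that is not from the slides or from Google's BeyondCorp implementation: a small Trust Inferer derives a device's tier from its inventory state, and an Access Control Engine evaluates global rules (the slide's "devices at a low tier may not submit source code") before the service-specific rules ("vendors in group G may access web application A"). Tier names, attribute names, hostnames, group names and the sample records are constructed for illustration.

```python
"""Added example, not code from the slides or from Google's BeyondCorp
implementation: a small Trust Inferer and Access Control Engine that evaluate
the two rule kinds on the slide, global rules and service-specific rules,
against a user and device record. Tier names, attribute names, hostnames and
group names are constructed for illustration."""
from dataclasses import dataclass

# Trust tiers from lowest to highest (constructed names, not Google's).
TIERS = ["untrusted", "low", "medium", "high"]


@dataclass(frozen=True)
class Device:
    device_id: str
    in_inventory: bool
    disk_encrypted: bool
    os_up_to_date: bool


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    in_good_standing: bool = True


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    service: str      # hostname of the resource behind the access proxy
    action: str       # e.g. "read" or "submit_source"


def infer_tier(device: Device) -> str:
    """Trust Inferer: derive the device's maximum trust tier from its state.
    Constructed ladder: the first failed check caps the tier."""
    if not device.in_inventory:
        return "untrusted"
    if not device.disk_encrypted:
        return "low"
    if not device.os_up_to_date:
        return "medium"
    return "high"


def tier_at_least(tier: str, minimum: str) -> bool:
    return TIERS.index(tier) >= TIERS.index(minimum)


# Global rules apply to every service. Each returns a denial reason or None.
def rule_user_in_good_standing(req: Request, tier: str):
    if not req.user.in_good_standing:
        return "user is not in good standing"
    return None


def rule_low_tier_cannot_submit_source(req: Request, tier: str):
    # The slide's example: "Devices at a low tier are not allowed to submit source code."
    if req.action == "submit_source" and not tier_at_least(tier, "medium"):
        return "device tier too low to submit source code"
    return None


GLOBAL_RULES = [rule_user_in_good_standing, rule_low_tier_cannot_submit_source]

# Service-specific rules keyed by hostname: minimum tier plus allowed groups.
# The first entry encodes "Vendors in group G are allowed access to Web application A."
SERVICE_RULES = {
    "web-app-a.corp.example": {"min_tier": "low", "groups": {"vendors-g", "engineering"}},
    "code-review.corp.example": {"min_tier": "medium", "groups": {"engineering"}},
}


def authorize(req: Request):
    """Access Control Engine: return (allowed, reason). Anything not
    explicitly allowed by a service rule is denied (least privilege)."""
    tier = infer_tier(req.device)
    for rule in GLOBAL_RULES:
        reason = rule(req, tier)
        if reason:
            return False, reason
    svc = SERVICE_RULES.get(req.service)
    if svc is None:
        return False, f"no access policy for {req.service}"
    if not tier_at_least(tier, svc["min_tier"]):
        return False, f"device tier {tier} below required {svc['min_tier']}"
    if not (req.user.groups & svc["groups"]):
        return False, "user not in a group allowed for this service"
    return True, f"allowed at tier {tier}"


if __name__ == "__main__":
    vendor = User("vera", frozenset({"vendors-g"}))
    engineer = User("alice", frozenset({"engineering"}))
    old_laptop = Device("lap-1", in_inventory=True, disk_encrypted=False, os_up_to_date=True)
    good_laptop = Device("lap-2", in_inventory=True, disk_encrypted=True, os_up_to_date=True)
    print(authorize(Request(vendor, old_laptop, "web-app-a.corp.example", "read")))
    print(authorize(Request(engineer, old_laptop, "code-review.corp.example", "submit_source")))
    print(authorize(Request(engineer, good_laptop, "code-review.corp.example", "submit_source")))
```

Global rules run first because they are the coarse cut that applies regardless of service; the service lookup is default-deny, so a resource nobody has written a rule for is unreachable through the proxy rather than silently open.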
  14. The Outcome for Google
     ➔ Google eliminated any dependency on network segmentation and VPNs
     ➔ Employees are able to seamlessly access company resources from any location
     ➔ Google has better visibility into their employee activity, and can better protect their sensitive resources
  15. Waymo vs Uber Case Example
     ➔ Google has accused a former employee of stealing proprietary technology documents
     ➔ In a deposition, they claim to have evidence as to all his activity on the company network
     ➔ The BeyondCorp architecture is a key reason they were able to collect such strong evidence
  16. Zero Trust Enables BeyondCorp for Everyone Else
  17. Why Zero Trust Matters
     1. Better definition of Corporate Identity that aligns with how employees operate today
     2. Access decision making is done with the right contextual information
     3. Access controls are centralized with better visibility into employee activity
     4. The enforced security measures encourage better corporate security posture
     5. The network no longer determines trust, eliminating common attack vectors
  18. Zero Trust introduces a new definition of Corporate Identity
  19. Corporate Identity Redefined
     User: Is the user in good standing with the company? Does the user belong to the Engineering org? Is the user on Team A working on feature X? ...
     Device: Is the device in inventory? Is the device’s disk encrypted? Is the device’s OS up to date? ...
     Corporate Identity = You + Your Device at a Point in Time
  20. Decision making is done with the right contextual information
  21. Revitalizing the AAA Framework +1
     Authentication: The new definition of Identity provides a better view of the requestor
     Authorization: Access decisions are made in real time based on dynamic conditions
     Auditing: Activity and traffic are inspected to identify patterns & anomalies
     Alerting: Incorporate workflows to ensure requests are handled properly
     Follow the Corporate Identity through the lifecycle of the request
  22. Access controls are centralized with visibility into employee activity
  23. Centralized Access Gateway
     Safe MitM: A reverse proxy in front of every resource handles every request
     Consistent Logging: A central point to log all traffic is better to analyze behavior
     Inherent Trust: Decouple access decision making from the resources themselves
     The Access Gateway should be globally distributed to avoid additional latency
  24. Enforced security measures encourage better corporate security posture
  25. Better Security Posture
     ➔ Keeping devices up-to-date with the latest software
     ➔ Maintaining an inventory of employee devices
     ➔ Monitoring all endpoints & logging all traffic
     ➔ Only communicating over fully encrypted channels
     ➔ Incorporating multi-factor auth
     ➔ Eliminating static credentials
  26. Eliminating static credentials solves for the most common attack vector
  27. Ephemeral Certificates
     ➔ A Certificate Authority issues single-use certificates to initiate a secure session
     ➔ Information about the user and connecting device can be injected into the certificate
     ➔ Each certificate is limited in scope and time, making it near impossible to hijack
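The three properties on the slide (single-use, carries user and device information, limited in scope and time) and what the resource side must check to enforce them, as an added example that is not from the slides or from any vendor's product. The one assumption is the signature: an HMAC over the canonical certificate fields stands in for the CA's signature so the example runs on the Python standard library alone; a real deployment signs X.509 or OpenSSH certificates with the CA private key and verifies with its public key. The secret, hostnames, users and device ids are constructed.

```python
"""Added example, not code from the slides or from any vendor: a stand-in
Certificate Authority that issues single-use, short-lived, host-scoped
credentials carrying user and device information, and a verifier that
enforces all three limits. Assumption: an HMAC over the canonical fields
plays the role of the CA signature so the example runs on the standard
library alone; a real deployment signs X.509 or OpenSSH certificates with
the CA's private key and verifies with its public key."""
import hashlib
import hmac
import json
import secrets
import time


def _signature(ca_secret: bytes, fields: dict) -> str:
    """Deterministic signature over the certificate fields (stand-in for a
    public-key signature). Canonical JSON so issuer and verifier agree."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ca_secret, canonical, hashlib.sha256).hexdigest()


class EphemeralCA:
    def __init__(self, ca_secret: bytes, ttl_seconds: int = 60):
        self._secret = ca_secret
        self.ttl = ttl_seconds

    def issue(self, user: str, device_id: str, device_tier: str, target_host: str, now=None) -> dict:
        """Issue one certificate for one session. The random serial is what
        makes it single-use; the validity window and target host bound its scope."""
        now = time.time() if now is None else now
        fields = {
            "serial": secrets.token_hex(8),
            "user": user,
            "device_id": device_id,
            "device_tier": device_tier,
            "host": target_host,
            "not_before": now,
            "not_after": now + self.ttl,
        }
        return {"fields": fields, "sig": _signature(self._secret, fields)}


class ResourceVerifier:
    """Runs at the resource, or at the access proxy in front of it."""

    def __init__(self, ca_secret: bytes, host: str):
        self._secret = ca_secret
        self.host = host
        self._used_serials = set()   # production: a shared store that expires entries with the cert

    def verify(self, cert: dict, now=None):
        now = time.time() if now is None else now
        fields = cert["fields"]
        expected = _signature(self._secret, fields)
        if not hmac.compare_digest(expected, cert["sig"]):
            return False, "bad signature"
        if fields["host"] != self.host:
            return False, "certificate scoped to another host"
        if not fields["not_before"] <= now <= fields["not_after"]:
            return False, "outside validity window"
        if fields["serial"] in self._used_serials:
            return False, "certificate already used"
        self._used_serials.add(fields["serial"])
        return True, f"session for {fields['user']} from {fields['device_id']} (tier {fields['device_tier']})"


if __name__ == "__main__":
    secret = b"constructed-ca-secret"
    ca = EphemeralCA(secret, ttl_seconds=60)
    build = ResourceVerifier(secret, "build.corp.example")
    cert = ca.issue("alice", "desktop-7", "high", "build.corp.example")
    print(build.verify(cert))   # first use succeeds
    print(build.verify(cert))   # replay of the same certificate is refused
```

The order of checks matters: the signature is verified before any field is trusted, so a certificate whose expiry or host was edited after issuance fails on the first test rather than being reasoned about at all.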
  28. Achieving a Zero Trust Architecture
  29. Where to Start
     1. Take an inventory of all employee devices - workstations, laptops, tablets, and phones
     2. Take an inventory of all company resources to protect - apps, databases, servers, etc.
     3. Take an inventory of all static credentials - shared passwords, ssh keys, etc.
     4. Diagram your system architecture and inspect traffic logs to understand behavior
     5. Start to collect device state metrics - is the OS up to date? Is the disk encrypted?
  30. Determining the Right Policy Framework
     ➔ User attributes
     ➔ Device attributes
     ➔ Location-based rules
     ➔ Time-based controls
     ➔ Groups and Roles
     ➔ Team federation
     ➔ Resource specific rules
  31. Trust Policy Models
     Trust Tiers: User and device metrics are analyzed and placed in a tier which must match the minimum tier associated with the resource
     Trust Scoring: User and device metrics are compiled and granted a score which must match the minimum level associated with the resource
     Trust Assertions: User and device attributes and state are individually matched against an Access Policy where all assertions must be true
     Regardless of the model, Trust follows the principle of Least Privilege
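Two of the three models on the slide, trust scoring and trust assertions, run against the same user-and-device record so that the difference in outcome is visible. This is an added example, not code from the slides; the attribute names, point weights, score floors and resource names are constructed.

```python
"""Added example, not code from the slides: the trust scoring and trust
assertion models from the slide evaluated against the same user-and-device
record, so the difference in outcome is visible. Attribute names, weights,
thresholds and resource names are constructed."""

# Points each satisfied attribute contributes under the scoring model (constructed).
SCORE_WEIGHTS = {
    "user_good_standing": 30,
    "device_in_inventory": 20,
    "device_disk_encrypted": 20,
    "device_os_up_to_date": 15,
    "device_mfa_used": 15,
}

# Each resource states both a score floor and an assertion list (constructed).
RESOURCE_POLICIES = {
    "hr-app": {
        "min_score": 70,
        "assertions": ["user_good_standing", "device_in_inventory", "device_disk_encrypted"],
    },
    "build-server": {
        "min_score": 85,
        "assertions": ["user_good_standing", "user_in_engineering", "device_in_inventory",
                       "device_disk_encrypted", "device_os_up_to_date", "device_mfa_used"],
    },
}


def identity(**overrides) -> dict:
    """Corporate Identity record (user + device at a point in time). The
    constructed defaults describe a fully compliant engineer; overrides
    degrade one attribute at a time."""
    rec = {
        "user_good_standing": True,
        "user_in_engineering": True,
        "device_in_inventory": True,
        "device_disk_encrypted": True,
        "device_os_up_to_date": True,
        "device_mfa_used": True,
    }
    rec.update(overrides)
    return rec


def trust_score(rec: dict) -> int:
    """Trust Scoring: compile the metrics into a single number."""
    return sum(w for attr, w in SCORE_WEIGHTS.items() if rec.get(attr))


def scoring_allows(resource: str, rec: dict) -> bool:
    policy = RESOURCE_POLICIES.get(resource)
    # Unknown resource: no policy, so deny (least privilege).
    return policy is not None and trust_score(rec) >= policy["min_score"]


def assertions_allow(resource: str, rec: dict) -> bool:
    """Trust Assertions: every predicate in the policy must be true."""
    policy = RESOURCE_POLICIES.get(resource)
    return policy is not None and all(rec.get(a) for a in policy["assertions"])


def compare(resource: str, rec: dict) -> dict:
    """Both models' answers for one request, side by side."""
    return {
        "score": trust_score(rec),
        "scoring": scoring_allows(resource, rec),
        "assertions": assertions_allow(resource, rec),
    }


if __name__ == "__main__":
    stale_os = identity(device_os_up_to_date=False)
    print("build-server, stale OS:", compare("build-server", stale_os))
    print("hr-app, unencrypted disk:", compare("hr-app", identity(device_disk_encrypted=False)))
```

The divergence is the point: under scoring, strong attributes compensate for a gap (a stale OS still reaches the build server's floor of 85), while under assertions the same gap is a hard failure. Which behaviour you want is a policy decision per resource, and the slide's footer on least privilege argues for making every requirement explicit where the resource is sensitive.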
  32. Example User Stories
     Behavioral patterns should influence policy definitions
     Alice, a release engineer, always uses ssh from her desktop to login to the build server during a release. What if a request from Alice to the build server comes from a laptop during a non-release time?
     Bob, who works in staffing, logs into the HR app from his office desktop every morning at 9AM. What if a request from Bob to a finance app comes from outside the office during the evening?
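One way to turn the two user stories into a check the access gateway can run, as an added example that is not from the slides: build a per-user baseline (devices, resources, locations and hours of day seen) from the gateway's access log, then flag a new request by how many of those dimensions it departs from. The log format, the log entries, and the response policy (allow, step-up authentication, or deny and alert) are all constructed for the example.

```python
"""Added example, not code from the slides: derive a per-user behavioral
baseline from access gateway logs and flag requests that fall outside it,
which is the situation in the Alice and Bob stories. The log format, the
entries and the response policy (allow / step-up / deny-and-alert) are
constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed access gateway log: timestamp user device_type resource location
LOG_LINES = """\
2017-05-01T09:02:11 bob desktop hr-app office
2017-05-02T09:00:45 bob desktop hr-app office
2017-05-03T08:58:30 bob desktop hr-app office
2017-05-04T09:05:12 bob desktop hr-app office
2017-05-01T14:10:00 alice desktop build-server office
2017-05-08T15:22:41 alice desktop build-server office
2017-05-15T13:47:09 alice desktop build-server office
""".splitlines()


def parse(line: str) -> dict:
    ts, user, device, resource, location = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "device": device, "resource": resource, "location": location}


def build_baseline(lines):
    """Per user: the devices, resources, locations and hours of day seen so far."""
    baseline = defaultdict(lambda: {"devices": set(), "resources": set(),
                                    "locations": set(), "hours": set(), "count": 0})
    for line in lines:
        e = parse(line)
        b = baseline[e["user"]]
        b["devices"].add(e["device"])
        b["resources"].add(e["resource"])
        b["locations"].add(e["location"])
        b["hours"].add(e["ts"].hour)
        b["count"] += 1
    return baseline


def anomalies(baseline, line: str, min_history: int = 3) -> list:
    """Reasons a request deviates from its user's baseline; empty means normal.
    A user with too little history cannot be judged, which is itself a reason."""
    e = parse(line)
    b = baseline.get(e["user"])
    if b is None or b["count"] < min_history:
        return ["insufficient-history"]
    reasons = []
    if e["device"] not in b["devices"]:
        reasons.append("new-device")
    if e["resource"] not in b["resources"]:
        reasons.append("new-resource")
    if e["location"] not in b["locations"]:
        reasons.append("new-location")
    if e["ts"].hour not in b["hours"]:
        reasons.append("unusual-hour")
    return reasons


def decision(reasons: list) -> str:
    """Constructed response policy: one deviation triggers step-up
    authentication; several together are denied and raised as an alert."""
    if not reasons:
        return "allow"
    if len(reasons) == 1:
        return "step-up"
    return "deny-and-alert"


if __name__ == "__main__":
    baseline = build_baseline(LOG_LINES)
    for req in ["2017-05-05T09:01:00 bob desktop hr-app office",
                "2017-05-05T21:30:00 bob laptop finance-app remote",
                "2017-05-20T22:15:00 alice laptop build-server office"]:
        r = anomalies(baseline, req)
        print(req, "->", r, decision(r))
```

The graded response is what connects this to the slide's Alerting column: a single new dimension (Alice on a laptop at her usual hour) is plausible and worth a step-up prompt, while Bob reaching a finance app from an unfamiliar device, outside the office, in the evening departs on every axis and belongs in an analyst's queue rather than in a silent allow.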
  33. Access Gateway Vendor Solutions
     The Access Gateway is the central component that ties the system together
  34. Companies Who Have Implemented Zero Trust
  35. Some Questions to Ask
     ➔ How will all the components integrate with each other?
     ➔ How to balance coarse-grained policies with fine-grained policies?
     ➔ What’s the best way to incorporate additional workflows for specific resources?
     ➔ What role does Identity Governance play? Can the IdP exist in the cloud?
     ➔ How to support legacy protocols and specifications consistently? Should you?
     ➔ How to track and monitor all the devices the employees use?
     ➔ How does this impact compliance? Where will it help?
  36. Potential Market Effects
     ➔ A new category of Cloud Native solution providers is emerging that is disrupting the legacy security companies who focus primarily on strengthening perimeter security
     ➔ Defined market categories such as IAM and PAM will converge into a single Access Management category that works across privileged and non-privileged users
     ➔ The Identity Provider space is about to heat up as cloud-based alternatives to Active Directory start to break through into the enterprise market
     ➔ The VPN market is going to be significantly impacted as more companies shift towards a Zero Trust model that places less (or no) emphasis on network protection as a security measure
  37. Where ScaleFT Fits
     We help companies achieve their own Zero Trust security architecture
     Architecture Reviews: We work closely with companies to design the right Zero Trust architecture for the organization
     Platform Implementations: Our Access Management platform can be deployed in any cloud or on-prem environment
     Community Development: We are leading the BeyondCorp movement, further educating the market about Zero Trust
  38. THANKS!! Get in touch: | @fortyfivan