Ivan Dwyer, profile picture
Uploaded byIvan Dwyer
2,044 views

BeyondCorp and Zero Trust

1. Google implemented a zero trust architecture called BeyondCorp to allow employees to work from untrusted networks without using a VPN. It granted access based on identity and device attributes rather than network location. 2. BeyondCorp has several components including an identity provider, device inventory, trust inferer, access policies, access proxy, and access control engine. It eliminated VPNs, streamlined the user experience, and reduced IT support tickets. 3. Zero trust is applying BeyondCorp principles to other organizations. It redefines identity as the user and device attributes. Access decisions are made in real time based on those attributes and dynamic conditions like being on an up-to-date device. This improves security by enforcing encryption and

Embed presentation

Downloaded 154 times
BeyondCorp and Zero Trust Bay Area Cyber Security Meetup - Sep 7th 2017 Ivan Dwyer | VP of Product Marketing | @fortyfivan
The BeyondCorp story begins with Operation Aurora
Google Got it Right With BeyondCorp 1 Connecting from a particular network must not determine which services you can access 2 Access to services is granted based on what we know about you and your device 3 All access to services must be authenticated, authorized, and encrypted Mission: To have every Google employee work successfully from untrusted networks without the use of a VPN
Google’s Reference Architecture
The Major Components Identity Provider The corporate system of record for employees and contractors, with groups and roles Device Inventory Service A system that continuously collects and processes the attributes and state of known devices Trust Inferer A system that continuously analyzes device attributes and state to determine its trust tier Access Policies A programmatic representation of the resources, trust tiers, and other rules that must be satisfied Access Proxy A reverse proxy service placed in front of every resource that handles the requests Access Control Engine A centralized policy enforcement service that makes authorization decisions in real time
Key Outcomes for Google ➔ Eliminated the use of perimeter-based network security controls – VPNs ➔ Streamlined end user experience for all Google employees across the globe ➔ More visibility into employee activity to identify behavioral patterns ➔ A 30% reduction in IT Support tickets through a better user experience
Zero Trust is BeyondCorp For Everyone Else
Corporate Identity Redefined Is the user in good standing with the company? Does the user belong to the Engineering org? Is the user on Team A working on feature X? Is the device in inventory? Is the device’s disk encrypted? Is the device’s OS up to date? Identity = You + Your Device at a Point-in-Time
Smarter Decision Making “You can’t submit source code from an unpatched device” “You can only reach the company wiki from a managed device” “Your disk must be encrypted to access the confidential file repository” “You can view the corporate phone directory from any device” Real-time trust attestation based on dynamic conditions
Better Security Posture ➔ Keeping devices up-to-date with the latest software ➔ Maintaining an inventory of employee devices ➔ Monitoring all endpoints & logging all traffic ➔ Only communicating over fully encrypted channels ➔ Incorporating multi-factor auth ➔ Eliminating the use of static credentials When security is usable, people like it and keep up with it
How to Achieve Your Own Zero Trust Architecture
Collect Your Relevant Data 1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones 2 Take an inventory of all company resources to protect - apps, databases, servers, etc. 3 Take an inventory of all static credentials - shared passwords, ssh keys, etc. 4 Diagram your system architecture and inspect traffic logs to understand behavior 5 Collect device state - is the software up to date? Is the disk encrypted?
Determine the Right Policy Framework ➔ User attributes ➔ Device state ➔ Location-based rules ➔ Time-based controls ➔ Groups and roles ➔ Team federation ➔ Resource specific rules
Write Job Stories to Understand Your Users Behavioral patterns should influence policy definitions Alice - Build Engineer When a release is ready, I want to login to the build server over ssh, so I can inspect the build logs. What if a request from Alice to the build server comes from a laptop during a non-release time? Bob - Recruiter When I arrive at the office in the morning, I want to login to the ATS, so I can review the day’s applicants What if a request from Bob to a finance app comes from outside the office during the evening?
Implement the Access Controls The ScaleFT Access Fabric
Recommendations 1 You don’t have to build the whole system yourself - leverage solutions for the hard parts 2 Be selective with the environments you support - operating systems, protocols, etc. 3 Start with simple global coarse-grained access policies before getting too fine-grained 4 Test your new system with simple apps that don’t contain sensitive data 5 Keep your network controls in place until absolutely confident the new system works
Companies Who Have Been Successful
THANKS!! Get in touch: ivan.dwyer@scaleft.com | @fortyfivan www.scaleft.com www.beyondcorp.com

More Related Content

PDF
BeyondCorp and Zero Trust
byIvan Dwyer
 
PDF
BeyondCorp - Google Security for Everyone Else
byIvan Dwyer
 
PDF
Zero trust in a hybrid architecture
byHybrid IT Europe
 
PDF
BeyondCorp: Closing the Adherence Gap
byIvan Dwyer
 
PDF
BeyondCorp New York Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
BeyondCorp Seattle Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
BeyondCorp Myths: Busted
byIvan Dwyer
 
PDF
BeyondCorp Austin Meetup: BeyondCorp Myths Busted
byIvan Dwyer
 
BeyondCorp and Zero Trust
byIvan Dwyer
 
BeyondCorp - Google Security for Everyone Else
byIvan Dwyer
 
Zero trust in a hybrid architecture
byHybrid IT Europe
 
BeyondCorp: Closing the Adherence Gap
byIvan Dwyer
 
BeyondCorp New York Meetup: Closing the Adherence Gap
byIvan Dwyer
 
BeyondCorp Seattle Meetup: Closing the Adherence Gap
byIvan Dwyer
 
BeyondCorp Myths: Busted
byIvan Dwyer
 
BeyondCorp Austin Meetup: BeyondCorp Myths Busted
byIvan Dwyer
 

What's hot

PPTX
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
bycentralohioissa
 
PPTX
5 Steps to a Zero Trust Network - From Theory to Practice
byAlgoSec
 
PPTX
COSAC 2021 presentation - AWS Zero Trust
byFrans Sauermann
 
PPTX
Ethical hacking
byAishwary Sinha
 
PDF
Forrester zero trust_dna
byCristian Garcia G.
 
PDF
CIS Security Benchmark
byRahul Khengare
 
PDF
Data protection on demand in hybrid it
byHybrid IT Europe
 
PDF
Top Azure security fails and how to avoid them
byKarl Ots
 
PPTX
Jason Kent - AppSec Without Additional Tools
bycentralohioissa
 
PPTX
Cloud – Helps or Hurts Insider Threat?
byThinAir
 
PPTX
Simplifying Security Management in the Virtual Data Center
byAlgoSec
 
PPTX
Bil Harmer - Myths of Cloud Security Debunked!
bycentralohioissa
 
PPTX
Kent King - PKI: Do You Know Your Exposure?
bycentralohioissa
 
PPTX
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
bycentralohioissa
 
PDF
How Google Protects Its Corporate Security Perimeter without Firewalls
byPriyanka Aash
 
PPTX
Insider Threat: How Does Your Security Stack Measure Up?
byThinAir
 
PPTX
Disección de amenazas en entornos de nube
byCristian Garcia G.
 
PDF
Managing risk and vulnerabilities in a business context
byAlgoSec
 
PDF
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
bycentralohioissa
 
PPTX
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
bycentralohioissa
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
bycentralohioissa
 
5 Steps to a Zero Trust Network - From Theory to Practice
byAlgoSec
 
COSAC 2021 presentation - AWS Zero Trust
byFrans Sauermann
 
Ethical hacking
byAishwary Sinha
 
Forrester zero trust_dna
byCristian Garcia G.
 
CIS Security Benchmark
byRahul Khengare
 
Data protection on demand in hybrid it
byHybrid IT Europe
 
Top Azure security fails and how to avoid them
byKarl Ots
 
Jason Kent - AppSec Without Additional Tools
bycentralohioissa
 
Cloud – Helps or Hurts Insider Threat?
byThinAir
 
Simplifying Security Management in the Virtual Data Center
byAlgoSec
 
Bil Harmer - Myths of Cloud Security Debunked!
bycentralohioissa
 
Kent King - PKI: Do You Know Your Exposure?
bycentralohioissa
 
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
bycentralohioissa
 
How Google Protects Its Corporate Security Perimeter without Firewalls
byPriyanka Aash
 
Insider Threat: How Does Your Security Stack Measure Up?
byThinAir
 
Disección de amenazas en entornos de nube
byCristian Garcia G.
 
Managing risk and vulnerabilities in a business context
byAlgoSec
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
bycentralohioissa
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
bycentralohioissa
 

Similar to BeyondCorp and Zero Trust

PPTX
Zero Trust Model
byYash
 
PDF
Practical Enterprise Security Architecture
byPriyanka Aash
 
PDF
110307 cloud security requirements gourley
byGovCloud Network
 
PDF
BATbern48_How Zero Trust can help your organisation keep safe.pdf
byBATbern
 
PDF
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
byCristian Garcia G.
 
PPSX
Zero-Trust SASE DevSecOps
byAraf Karsh Hamid
 
PPTX
Adopting A Zero-Trust Model. Google Did It, Can You?
byZscaler
 
PPTX
Overview of Google’s BeyondCorp Approach to Security
byPriyanka Aash
 
PDF
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
byHyTrust
 
PDF
The 1st Step to Zero Trust: Asset Management for Cybersecurity
bynathan-axonius
 
PDF
Enterprise Security Reloaded
byXylos
 
PDF
BeyondCorp SF Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
BeyondCorp Boston Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
How Zero Trust Changes Identity & Access
byIvan Dwyer
 
PPTX
Embracing secure, scalable BYOD with Sencha and Centrify
bySumana Mehta
 
PDF
SAP Application Access with Instasafe Zero Trust
byInstaSafe Technologies
 
PDF
Manage risk by protecting apps, data and usage
byCitrix
 
PDF
Moving Beyond Zero Trust
byscoopnewsgroup
 
PDF
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
byHitachi ID Systems, Inc.
 
PPTX
Secure adn Contained Access for Everybody, at Anytime
byUni Systems S.M.S.A.
 
Zero Trust Model
byYash
 
Practical Enterprise Security Architecture
byPriyanka Aash
 
110307 cloud security requirements gourley
byGovCloud Network
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
byBATbern
 
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
byCristian Garcia G.
 
Zero-Trust SASE DevSecOps
byAraf Karsh Hamid
 
Adopting A Zero-Trust Model. Google Did It, Can You?
byZscaler
 
Overview of Google’s BeyondCorp Approach to Security
byPriyanka Aash
 
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
byHyTrust
 
The 1st Step to Zero Trust: Asset Management for Cybersecurity
bynathan-axonius
 
Enterprise Security Reloaded
byXylos
 
BeyondCorp SF Meetup: Closing the Adherence Gap
byIvan Dwyer
 
BeyondCorp Boston Meetup: Closing the Adherence Gap
byIvan Dwyer
 
How Zero Trust Changes Identity & Access
byIvan Dwyer
 
Embracing secure, scalable BYOD with Sencha and Centrify
bySumana Mehta
 
SAP Application Access with Instasafe Zero Trust
byInstaSafe Technologies
 
Manage risk by protecting apps, data and usage
byCitrix
 
Moving Beyond Zero Trust
byscoopnewsgroup
 
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
byHitachi ID Systems, Inc.
 
Secure adn Contained Access for Everybody, at Anytime
byUni Systems S.M.S.A.
 

Recently uploaded

PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
December Patch Tuesday
byIvanti
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
API-First Architecture in Financial Systems
bycyy111112
 
The year in review - MarvelClient in 2025
bypanagenda
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 

BeyondCorp and Zero Trust

  • 1.
    BeyondCorp and ZeroTrust Bay Area Cyber Security Meetup - Sep 7th 2017 Ivan Dwyer | VP of Product Marketing | @fortyfivan
  • 2.
    The BeyondCorp storybegins with Operation Aurora
  • 3.
    Google Got itRight With BeyondCorp 1 Connecting from a particular network must not determine which services you can access 2 Access to services is granted based on what we know about you and your device 3 All access to services must be authenticated, authorized, and encrypted Mission: To have every Google employee work successfully from untrusted networks without the use of a VPN
  • 4.
  • 5.
    The Major Components IdentityProvider The corporate system of record for employees and contractors, with groups and roles Device Inventory Service A system that continuously collects and processes the attributes and state of known devices Trust Inferer A system that continuously analyzes device attributes and state to determine its trust tier Access Policies A programmatic representation of the resources, trust tiers, and other rules that must be satisfied Access Proxy A reverse proxy service placed in front of every resource that handles the requests Access Control Engine A centralized policy enforcement service that makes authorization decisions in real time
  • 6.
    Key Outcomes forGoogle ➔ Eliminated the use of perimeter-based network security controls – VPNs ➔ Streamlined end user experience for all Google employees across the globe ➔ More visibility into employee activity to identify behavioral patterns ➔ A 30% reduction in IT Support tickets through a better user experience
  • 7.
    Zero Trust isBeyondCorp For Everyone Else
  • 8.
    Corporate Identity Redefined Isthe user in good standing with the company? Does the user belong to the Engineering org? Is the user on Team A working on feature X? Is the device in inventory? Is the device’s disk encrypted? Is the device’s OS up to date? Identity = You + Your Device at a Point-in-Time
  • 9.
    Smarter Decision Making “Youcan’t submit source code from an unpatched device” “You can only reach the company wiki from a managed device” “Your disk must be encrypted to access the confidential file repository” “You can view the corporate phone directory from any device” Real-time trust attestation based on dynamic conditions
  • 10.
    Better Security Posture ➔Keeping devices up-to-date with the latest software ➔ Maintaining an inventory of employee devices ➔ Monitoring all endpoints & logging all traffic ➔ Only communicating over fully encrypted channels ➔ Incorporating multi-factor auth ➔ Eliminating the use of static credentials When security is usable, people like it and keep up with it
  • 11.
    How to AchieveYour Own Zero Trust Architecture
  • 12.
    Collect Your RelevantData 1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones 2 Take an inventory of all company resources to protect - apps, databases, servers, etc. 3 Take an inventory of all static credentials - shared passwords, ssh keys, etc. 4 Diagram your system architecture and inspect traffic logs to understand behavior 5 Collect device state - is the software up to date? Is the disk encrypted?
  • 13.
    Determine the RightPolicy Framework ➔ User attributes ➔ Device state ➔ Location-based rules ➔ Time-based controls ➔ Groups and roles ➔ Team federation ➔ Resource specific rules
  • 14.
    Write Job Storiesto Understand Your Users Behavioral patterns should influence policy definitions Alice - Build Engineer When a release is ready, I want to login to the build server over ssh, so I can inspect the build logs. What if a request from Alice to the build server comes from a laptop during a non-release time? Bob - Recruiter When I arrive at the office in the morning, I want to login to the ATS, so I can review the day’s applicants What if a request from Bob to a finance app comes from outside the office during the evening?
  • 15.
    Implement the AccessControls The ScaleFT Access Fabric
  • 16.
    Recommendations 1 You don’thave to build the whole system yourself - leverage solutions for the hard parts 2 Be selective with the environments you support - operating systems, protocols, etc. 3 Start with simple global coarse-grained access policies before getting too fine-grained 4 Test your new system with simple apps that don’t contain sensitive data 5 Keep your network controls in place until absolutely confident the new system works
  • 17.
    Companies Who HaveBeen Successful
  • 18.
    THANKS!! Get in touch:ivan.dwyer@scaleft.com | @fortyfivan www.scaleft.com www.beyondcorp.com