BeyondCorp is Google's approach to access management that eliminates the need for a VPN. It is based on zero-trust principles where access is granted based on who the user is and what device they are using rather than which network they connect from. Google implemented dynamic access policies that consider user identity, device security properties, and request context to determine access in real-time. The key aspects of BeyondCorp include redefining corporate identity as the user and device, making access decisions based on their current attributes and state, removing trust from networks by centralizing access controls, and issuing short-lived credentials to authenticate users and devices securely. The document provides guidance on starting with BeyondCorp by taking inventories, defining access use cases as job stories

1. BeyondCorp: Closing the Adherence Gap
BeyondCorp New York Meetup - Feb 15th 2018
Ivan Dwyer | @fortyfivan

2. The Adherence Gap: A Written Policy That Isn’t Enforceable In Practice

3. All Too Common Behaviors
● Sharing/committing passwords and keys
● Not revoking credentials when employees leave
● Giving contractors too much privileged access
● Connecting to resources using unpatched devices
● Not logging and/or monitoring user activity
● Not assigning role based access controls

4. Google Got it Right With BeyondCorp
1 Connecting from a particular network must not determine which services you can access
2 Access to services is granted based on what we know about you and your device
3 All access to services must be authenticated, authorized, and encrypted
Mission: To have every Google employee work successfully
from untrusted networks without the use of a VPN

5. Google’s Own Implementation

6. A Zero Trust State of Mind

7. Redefine Corporate Identity
Is the user in good standing with the company?
Does the user belong to the Engineering org?
Is the user on Team A working on feature X?
Is the device in inventory?
Is the device’s disk encrypted?
Is the device’s OS up to date?
Identity = You + Your Device at a Point-in-Time

8. Make Smarter Decisions in Context
“You can’t submit source code from an
unpatched device”
“You can only reach the company wiki
from a managed device”
“Your disk must be encrypted to access
the confidential file repository”
“You can view the corporate phone
directory from any device”
Real-time trust attestation based on dynamic conditions

9. Remove Trust From the Network
Access
Controls
Why the request was denied
request context
NO
YES
Access
Policies
AuthN AuthZ
Centralize access controls at Layer 7 where policy can be enforced

10. Eliminate Static Credentials
➔ Issue short-lived client certificates or web
tokens to initiate secure sessions
➔ Inject metadata about the user and connecting
device into the credential
➔ Limit each credential in scope and time,
making it near impossible to hijack
Dynamic attestation needs a dynamic credential to match

11. Getting Started With BeyondCorp

12. The Discovery Phase
1 Take an inventory of all employee devices - workstations, laptops, tablets, and phones
2 Take an inventory of all company resources to protect - apps, databases, servers, etc.
3 Take an inventory of all static credentials - shared passwords, ssh keys, etc.
4 Diagram your system architecture and inspect traffic logs to understand behavior
5 Monitor device state - is the software up to date? Is the disk encrypted?

13. Write Job Stories for Your Use Cases
Alice - Build Engineer
When a release is ready, I want to login to the build
server over ssh, so I can inspect the build logs.
Bob - Recruiter
When I arrive at the office in the morning, I want to login
to the ATS, so I can review the day’s applicants.
Behavioral patterns should influence how policies are framed

14. Determine Your Policy Framework
➔ Role based access controls
➔ User attributes
➔ Device state
➔ Location-based rules
➔ Time-based controls
➔ Team federation
➔ Resource specific rules
Trust Tiers
User and device metrics are analyzed and placed in a tier
which must match the minimum tier associated with the
resource
Scoring System
User and device metrics are compiled and granted a
score which must match the minimum level associated
with the resource
Assertions
User and device attributes and state are individually
matched against an Access Policy where all assertions
must be true

15. Implement the Access Controls

16. Where ScaleFT Fits
WEB ACCESS
Manage who has access to what company
web apps through a simple policy-based
framework that authenticates and
authorizes every request in real-time
SERVER ACCESS
Securely connect to Linux and Windows
servers over SSH and RDP through a pure
client certificate architecture that eliminates
the use of static credentials

17. THANKS!!
Get in touch: ivan.dwyer@scaleft.com | @fortyfivan
www.scaleft.com
www.beyondcorp.com