Google is launching a commercial zero-trust remote access service that will allow companies to enable their work-from-home employees to access internal web-based applications without the need of virtual private networks (VPNs). Called BeyondCorp Remote Access, the subscription-based service will be part of Google Cloud’s portfolio and will cost $6 per user per month, but it will not require customers to already be users of Google’s existing cloud-based services or enterprise collaboration tools.
Google has been an early adopter of zero trust network architecture for its own corporate network, a process that started a decade ago and has been documented over the years in a series of papers and blog posts. The company calls its approach BeyondCorp, and it is centered around the idea of access to applications and services being granted based on user and device identity and security posture regardless of their location in respect to the traditional corporate network perimeter.
With a lot of IT infrastructure moving to the cloud and enterprises having to accommodate outside contractors in addition to their own remote employees, having security policies tied to a strictly defined network perimeter has become increasingly hard. With BeyondCorp and zero-trust access in general, there is no network perimeter. All users are treated as external users and are subject to the same identity and security checks before being granted access to resources.
The COVID-19 pandemic has forced many organizations to adapt to a new reality where much of their staff have to work from home. This poses significant challenges because the existing VPNs companies had in place were not designed to handle a sudden explosion of remote workers. Because infrastructure is hard and expensive to scale, experts believe that this is a good opportunity to pilot zero trust networking, as it is more cost efficient and future proof.
“We’ve been actively working for the past few years to bring a version of BeyondCorp technology, which we pioneered many years ago, to the enterprise,” Sunil Potti, vice president and general manager for Google Cloud, tells CSO. With the advent of COVID-19, some of the core elements and technologies behind that approach have been accelerated into a product that allows companies to use basically the same infrastructure that enables 100,000 plus Google employees to work from home, he says.
How does BeyondCorp Remote Access work?
For now the platform can only enforce access controls for web-based applications, which means that companies connect their previously internal web-based apps to Google Cloud. The control plane and data plane related to access control is then done in the cloud. Google plans to expand the technology in the future to cover non-HTTP-based services and applications.
The platform uses signals and metadata collected through the browser or through an optional endpoint agent with a small footprint to establish user identity and determine the security state of the device. Customers can opt to use only the context-aware signals collected through the browser, but for a higher degree of accuracy and security, they can ask employees to install the agent. This is particularly useful when dealing with staffers working from non-enterprise-managed personal devices.
It’s not just the browser headers information, Potti says. “We know where you’re coming from. We know that you’ve used your session in the past. There’s a ton of behind-the-scenes machine learning technology that’s being applied to provide that context-aware access control. I would say that 60% to 70% of the core value is outside of the endpoint.”
“That’s the unique aspect of this particular solution: There’s so much metadata and signals and learning that we could be doing behind the scenes to provide a very high degree of contextual access control. Then that 60% to 70% goes up to 80%, 90% and 100% depending on how much you allow us to control your input.”
The Google zero-trust differentiators
While zero-trust access solutions exist from other companies, Potti believes some differentiators make Google’s solution stand out from the rest. For one, the product uses Google’s network, so it benefits from its global scale, low latency and reliability. The company is even deploying its own intercontinental underwater fiber optics cables.
It’s not just about the connectivity. The compute clusters and servers that process the information use all the security technologies and defenses that Google has developed for itself, from custom-made cryptographic chips like Titan on the back end to highly optimized TLS implementations and a global visibility into threats and attacks that Google has to deal with every day to protect its other services.
Many companies have thousands or tens of thousands of employees suddenly working from home and are tackling it by increasing VPN, but this is a way for them to get both a tactical solution that can scale two or three orders of magnitude more than what they’re used to and, at the same time, give them a better security posture, Potti says. “The biggest thing that Google has always done is that we use various signals from endpoints, from the network, from the user location, and a whole bunch of other things to essentially protect our own employees from threats, whether insider or external.”
“This is not only something you can do in the near term, but it’s the right architecture for the long term,” Potti says. “If you add more VPN, at some point in time, you will have to rip it apart as you move to a world of web applications or SaaS applications and so forth.”
Copyright © 2020 IDG Communications, Inc.