Google BeyondCorp: Top 5 Limitations
In 2014, Google revealed that it had begun a dramatic change in the way it secured and controlled access to its enterprise resources. The BeyondCorp initiative was the first time a large enterprise had implemented modern Zero Trust concepts at scale. In the years since, Google inspired a new consensus within the security community that Zero Trust is the new model for enterprise network security that organizations should strive for as a way to mitigate the risks and shortcomings of the traditional fixed perimeter security model.
In this article, we will review why Google launched the BeyondCorp initiative, how its access control system works, and what limitations organizations considering BeyondCorp should take into account. Fortunately, although BeyondCorp was the first Zero Trust implementation and was built for Google’s scale, organizations have options that are easier to deploy and maintain.
“BeyondCorp” is the umbrella term Google applied to its Zero Trust network architecture. By redefining the perimeter from the network to individual users, the company eliminated its traditional VPN-based approach to remote access. Over the course of a decade, BeyondCorp evolved into a complete, secure access control system. Remote or on-premises, the BeyondCorp system authenticates and authorizes users’ access to Google resources.
A 2009 cyber attack dubbed “Operation Aurora” was the initial spark that drove Google to change its security model. A threat actor with ties to China’s People’s Liberation Army launched a campaign targeting many western companies. In Google’s case, the hackers’ targets were the Gmail accounts of human rights activists in China, Europe, and the United States. The attack contributed to Google’s decision to withdraw from the China market and set in motion a top-down review of the company’s security and access control strategies.
Google assessed that the traditional secure perimeter had become inherently unsecurable. The secure perimeter approach assumes companies have trusted employees working on trusted networks behind layered defenses that keep threats at bay. None of this is true anymore thanks to several trends:
- Mobile workforces.
- More varied device usage.
- Migration to cloud-based resources.
- More sophisticated threats.
As a result, the perimeter extends too far beyond the privileged network for organizations to adequately protect. Moreover, companies can no longer assume that the networks inside the perimeter are safe. Google launched the BeyondCorp project to replace the old paradigm with a new philosophy for network security.
BeyondCorp is an implementation of Zero Trust principles that leverages Google’s cloud-based network architecture. The company eliminated its private, privileged network and the distinction between remote and on-site access. In its place, BeyondCorp operates on a new set of principles:
- Source networks do not influence user access.
- Access is based on the context of users and devices.
- All access must be authenticated, authorized, and encrypted.
All Google users now access the company’s resources over the internet. To make this possible, the BeyondCorp system relies on six elements:
Google only allows users to access company resources through company-managed Chromebooks or devices running the Chrome browser. This lets the company maintain a device inventory database and ensure that all devices are kept updated.
A user and group database, combined with Google’s internally-developed Single Sign-On system, lets the company issue short-duration tokens that define each user’s current role.
BeyondCorp replaced Google’s privileged, on-premises networks with a more limited network that only connects to the internet. All wired and wireless devices must pass 802.1x authentication to join the unprivileged network.
Whether connected to the unprivileged network or the internet, users do not access resources through a Google network. With the BeyondCorp model, Google uses internet-facing proxies that point to its enterprise applications. These proxies have public DNS entries, making them accessible from anywhere by any Google user.
Once users are authenticated, they do not automatically get access. The BeyondCorp access control engine uses several variables to infer a level of trust that it assigns to each user and device. Policies based on workgroup, role, and trust level determine whether — and to what degree — the user can access a resource.
By replacing VPN and other secure perimeter technologies with an approach based on Zero Trust, BeyondCorp delivered several benefits to Google:
- Leverages Google’s cloud infrastructure for scalable, global availability.
- Unified access control for all users and resources whether on-premises or in the cloud.
- Google administrators get more visibility over user and device activity.
- BeyondCorp’s “it just works” solution is easier for users than VPN.
- An improved security posture reduces Google’s vulnerability to constant cyberattacks.
However, this was not an overnight success. Google launched the BeyondCorp initiative in 2011 and spent most of the decade implementing it across its global operations.
A 2014 Google research paper published in USENIX’s online magazine introduced BeyondCorp to the computing community. The concept of Zero Trust had been floating around for years. Forrester analyst John Kindervag had popularized Zero Trust Architectures, but BeyondCorp was the first time a major company had committed to making Zero Trust happen at scale.
As Google shared BeyondCorp’s progress with the community, the idea that Zero Trust could solve the growing weaknesses of secure perimeter approaches solidified. Vendors that had focused on VPN and similar technologies began offering Zero Trust solutions. CISOs began considering Zero Trust as a path forward for their security strategies. Most recently, the Biden Administration has directed all U.S. federal agencies to adopt Zero Trust.
As Zero Trust establishes itself in enterprise security, BeyondCorp’s role remains an open question. Google now offers a product, BeyondCorp Enterprise, that lets “virtually any organization” adopt its flavor of Zero Trust. But many companies will find philosophical and practical disadvantages to adopting Zero Trust with BeyondCorp:
- Relevance of a cloud-first model.
- Concerns about internet visibility.
- Compatibility with legacy systems.
- Google Chrome dependence.
- Google Cloud dependence.
Google’s infrastructure and corporate culture were already cloud-centric. By moving every application to the cloud and delivering access over the internet, BeyondCorp simply accelerated Google along an existing trajectory.
Other companies rely on a more heterogeneous mix of systems. A similar cloud-centric commitment may never be possible. Financial firms, for example, are not likely to replace their big iron mainframes and on-premises legacy systems with cloud apps anytime soon.
Google’s complete, end-to-end control over its BeyondCorp implementation makes it easier to put applications behind internet-facing proxies. But anything with a DNS entry is visible to cybercriminals. That will be a step too far for many security professionals, especially those without the security resources of Google.
Since Google’s Single Sign-On service and enterprise apps are largely developed in-house, its developers could adapt these systems to Zero Trust operating models. Many companies do not have the same resources or development talent at their disposal. In addition, most companies rely on third-party and legacy systems that may not easily integrate with BeyondCorp.
Google makes operating systems, mobile devices, and browsers which made it easy to create a client-side experience based on the Chrome platform. Furthermore, BeyondCorp required Google’s employees to use managed Chromebooks.
Most companies, however, have much more diverse ecosystems with fleets of Windows, macOS, and Linux devices. BYOD policies complicate matters even further. Although BeyondCorp Enterprise will work on other devices through the Chrome browser, many companies standardize on other browsers.
That BeyondCorp Enterprise only works on Google Cloud could be a challenge for many companies. Although Google promises integrations and support that let BeyondCorp work with on-premises and non-Google cloud services, Google Cloud’s single-digit share in the cloud infrastructure market puts it at a disadvantage.
In Google’s defense, it was creating a blank-sheet design at a time when Zero Trust was largely theoretical. To solve its security problems at its global scale, Google naturally based BeyondCorp on its own infrastructure. Today, organizations of all sizes have more options.
Modern Zero Trust solutions such as Twingate are proven technologies. Twingate’s approach to Zero Trust uses software-defined perimeters to hide resources from view on private networks as well as the internet. As a software-based solution, companies can implement Twingate without replacing their existing network infrastructure. In fact, clients have deployed Twingate globally in as little as fifteen minutes.
Twingate is also easy to use and maintain. Users can install Twingate and get up and running without any IT support through a consumer-like experience. An intuitive administrative console makes it simple to quickly onboard and offboard users, and an API lets these and other common management tasks be automated.
Google’s BeyondCorp initiative broke new ground by proving a global enterprise could implement Zero Trust. A deep bench of researchers and developers, combined with its own cloud and device infrastructure, let Google create from scratch a replacement for traditional secure perimeter technologies.
Thanks to modern Zero Trust solutions like Twingate, overhauling an entire network architecture is not necessary. Organizations can deploy Twingate quickly to start benefiting from Zero Trust’s easier, more secure access control. Contact Twingate today to learn more.