Author Archives: Max Saltonstall

How BeyondCorp can help businesses be more productive

Over the past few years, Google has been moving away from VPN-based security for our employees, and towards a trust model that's based on people and devices, rather than networks. We call it BeyondCorp—moving beyond a corporate network for internal services and applications. It’s the basis for Cloud Identity-Aware Proxy, which can be used to authenticate users for applications running on Google Cloud Platform.


We recently published our fifth research paper on BeyondCorp, this time focused on the employee experience—how they first end up using this system, and what it looks like when things go wrong. We discuss how onboarding has gotten easier with no VPN, how loaners are quick to activate, and how we give employees the ability to handle and resolve their own issues when the Chrome extension is getting in their way.


When new employees join Google, access is based on machines and identity, not the network. We tell them about our access policy: you can get to the tools you need no matter where you are, so long as you’re on your corporate-issued laptop (a slight oversimplification, I’ll admit). As we prepare their computers for delivery on their first day at work, we make sure our inventory provisioning procedures add the devices to our asset management system and assign an owner. Then, when each employee signs into their own machine, we kick off automated requests for machine certificates. These are used to guide the machine to the right VLAN. This onboarding process streamlines our new device setup and eliminates the need to install VPN software on each employee's laptop.


After their first day, the most interaction employees will have with BeyondCorp is through a Chrome extension, which shows the current status of their connection. This gives our IT teams and end users a way to find errors, troubleshoot and fix them quickly. Anyone can turn the proxy off manually using the extension—a common need when using captive portals or local network hardware.


The latest paper also discusses how we expose details about denial of access. While we want to make sure our employees, and the service desk assisting them, can quickly resolve access errors, we also need to make sure we don’t expose too much data to attackers in the way we say “nope, not allowed” to some requests. Building this explanation engine helped us troubleshoot BeyondCorp as we deployed more broadly, and it gave our troubleshooting teams insight into what’s going wrong when someone reports an unexpected access denied message.
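As an added illustration of the access model and the denial explanation engine described above (this is not Google's code or anything from the paper), the toy evaluator below decides access from user identity plus device inventory state, logs the precise reason for the service desk under a reference, and returns only a coarse category to the requester. The inventory, policy and group data are constructed sample values.

```python
"""Toy BeyondCorp-style access check with a two-tier denial explanation.
Added example, not Google's code. Assumes a device inventory keyed by
machine-certificate fingerprint, a per-service group allow-list, and an audit
log the service desk can read while the requester sees only a category."""
import itertools
from dataclasses import dataclass

INVENTORY = {  # constructed: cert fingerprint -> enrolled corporate device
    "fp-laptop-001": {"owner": "alice", "managed": True},
    "fp-laptop-002": {"owner": "bob", "managed": False},  # compliance lapsed
}
POLICY = {"wiki": {"eng", "sales"}, "payroll": {"finance"}}  # service -> groups
USER_GROUPS = {"alice": {"eng"}, "bob": {"eng"}, "carol": {"finance"}}
AUDIT_LOG = []  # precise reasons, readable by the service desk only
_refs = itertools.count(1)

@dataclass
class Decision:
    allowed: bool
    category: str  # "ok", "device" or "access": all the requester learns
    ref: str = ""  # reference the requester quotes to the service desk

def _deny(user, service, category, detail):
    ref = f"ACC-{next(_refs):04d}"
    AUDIT_LOG.append({"ref": ref, "user": user, "service": service, "detail": detail})
    return Decision(False, category, ref)

def evaluate(user, cert_fp, service):
    # Device checks come first: a request from a non-corporate device gets the
    # same answer whatever service it names, so it cannot probe the catalogue.
    dev = INVENTORY.get(cert_fp)
    if dev is None:
        return _deny(user, service, "device", "certificate not in inventory")
    if dev["owner"] != user:
        return _deny(user, service, "device", f"device is assigned to {dev['owner']}")
    if not dev["managed"]:
        return _deny(user, service, "device", "device is out of compliance")
    # Unknown services and unentitled users share one category, so the reply
    # reveals neither whether the service exists nor which group it requires.
    allowed = POLICY.get(service, set())
    if not USER_GROUPS.get(user, set()) & allowed:
        return _deny(user, service, "access", f"needs one of {sorted(allowed)}")
    return Decision(True, "ok")

def user_message(d):
    if d.allowed:
        return "access granted"
    hint = {"device": "sign in from your corporate-issued, compliant laptop",
            "access": "request access from the service owner"}[d.category]
    return f"access denied ({d.ref}): {hint}; quote this reference to the service desk"
```

The service desk resolves a reference by looking it up in AUDIT_LOG, so the requester gets an actionable hint without the reply disclosing the policy.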


BeyondCorp has helped us streamline the onboarding process, and given employees the tools they need to fix problems when things go wrong. We hope it will inspire you as well. You can read the research paper on Research at Google.

Source: Google Cloud


How to use BeyondCorp to ditch your VPN, improve security and go to the cloud

The BeyondCorp security engineering team at Google just announced their fourth research paper: Migrating to BeyondCorp: Maintaining Productivity While Improving Security.

For those who aren’t familiar with it, BeyondCorp is a security approach used by Google that allows employees to work from anywhere, quickly and easily.

This is easier said than done. In 2010, we undertook a massive project to rethink how to provide employees with secure remote access to applications: We moved away from our corporate VPN, and introduced BeyondCorp, a zero-trust network security model.

With BeyondCorp, we no longer have a binary access model, where you are either inside the whole corporate network, with all the access that allows, or outside and completely locked out of applications. Our new approach provides a better, more convenient, and less risky way: access to individual services as you need them, based on who you are and what machine you're using.

While BeyondCorp makes applications easily accessible from anywhere, it also improves security in other ways. Over the course of the migration we’ve discovered services that we thought were long dead, because this change required taking a detailed look at our traffic, our dependencies and our employee usage patterns. It’s also allowed us to scale globally while reducing our attack surface, and increased our ability to provide access when appropriate.

This March, we began offering elements of BeyondCorp to other organizations, in the form of Cloud Identity-Aware Proxy (IAP). Already, Cloud IAP has helped Google Cloud customers put fine-grained access controls on their critical internal services and applications based on region, time, role or group. More importantly, Cloud IAP removes obstacles to getting work done. Authorized employees get in from wherever they are and do their job; everyone else is blocked by Cloud IAP, because they aren’t supposed to have access.

BeyondCorp: a work in progress

At Google, we’ve been on our BeyondCorp journey for several years, gradually shifting more of our traffic and services away from a segmented, privileged corporate network and onto the public internet and cloud.

You may be wondering how to move to a similar model. What do you need to do? What's the potential impact on your company and your employees? The latest installment of our research paper describes how we kept people productive at Google while shifting our security model. It covers:

  • The process of migrating individuals to our non-privileged network

  • How we supported the effort through our TechStop infrastructure (local and remote service desks)

  • How to handle edge cases

  • Diagnostic tools to troubleshoot access denials

  • The importance of self-service documentation

  • Why to run a publicity campaign about the project.

In the end, we moved to this new system successfully by breaking up the work into discrete chunks, parallelizing as much as possible, and focusing on the end-user experience. To learn more about the BeyondCorp approach and determine whether it’s the right fit for your business, read all four public research papers:

  1. BeyondCorp: A New Approach to Enterprise Security

  2. BeyondCorp: Design to Deployment at Google

  3. BeyondCorp: The Access Proxy

  4. Migrating to BeyondCorp: Maintaining Productivity While Improving Security

And to discuss whether BeyondCorp and Cloud Identity-Aware Proxy are right for your business, give us a shout—we’d love to hear from you.

Source: Google Cloud