Google has announced an Enterprise version of its BeyondCorp implementation of zero-trust access (ZTA) technology for secure remote access. The novelty is that it has obviated the need for software agents on end-user devices by using the Chrome browser as its source of endpoint data.
Google was a pioneer of zero-trust access
Google was actually a pioneer in ZTA development, the BeyondCorp project having begun after the Operation Aurora attacks on multiple US companies, including the search engine giant, in 2009. Google’s plan after Aurora was to get rid of its traditional virtual private networks (VPNs) for remote access, as well as privileged accounts, espousing three core principles to do so:
- A network connection must not determine which services a user can access.
- Access to services is granted based on what is known about a user and the device.
- All access to services must be authenticated, authorized, and encrypted.
Counting Alphabet as a group that includes Google among its companies, the employee headcount is in excess of 100,000 (bear in mind that until 2015 all these figures were reported as Googlers). The vendor thus has a decade’s worth of experience operating this ZTA platform at scale for all its employees. Moreover, because the Google Cloud Platform (GCP) has emerged as an IaaS and PaaS provider challenging market leader AWS and number-two player Azure, Google had already begun offering the platform to enterprise customers housing their applications in the GCP environment and/or using Google’s SaaS services (the G Suite).
Now, with BeyondCorp Enterprise, Google is expanding its offering to any company accessing applications in any location (on the company’s premises or in any cloud) and thus becomes a fully fledged competitor in the ZTA market.
ZTA entered the spotlight because of COVID-19
For several years, ZTA technology has been growing as a more secure, more efficient alternative to VPNs, not to mention other benefits such as faster onboarding of employees in M&A situations. ZTA has really gained a head of steam, however, as a result of the coronavirus pandemic, which has driven millions of knowledge workers around the globe to remote working and, in the process, raised security concerns around VPNs.
The problem with VPNs from a security perspective is that they are overly permissive. That is, the access they grant to a user, once authenticated and authorized, is potentially to a company’s entire infrastructure. A threat actor gaining access to a corporate network can plant code there to perform reconnaissance, discover privileged users’ credentials, and purloin them, thereby gaining access to the organization’s most valuable and/or sensitive data, which can then be exfiltrated to a command-and-control server out on the internet.
By contrast, ZTA enables access only to the specific application a user requires to perform a given task, with any subsequent app requiring re-authentication for a separate session. It also monitors and logs all user activity, both to detect anomalous behavior in real time and for any forensics post facto. ZTA has two distinct architectural approaches, namely the software-defined perimeter (SDP) route, as defined by the Cloud Security Alliance, and the identity-aware proxy (IAP) approach, favored particularly by companies that already operate their own global backbone network.
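As an added illustration (not code from Google or from the original article), the following compares the VPN-style gate described above with an access decision built on the three BeyondCorp principles, including the per-application session the text mentions; the policy table, device attributes, group names and addresses are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in enterprise device management
    disk_encrypted: bool
    os_patched: bool

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]      # identity attributes asserted by the IdP
    device: Device              # device posture reported alongside the request
    app: str                    # application being requested
    source_ip: str
    tls: bool                   # connection encrypted end to end
    session_app: Optional[str]  # app this session was issued for (None = no session)

# Constructed per-app policy: which identity groups may reach which app and
# whether a managed, healthy device is required.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "require_managed": True},
    "wiki":    {"groups": {"staff"},   "require_managed": False},
}
CORP_NET = ip_network("10.0.0.0/8")  # constructed corporate range

def vpn_decide(req: Request) -> bool:
    """VPN model: the network is the gate, and once inside every app is reachable."""
    return ip_address(req.source_ip) in CORP_NET

def zta_decide(req: Request) -> Tuple[bool, str]:
    """Identity-aware-proxy style decision; the source network is never consulted."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not req.tls:                                   # principle 3: encrypted
        return False, "connection not encrypted"
    if req.session_app != req.app:                    # per-app session: re-authenticate
        return False, "no session for this application; re-authentication required"
    if not (req.groups & policy["groups"]):           # principle 2: what is known about the user
        return False, "user not authorized for application"
    dev = req.device
    if policy["require_managed"] and not (dev.managed and dev.disk_encrypted and dev.os_patched):
        return False, "device posture insufficient"   # principle 2: what is known about the device
    return True, "allow"                              # principle 1: location played no part
```

Note that the same request from inside the corporate range passes the VPN gate yet is refused by the ZTA check when the device posture is weak, while a healthy device outside the perimeter is admitted to exactly one application.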
Chrome replacing the agent is a novel approach
BeyondCorp Enterprise is an IAP implementation, and like most platforms in this category, it is delivered as a service over Google’s own network, comprising some 144 network edge locations and available in over 200 countries and territories.
Both SDP and IAP architectures tend to rely on software clients – a.k.a. agents – on the end-user devices requesting access through their systems. These clients enable the ZTA provider both to protect the user from malware and phishing attacks and to gather data on the device itself, feeding that data into the decision on whether or not to grant access.
Some vendors offer an agentless/clientless version of their platforms as well as an agent-based one, but these usually come with only a subset of the platform’s functionality, enabling access, for instance, to a predefined set of SaaS applications, with links to those apps published in a portal controlled by the customer’s IT department. In this scenario, apps to which a given user does not have access rights are simply greyed out for them. Google, on the other hand, has gone completely clientless, with its Chrome browser instead assuming the functions of the agent.
Here Chrome provides security via its Safe Browsing feature, which offers insulation from malware and phishing attacks, as well as a built-in data loss prevention (DLP) capability. In addition, Google has created the BeyondCorp Alliance of security and other tech vendors, who integrate with its ZTA platform via a Google API, enabling additional functionality. Members include endpoint security and management vendors like CrowdStrike, Tanium, and McAfee, as well as virtual desktop infrastructure providers like Citrix and VMware.
Chrome’s commanding presence bodes well for this service
Will this reliance on Chrome limit take-up of BeyondCorp Enterprise? Probably no more than making your ZTA service reliant on the use of a software client, given the general reluctance of CIOs and CISOs to introduce yet another agent into their infrastructure. And now, of course, anyone offering a ZTA service with agents must compete against the agentless offering from Google.
If your organization is looking for ZTA to enable remote access, BeyondCorp Enterprise is a compelling option. After all, Chrome already accounts for around two-thirds of browser use globally: it is already on over four billion devices and has in excess of two billion regular users.
Pricing is also admirably straightforward at $6 per user per month, with volume discounts for larger deployments.
Rik Turner, Principal Analyst, Cybersecurity