What is BeyondCorp?
Beyondcorp is an approach to cloud security developed by Google. It is a zero trust security framework that not only tackles many of today’s cyber security challenges, it also helps to improve accessibility for employees. As remote, multi-device working shifts the way we work, it’s a framework that might just be future proof.
The principle behind it is a pragmatic one: dispensing with the traditional notion of a workplace network and using a public network instead. By moving away from the concept of a software perimeter, BeyondCorp makes it much more difficult for malicious attackers to penetrate your network. You’re no longer inside or outside the network; there are different permissions for different services. While these are accessible to those that have the relevant permissions, the lack of perimeter makes life very difficult for cyber criminals.
How does BeyondCorp work?
BeyondCorp works by focusing on users and devices rather than networks and locations. It works through a device inventory service. This essentially logs information about the user accessing the service, who they are, and what device they’re using.
Google explained the concept in detail back in 2016:
“Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user.”
Of course, BeyondCorp encompasses a whole range of security practices. Implementation requires a good deal of alignment and effective internal communication. That’s one of the challenges the Google team had when implementing the framework – getting the communication and buy-in from the whole organization without radically disrupting how people work.
Is BeyondCorp being widely adopted by enterprises?
Google has been developing BeyondCorp for some time. In fact, the concept was a response to the Operation Aurora cyber attack back in 2009. This isn’t a new approach to system security, but it is only recently becoming more accessible to other organizations. We’re starting to see a number of software companies offering what you might call BeyondCorp-as-a-Service. Duo is one such service: “Reliable, secure application access begins with trust, or a lack thereof” goes the (somewhat clunky) copy on their homepage. Elsewhere, ScaleFT also offer BeyondCorp services.
Services like those offered by Duo and ScaleFT highlight that there is clearly an obvious demand for this type of security framework. But it is a nascent trend. Despite having been within Google for almost a decade, Thoughtworks’ Radar first picked up on BeyondCorp in May 2018. Even then, ThoughtWorks placed it in the ‘assess’ stage. That means that it is still too early to adopt. It should simply be explored as a potential security option in the near future.