Google's Plan To Kill the Corporate Network
mask.of.sanity writes "Google has revealed details on its Beyond Corp project to scrap the notion of a corporate network and move to a zero-trust model. The company perhaps unsurprisingly considers the traditional notion of perimeter defense and its respective gadgetry as a dead duck, and has moved to authenticate and authorize its 42,000 staff so they can access Google HQ from anywhere (video). Google also revealed it was perhaps the biggest Apple shop in the world, with 43,000 devices deployed and staff only allowed to use Windows with a supporting business case."
Wow, Google has invented the VPN! What great innovators.
The world's burning. Moped Jesus spotted on I50. Details at 11.
why use so many Apple computers when there's your own awesome Chromebook?
with companies less profitable than google?
Macs are expensive
most people don't own Macs personally
lots of people use personal computers to VPN to work
how would it work with the files on file servers people use to get work done? like MS Access databases?
What happened to their internal deployment of Goobuntu?
http://en.wikipedia.org/wiki/Goobuntu
What a coincidence. Zero Trust is EXACTLY what I have in Google.
My dog eats its own poop.
Why do they do this?!?
The RJ45 jacks in the office are just plain old dirty connections to the Inet. We each have multiple OpenVPN connections on our localhost giving us access to different parts of the network depending on our roles. It's convenient because our workstations work identically wherever we are (home, work, coffee shop) and it's convenient when someone leaves because operations just invalidates the VPN certs and the former employee is cut off no matter where they physically are. A side effect is whenever your VPN credentials don't work you're left wondering if you're about to get fired and ops just jumped the gun haha.
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
I may be wrong with this, but if your computer sends data to their meta inventory system, all the hacker needs is that data to replicate with some packet capture software and use that info to log in... won't it?
Ever hear of a place called Apple? Apple has about 80,000 employees, and I'm sure they average more than one.
Google lives in a fantasy world, where the WAN is as fast as the LAN. For me, both at home and in the workplace, you're talking about two and a half orders of magnitude difference. That's the whole reason all this cloud stuff, streaming (as opposed to download) video, etc all seems so bizarrely alien. You're talking about such a tremendous performance downgrade, that I just can't begin to really take it seriously.
I suppose the thinking is that they are planning for the future, when some day the WAN gets reasonably fast, where my home and business DSL line is replaced with fiber. Cool. Be ready, Google. But how are you going to spend those decades of waiting? Some cons are a little too long, IMHO.
What about Apple's higher price and lack of hardware choice??
Also there laptops are very limited,
Most are stuck with onboard video; memory is built into the computer, maxing at 16GB right now, at a $200 upgrade from 8GB. Want an NVIDIA GeForce GT 750M? Only in the $2600 system.
Flash storage only, with 1TB max at a $500-$800 upgrade. Some systems are locked at 128GB PCIe-based flash storage or 256GB. And using the cloud over WiFi can vary a lot; 3G/4G/LTE is fast in some areas but with high overage costs.
Built-in battery.
On the desktop the new Mac Pro has a very high price for a 1-CPU system, and there is workstation work that does not need a lot of GPU power, or may need a lot of storage.
Macs don't even have real server hardware, and the laptops are unrepairable:
http://www.cultofmac.com/251359/ifixit-finds-2013-retina-macbook-pros-as-unrepairable-you-can-get/
I'm genuinely interested in this. You say repeatedly that it is convenient, but running a bunch of openVPN tunnels from my desktop/laptop doesn't sound convenient at all. The number of issues I have getting my openVPN connections through firewalls and NAT is very discouraging.
Please tell us more about your setup.
What type of work does the company and you do?
Approximately how many users work like this?
Does this company operate primarily as a standard physical office environment, or is this a distributed(work from home) startup?
Where are the servers, on-site, datacenter, cloud?
Approximately how many servers?
What type of applications are used, web, small applications like QB, MS Exchange or SQL systems?
What are the negative aspects of this system?
Why would Google buy Macs if they don't use OS X? They could use Linux on ANY cheaper computer they choose but bought Macs anyway.
I believe Google thinks like a lot of us: OS X for desktops, Linux for servers, a mix of iOS and Android for mobiles.
From a security perspective, Google is right about the notion that your internal corporate network being "safe" is dead. Between all the laptops, tablets, smartphones and very portable USB devices, there really isn't a secure perimeter on your network. Security needs to be applied at each entry point to the network, whether that is wired (internal or external doesn't matter), wireless or virtual.
The summary implied that the need for security devices goes away once you give up the idea of a perimeter, but that isn't the case at all. The form that security comes in may change, but you still need it. Authenticated users connecting via secure tunnels don't eliminate the risk of malware, so you still need IPS and anti-malware devices (Fidelis, FireEye, etc.) to protect company assets from valid, authenticated users.
If you can't trust any of the devices on your network, then you need to inspect 100% of the traffic entering the network.
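The per-request check the comment above argues for, as an added example (not code from Google, the BeyondCorp talk, or the commenter): every request is authorized from the user's identity plus the device's inventory state, and the source address is recorded for audit but never consulted for the decision, so an unmanaged box on the office LAN is treated exactly like one at a coffee shop. The resource tiers, inventory fields, group names and sample devices are assumptions made up for this illustration.

```python
"""Zero-trust style access decision: identity + device state, never network location.

Added example, not code from Google or the BeyondCorp project. Resource
tiers, device inventory fields and group names are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

NOW = datetime(2014, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example


@dataclass
class Device:
    serial: str
    managed: bool            # enrolled in the corporate inventory
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS security update
    last_checkin: datetime   # last time the inventory agent reported in


@dataclass
class Request:
    user: str
    groups: frozenset
    device: Optional[Device]  # None: client presented no device certificate at all
    resource: str
    source_ip: str            # logged for audit only; intentionally unused below


# resource -> (required group, minimum device tier). Assumed policy table.
RESOURCES = {
    "wiki":    ("employees", "basic"),
    "payroll": ("finance",   "full"),
    "prod-db": ("sre",       "full"),
}
TIER_ORDER = ["untrusted", "basic", "full"]


def device_tier(device: Optional[Device]) -> str:
    """Derive a trust tier from inventory facts. Missing or stale data is 'untrusted'."""
    if device is None or not device.managed:
        return "untrusted"
    if NOW - device.last_checkin > timedelta(days=7):
        return "untrusted"   # inventory hasn't heard from it in a week: unknown state
    if device.disk_encrypted and device.os_patch_age_days <= 30:
        return "full"
    return "basic"


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). There is no 'inside the LAN' shortcut: req.source_ip
    does not influence the outcome, only who the user is and what the device is."""
    if req.resource not in RESOURCES:
        return False, "unknown resource"
    need_group, need_tier = RESOURCES[req.resource]
    if need_group not in req.groups:
        return False, f"user {req.user} not in {need_group}"
    tier = device_tier(req.device)
    if TIER_ORDER.index(tier) < TIER_ORDER.index(need_tier):
        return False, f"device tier {tier} below required {need_tier}"
    return True, f"{req.user} on {tier} device"


# Constructed sample inventory records (not real serials).
FRESH = NOW - timedelta(hours=1)
LAPTOP_OK = Device("C02ABC", True, True, 5, FRESH)            # managed, encrypted, patched
LAPTOP_UNPATCHED = Device("C02DEF", True, True, 90, FRESH)    # managed but 90 days behind
LAPTOP_STALE = Device("C02GHI", True, True, 1, NOW - timedelta(days=30))  # no check-in for a month
HOME_PC = Device("HOME1", False, False, 400, FRESH)           # not in inventory at all

FINANCE = frozenset({"employees", "finance"})

if __name__ == "__main__":
    # Same user, same resource: the office IP does not rescue an unmanaged machine,
    # and the coffee-shop IP does not penalize a healthy managed one.
    print(decide(Request("alice", FINANCE, HOME_PC, "payroll", "10.0.1.5")))
    print(decide(Request("alice", FINANCE, LAPTOP_OK, "payroll", "203.0.113.9")))
    print(decide(Request("alice", FINANCE, LAPTOP_UNPATCHED, "payroll", "10.0.1.5")))
```

The stale check-in rule is the edge case worth noticing: a device that was healthy the last time anyone looked is not assumed to still be healthy, which is what lets the inventory stand in for the perimeter.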
If I'm not mistaken, OSX was based on BSD, not Linux...
bork bork bork!
Too bad Mac OS is not on more hardware, or even on stuff that is not cut down / made very hard to fix due to being thin.
expensive" computer is a small rounding error, but some Mac systems can end up costing 2x or more than the cost of a PC.
The new Mac Pro will have its high cost added to by all the cost overhead of expansion boxes and cables, with lots of power bricks.
They picked a company that stands behind its platform over a platform that has no clear owner. It has nothing to do w/ how 'real' the UNIX is, or the license (okay, that may be a factor) or whether the company itself makes an arguable alternative.
I agree with you that GPU options are very limited with Macs, but why the hell would onboard video and 16GB of RAM not be good enough for regular desktop work?
> Why would Google buy Macs if they don't use OS X? They could use Linux on ANY cheaper computer they choose but bought Macs anyway.
> I believe Google thinks like a lot of us: OS X for desktops, Linux for servers, a mix of iOS and Android for mobiles.
Because Apple makes good, attractive, hardware? Besides, hardware cost is inconsequential compared to the cost of a developer, whether his laptop costs $1500 or $3000 doesn't matter. Our entire development team uses Macbooks - and of 12 users, only two of them run OSX. One of them is even geeky enough to paste a Tux logo over the light-up Apple logo.
Since they deploy on Linux servers, it makes sense to develop on Linux. Write-once run-anywhere still isn't a reality - obscure platform specific bugs can still come back to bite you.
Oh boo hoo. 8GB RAM / 256GB SSD is plenty if you use your machine to run terminals, browsers, and text editors.
All the "real" processing probably happens on servers.
Google development is done on Linux but Mac laptops at Google run MacOS. Laptops (or chromebooks, there's a mix of both) aren't used for development (except via ssh, etc); they are used for email, web, etc.
You're kidding, right? Google - home of the cloud - is going to worry about local storage limits on drone machines. And...again...drone machines - onboard video is probably 4x as fast as they need it to be for nearly all conditions. They've rolled out fiber in an entire town; I'm going to guess that they've got a pretty speedy wireless system on campus.
Apple hardware is very limited if (a) you're looking for a bargain and aren't on a corporate buying plan, or if you're a hardcore gamer, or if you are running massive analysis software, or you are locked into industry software packages which are platform locked. None of that is an issue for desk machines at Google.
I'm not, in any way an Apple fan, but pretty much none of the problems you state are of any consequence to their usage profile.
Is it just my observation, or are there way too many stupid people in the world?
Well, based on Mach 2.5, which contained BSD 4.4 and Mach kernel code.
It's more about the locked RAM choice than the size of it. 16 is good now, but 4 years down the road?
4 years is easily longer than average corporate update cycle. Feel free to say that's crazy but that's how it is -- and in any case the people who use computers for more than 4 years probably aren't the most demanding users.
They buy Apples to save money?
Cue the frothing idiot tax minions....
> Our entire development team uses Macbooks - and of 12 users, only two of them run OSX. One of them is even geeky enough to paste a Tux logo over the light-up Apple logo.
The last time I visited Google HQ (about 5 years ago) the most common setup I saw was Thinkpads running Linux with Macbooks running Linux in a close second.
I have been using Linux as my dev station since I started working full time and I have to say that the customizability is a big plus to productivity. Also, if you use the default Ubuntu Unity UI you are barely one step above Windows.
Being a developer is a craft, take your time to tune your tools.
The second you connect the thing to the Internet it's just a subnet that happens to be corporate-controlled. You will still need firewalls et al. to keep appliances from getting pwned by undocumented network vulnerabilities but this is more a logical retreat from "we must defend the users!" to "to hell with the users, the servers are the only thing that matters."
Ironically the NSA has probably done more to push IPv6 and IPSec than any other organization on the planet.
Thanks for your response.
Elucidating.
> It's more about the locked RAM choice than the size of it. 16 is good now, but 4 years down the road?
4 years down the road the machine goes into the bin. What part of "corporate upgrade cycle" are you fuzzy on?
To keep those nasty data slurpers at Google (nee NSA) out of your business. What goes on inside your business is nothing to do with the Chocolate Factory.
You (corporate IT) might even go so far as to put Google/G+ and everyother Google site on your company blacklist.
To paraphrase Pink Floyd
"We don't need no google education"
Some places like to have it so IT'S EASY to take out the HDD for data security. HP, Dell and others even let you destroy the HDD when going through a warranty replacement.
Will apple do that?
Four years from now I'll be using a one year old machine. :-) Any developer that I'm paying good money to is worth a new computer every three years. Compared to salary and benefits the cost of hardware is minimal.
"Almost every wise saying has an opposite one, no less wise, to balance it." - George Santayana
> or you are locked into industry software packages which are platform locked.
The reason behind Microsoft's hegemony.
We play the game with the bravery of being out of range
Well, some places do push 4 years, but with Apple 2 years is out of date for some systems.
I'm really surprised they don't just have a third party build Linux boxes to spec. Why give money to Apple who wants to put Google out of business?
"...staff only allowed to use Windows with a supporting business case." That's why MS feels scroogled.
In their whole talk they assumed the users of the services know what they are doing and how to behave. I'm sure that in Google's case all their workers are well trained, but I sure as hell couldn't allow VPN connections to our CRM database. Who knows what workers install on their laptops once they leave the office.
The mac pro (not the ashtray version, don't know what that's like) is still a solid workstation. You can cram 64GB of ECC RAM in it quite happily. I don't know how long Apple will keep making things like that though, now it's evident there is a lot more money to be made in the consumer market.
> Also there laptops are very limited,
Where laptops? Your post doesn't make a damn bit of sense.
Your post is hilarious in the context of an article about Google only buying Apple machines. Was it intentional, are you posting in 1993 or do you not understand what hegemony means?
Because any cheap laptop is just that cheap. With the exception of the thinkpad (and even that can be a bit bulky) most laptops are still kinda shit. Macbook Pros are easily the best laptop you can have even if you never run OSX.
"Out of Date" isn't the same as "No longer does what it was bought to do".
I've never seen anyone upgrade the RAM in a Windows laptop in our workplace (~5000 employees) - and they're often woefully underspecced to start with, but they still get used for 3+ years - and then handed down to some poor newbie. So I fail to see why Google using Macs would be any problem, no matter how non upgradeable they may or may not be.
Remember that Corporations are not enthusiasts, they have a _completely_ different set of expectations for technology.
Keylog and steal their credentials and you've got a jumping off point to worm in to the rest of their network.
2-factor authentication helps, the key logger can only get one of the factors. The second, say a time based one time password (TOTP), is still secure.
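An added example (not from the article or from either commenter) of the second factor described above, which also speaks to the earlier worry about replaying captured login data: an RFC 6238 TOTP check done the way a server has to do it. A keylogger sees the password and one six-digit code, but the code is bound to a 30-second time step and, with the high-water mark kept here, is accepted at most once, so replaying the capture fails even inside the validity window. The shared secret is the RFC 6238 Appendix B test secret; the timestamps and the "captured" scenario are constructed for the illustration.

```python
"""RFC 6238 TOTP with server-side replay protection.

Added example, not code from the article or any commenter. Uses only the
standard library. SECRET is the RFC 6238 Appendix B SHA-1 test secret so
the reference vectors can be checked; everything else is constructed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: accept a code for its own time step (+/- `window` steps of clock skew),
    and remember the highest step already consumed so the same code is never accepted twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # per-user high-water mark; persist this in a real system

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an earlier one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret for HMAC-SHA1


def demo() -> dict:
    """The keylogger scenario at a fixed clock (t is one of the RFC 6238 reference times)."""
    server = TotpVerifier(SECRET)
    t = 1111111111
    captured = totp(SECRET, t)  # the code the keylogger watched the user type
    return {
        "captured": captured,
        "legit_login": server.verify(captured, t),            # user logs in: accepted
        "replay_same_step": server.verify(captured, t + 5),   # same 30s step: already consumed
        "replay_next_step": server.verify(captured, t + 40),  # still inside skew window, but consumed
        "replay_later": server.verify(captured, t + 600),     # outside the window entirely
        "fresh_code_works": server.verify(totp(SECRET, t + 40), t + 40),  # a new code is fine
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

Without `last_counter` the second call would succeed, because the captured code is still valid for its step and the skew window; the time bound alone only narrows the attacker's window to about a minute, the high-water mark is what closes it.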
> but with Apple 2 years is out of date for some systems.
You have actual facts to back this up, right? Because otherwise you're spewing bullshit. Let's take some examples from recent Apple OS versions. Mavericks runs on:
iMac (Mid-2007 or later)
MacBook (13-inch Aluminum, Late 2008), (13-inch, Early 2009 or later)
MacBook Pro (13-inch, Mid-2009 or later),
MacBook Pro (15-inch or 17-inch, Mid/Late 2007 or later)
MacBook Air (Late 2008 or later)
Mac mini (Early 2009 or later)
Mac Pro (Early 2008 or later)
Xserve (Early 2009)
iOS 7 runs on:
iPhone 4 and later
iPad 2 and later
iPad mini
iPod touch (5th generation)
So a 3.5 year old phone, a 2.5 year old tablet and so far the 2 year old iPod Touch and they are continuing to get all the point releases. Even the 4 year old iPhone 3GS got iOS updates to 6.1.3.
So, unless you have some evidence to the contrary you're full of shit.
So to wrap up, the only products that have only been supported for 2 years are those things that are only 2 years old. Basically everything else is from 3 to 6.5 years old.
I believe the earlier name for "cloud services" was timesharing. The 70's called and want their VM370/TSO back.
Apple devices != MacOS. Google itself runs on Linux. Android is based on Linux. So yeah, you're trolling.
Android is hosted on Linux, not based on Linux. Android users can't and most developers don't see Linux. Developers have to jump through hoops (NDK) to even see Linux.
Not sure why you got modded down. This is exactly what DirectAccess was created for and many organisations are leveraging it, I guess because you put the word Microsoft in your post.
People keep bitching about the limited hardware choices with apple gear, but the simple fact is that whilst you may think you're getting something big by being able to tweak spec to the Nth degree, you simply don't. Games being an exception, somewhat.
The big performance jumps are had by upgrading from one generation to another, not by obsessing over minor differences between particular models of part within a particular product generation.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
4 years down the road the box is out of warranty/support and you'll get a massive performance jump by upgrading the machine - far more than sticking an extra few sticks of RAM in the box will give.
Given that apple offer applecare on machines for 3 years, false statement is false.
"This webpage has a redirect loop"
On a workstation, I get dual Xeon, that's 12 cores, and up to 256GB of memory.
Say again, why are you using mobile CPUs with 16GB of memory _today_? My workstation is now ready to be replaced; it's three years old, has 4 cores and 16GB of memory. That machine is for me now deprecated: it has too little horsepower, too little memory, and it's simply starting to feel slow. And this machine is still "state of the art" when you compare it to laptops.
As a developer I ask myself, WHY? WHY laptop? WHY?
I know this isn't the main point of the article, but I don't think Google can really claim the largest deployment of Macs. I think Apple's own deployment must be far larger. Per the 2013 annual report, Apple had 80,300 full-time equivalent employees. Then consider the possibility that Apple may outsource a large portion of their customer service, tech support, sales, and other customer-facing (non-retail) workers. Those people might work in remote locations, but would have to be using Macs connected to Apple's corporate network. I think 120,000 Macs would be a conservative estimate for worldwide deployment covering HQ/corporate, Apple Retail, AppleCare, Apple Online Store, iTunes/App Store, plus the staff that serve niche markets like education, enterprise and public sector. So I'm afraid Google can't claim #1. However, I can't think of any other company that could even come close to Google's number, so they're probably secure in the #2 spot. Plus, this number says "Apple devices" so if you include mobile devices, Apple's own number would almost certainly surge past 200,000.
The idea of a secure network and a VPN to get into it if you're working away from the office is all very fine, but the list of problems it throws up is huge - and it just gets bigger as your company expands:
- You almost invariably wind up with a two-tier experience. People who are in the office and get nice fast access to everything and people who are out of the office and everything's dog slow. Oh, sure, you can reduce this problem somewhat by putting servers in a colo, but now you've got to engineer systems so you don't wind up with everyone getting the dog slow experience. (I'm particularly looking at legacy file servers here; SMB was never really designed for use over a slow, high-latency link, though I understand newer versions of Windows Server have mostly cracked this).
- You don't gain an enormous amount of security. Even with a heavily locked-down perimeter firewall it's seldom that difficult to figure out a way to get information out, as long as you can get something nefarious in. And that really isn't difficult with a little light social engineering.
- Expanding beyond one office gets very expensive very fast. You need to be looking into Terminal Server, very fast (=expensive) links or have branch offices put up with terrible application performance. IT as an industry automatically assumes that multiple branches = huge business with a huge budget that takes IT very seriously (seriously, throw that bit of information into any proprietary system you're pricing up and watch the price skyrocket). I can tell you now that every single town has loads of small businesses spread across multiple branches that don't have a huge budget, don't feel the need to dedicate enormous resources to IT and they are absolutely loving the various web-based products such as espoused by Google.
Oh, sure, there's a lot of business applications that are designed on the assumption that you're a company in just one office - or if you have several offices, you have gigabit links between them - but I don't think Google really need to care too much about those.
Google = Zero Trust
Really I don't know.
Should be OK, but I agree, not great.
Not really. MBP last a long time physically. My wife's was bought in 2006 and is still 100% OK (with 3 changes of battery and one change of HD). Fine if you want an OK laptop with low end characteristics (2GB of RAM is the main problem)
Google had implicit trust due to laziness and ignorance and the whole benefit of the doubt thing. Google knew all along there is no actual privacy, but their customers didn't see it as an issue, and Google profited off the difference - exploiting and selling that data that their users did not think to protect, and offering cloud services to people who did not consider whether the cloud was secure.
The NSA scandal blew that wide open. Now their whole business model is in jeopardy. Where previously they said trust us, now everyone is saying lets go overseas to find someone trustworthy. Trust cannot be regained, so what Google needs to do is convince everyone that trust is not an issue. You can't trust us, but you really shouldn't trust anyone. And look: it won't impact your profits, and it fact it will save you a lot of money.
So Google is eating their own dog food, playing their own guinea pig. They'll work out the technologies on themselves. They'll say look its working for us, and you should do this too. If they can pull this off - simultaneously eliminate trust and save money doing it - corporate America will be compelled to follow whether they like it or not, because they can't deny the dollars. And like sheep, the public will follow whatever their corporate overlords are doing.
This has an additional benefit: Google can now say to people: hey privacy isn't our problem, it's yours. If you have something to hide that's your responsibility. This can of course be spun as "save the children" vs. "hiding criminal activity from the NSA" to give it some teeth. It lets Google totally off the hook and gives them carte blanche to do anything they want with your data. I'm thinking they'll still give us the tools to do it, but they know that most people are too lazy and complacent to bother, and those few smart or paranoid enough to do to do it will only make themselves targets to the gov't. Except for corporations, who get a free pass to maintain privacy. Once the ecosystem shifts to no trust and no privacy, and laws are passed restricting "technologies that could be used to conceal criminal activity," it will be hard to have any privacy without going offline. (And really, it already is.)
This not only saves Google's business plan, it accelerates it. I'll bet Facebook is going to be all over this too.
What corporation in their right mind would put their data on someone else's servers? That opens it to government snooping as if it were public data, according to the administration's interpretation. It also removes it from their direct control, and it would need to be stored in duplicate at different sites, with archival backup. I could never recommend that anyone store their data like that, let alone a corporation. Like the power grid, it opens up many more avenues for failure and data compromise.