Slashdot Mirror


Google Reveals Own Security Regime Policy Trusts No Network, Ever (theregister.co.uk)

Darren Pauli, reporting for The Register: Google sees little distinction between boardrooms and bars, cubicles and coffee shops; all are untrusted under its perimeter-less security model detailed in a paper published this week. The "BeyondCorp model" under development for more than five years is a zero-trust network model where the user is king and login location means little. Staff devices including laptops and phones are logged into a device inventory service which contains trust information and snapshots of the devices at a given time. Employees are awarded varying levels of trust provided they meet minimum criteria which authors Barclay Osborn, Justin McWilliams, Betsy Beyer, and Max Saltonstall say reduces maintenance cost and improves device usability (PDF).

2 of 41 comments

  1. Re: I don't get it. by JoshuaGriffis · Score: 3, Informative

    Zero trust runs deeper than that. The main point is that you do not trust a corporate-provided device any more than a user's BYOD device. Essentially, you pull workstations out of the core network your servers are on, and only allow access to that core with jump boxes or virtual desktops to limit access and data exfiltration. Forrester had a nice write-up on Zero Trust Networks back in 2013.

  2. Slight correction: "devices", not "employees" by shawn2772 · Score: 3, Informative

    The summary says "Employees are awarded varying levels of trust provided they meet minimum criteria". That should say "employee devices...". Employees, of course, do have differing levels of access to various resources, based on the needs of their jobs, with very fine-grained access control. But the criteria-based trust the article is talking about varies based on device, not user. For example, because my phone isn't "fully trusted" (because I don't want to accept the authentication and other requirements that would impose), it can't access the bug report database or the code repositories, but it does have access to the employee directory, my company e-mail and calendar, etc. My laptop is fully trusted because of how it's configured and I can use it to look at anything I'm authorized to see.

    The key point, though, is that all of this is completely network-independent. It doesn't matter if I'm connected directly to an internal LAN or sitting in a coffee shop; my access, based on my device and my authenticated identity, is the same. Google does still have VPN infrastructure for some legacy services that haven't been fully migrated to the perimeter-less architecture, but that's being phased out as those services are upgraded or replaced. I only use my VPN client a few times per year, and eventually I won't need it at all.
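An added illustration of the device-tier model shawn2772 describes above (example code written for this page, not Google's own implementation; the inventory fields, tier rules, resource list and user names are assumptions). It derives a trust tier from a device-inventory snapshot and then decides access from that tier plus the user's identity, so the network a request arrives from plays no part in the decision:

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    UNTRUSTED = 0   # unknown or non-compliant device
    BASIC = 1       # enrolled, but does not meet every control
    FULL = 2        # enrolled and meets all required controls

@dataclass(frozen=True)
class DeviceSnapshot:
    """Hypothetical device-inventory record (field names are assumptions)."""
    device_id: str
    owner: str
    enrolled: bool
    disk_encrypted: bool
    screen_lock: bool
    os_patched: bool

def trust_tier(d: DeviceSnapshot) -> Tier:
    """Criteria-based trust: the tier comes from the device's state, not the user."""
    if not d.enrolled:
        return Tier.UNTRUSTED
    if d.disk_encrypted and d.screen_lock and d.os_patched:
        return Tier.FULL
    return Tier.BASIC

# resource -> (minimum device tier, groups whose members may use it)
RESOURCES = {
    "employee-directory": (Tier.BASIC, {"all-staff"}),
    "mail-calendar": (Tier.BASIC, {"all-staff"}),
    "bug-tracker": (Tier.FULL, {"engineering"}),
    "source-repo": (Tier.FULL, {"engineering"}),
}
USER_GROUPS = {"shawn": {"all-staff", "engineering"}, "pat": {"all-staff"}}

# Constructed inventory: a phone that declined the screen-lock control, and a fully managed laptop.
INVENTORY = {
    "phone-001": DeviceSnapshot("phone-001", "shawn", True, True, False, True),
    "laptop-001": DeviceSnapshot("laptop-001", "shawn", True, True, True, True),
}

def decide(user: str, device_id: str, resource: str, network: str) -> bool:
    """Access-proxy decision. `network` is accepted only to show it is never consulted."""
    device = INVENTORY.get(device_id)
    if device is None or device.owner != user or resource not in RESOURCES:
        return False                      # unknown device/resource, or device not tied to this user
    min_tier, groups = RESOURCES[resource]
    if trust_tier(device) < min_tier:
        return False                      # device does not meet the resource's minimum tier
    return bool(USER_GROUPS.get(user, set()) & groups)  # user must also be authorized
```

Calling `decide` with `"corp-lan"` and with `"coffee-shop-wifi"` returns the same answer for the same user, device and resource; only changing the device or the user changes the outcome.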