BeyondCorp® is a cybersecurity architecture developed at Google that shifts access control from the traditional network perimeter to individual devices and users. The goal is to let users work securely anytime, anywhere and on any device without having to use a virtual private network (VPN) to reach an organization's resources.

Years ago, organizations kept all their applications and data in on-site data centers. The traditional model of network security relies on establishing a secure boundary, or perimeter, around them, on the notion that everything bad is outside the perimeter and everything inside it can be trusted. The perimeter not only keeps unwanted "visitors" and attackers out but also assumes that everyone who remains inside the boundary is an authorized user of the system; those users are then trusted to access only the network resources allocated to them and to perform only the actions the network's security policy prescribes or permits. However, attackers who circumvented the perimeter protections could advance quickly on their goals through lateral movement, encountering few controls once inside.

BeyondCorp came to life by posing the question, "How would you design your security if nothing could be trusted?" In other words, how would you protect your applications if your internal network were just as untrusted as a public network? This prompted many organizations to completely rethink their approach to security and look for new ways to consistently enforce security policies across multiple, disparate environments: on-premises data centers; cloud services such as Google Cloud Platform (GCP™), Amazon Web Services (AWS®) and Microsoft Azure®; software-as-a-service applications such as Box.com and Office 365®; and others.

The two most important tenets of BeyondCorp are:

1. Controlling access to the network and applications. In BeyondCorp, every decision about whether to give a person or device access to a network or application is made by an access control engine. This engine sits in front of every request and applies rules and access policies based on the context of that request, such as user identity, device information and location, and on the amount of sensitive data in the application being accessed. It gives organizations an automated, scalable way to verify a user's identity, confirm that the user is authorized, and apply rules and access policies. However, access control alone is not enough to ensure effective security.

2. Visibility. Once a user has access to an organization's network or applications, the organization must continually view and inspect all traffic to identify unauthorized activity or malicious content. Otherwise, an attacker can move around within the network and take whatever data they want without anyone knowing.

Many people are familiar with Zero Trust, an IT security model that removes the concept of trust from a network so an organization can better protect its assets. With Zero Trust and Zero Trust for the Cloud, everyone, whether inside or outside a given organization, is subject to three requirements (as defined by Forrester Research, a leading advisory firm):

1. Enable users to securely access all resources, regardless of location.
2. Use a least-privilege strategy and strictly enforce access control.
3. Inspect and log all traffic.

BeyondCorp provides a foundation on which to build a Zero Trust implementation. The third element, inspection and logging of all traffic, plays an important role in establishing Zero Trust, because one should not presume that all traffic from an endpoint is trustworthy or safe for data. For this reason, organizations implementing BeyondCorp should also consider implementing Zero Trust principles to further reduce risk.
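As an added illustration (not code from this page and not Google's BeyondCorp implementation), the Python below sketches what the access control engine described above does and how the visibility tenet and the "inspect and log all traffic" principle fit around it: every request is decided from user identity, device posture, location and the sensitivity of the target application, and every decision, allowed or denied, is written to an audit log. The trust tiers, the posture rules, the rule that writes require a fully trusted device, the device inventory and the application catalogue are all constructed assumptions for the example.

```python
# Minimal BeyondCorp-style access control engine.  Added illustration: the trust
# tiers, posture rules and sample data are assumptions, not Google's design.
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
import json

class TrustTier(IntEnum):
    UNTRUSTED = 0   # unknown or unmanaged device
    BASIC = 1       # managed, but missing some controls
    FULL = 2        # managed, disk encrypted and fully patched

class Sensitivity(IntEnum):   # how much sensitive data an application holds
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2

# Minimum device tier required to reach an application of each sensitivity.
REQUIRED_TIER = {Sensitivity.PUBLIC: TrustTier.UNTRUSTED,
                 Sensitivity.INTERNAL: TrustTier.BASIC,
                 Sensitivity.RESTRICTED: TrustTier.FULL}

@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    patched: bool

@dataclass(frozen=True)
class Application:
    sensitivity: Sensitivity
    allowed_groups: frozenset                       # "*" = any authenticated user
    allowed_countries: Optional[frozenset] = None   # None = any country

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_id: str
    country: str
    app: str
    action: str   # "read" or "write"

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

# Constructed sample inventory: the device, not the network, is the unit of trust.
DEVICES = {"lt-001": Device(managed=True, disk_encrypted=True, patched=True),
           "lt-002": Device(managed=True, disk_encrypted=True, patched=False),
           "byod-7": Device(managed=False, disk_encrypted=True, patched=True)}

# Constructed sample application catalogue.
APPS = {"payroll": Application(Sensitivity.RESTRICTED, frozenset({"finance"}),
                               frozenset({"US", "DE"})),
        "wiki": Application(Sensitivity.INTERNAL, frozenset({"eng", "finance"})),
        "status-page": Application(Sensitivity.PUBLIC, frozenset({"*"}))}

AUDIT_LOG = []   # one JSON line per decision; stands in for a real log sink

def device_tier(device: Optional[Device]) -> TrustTier:
    """Map device posture to a trust tier; unknown devices get none."""
    if device is None or not device.managed:
        return TrustTier.UNTRUSTED
    if device.disk_encrypted and device.patched:
        return TrustTier.FULL
    return TrustTier.BASIC

def decide(req: Request) -> Decision:
    """Evaluate one request in context: default deny, first failing check wins."""
    app = APPS.get(req.app)
    if app is None:
        decision = Decision(False, "unknown application")
    else:
        tier = device_tier(DEVICES.get(req.device_id))
        needed = REQUIRED_TIER[app.sensitivity]
        if tier < needed:
            decision = Decision(False, f"device tier {tier.name} below {needed.name}")
        elif "*" not in app.allowed_groups and not (req.groups & app.allowed_groups):
            decision = Decision(False, "user not in an allowed group")
        elif app.allowed_countries is not None and req.country not in app.allowed_countries:
            decision = Decision(False, f"location {req.country} not permitted")
        elif req.action == "write" and tier < TrustTier.FULL:
            decision = Decision(False, "writes require a fully trusted device")
        else:
            decision = Decision(True, "all checks passed")
    # Visibility: record every decision, allowed or denied, with its context.
    AUDIT_LOG.append(json.dumps({"user": req.user, "device": req.device_id,
                                 "country": req.country, "app": req.app,
                                 "action": req.action, "allowed": decision.allowed,
                                 "reason": decision.reason}, sort_keys=True))
    return decision

if __name__ == "__main__":
    fin = frozenset({"finance"})
    print(decide(Request("alice", fin, "lt-001", "US", "payroll", "read")))
    print(decide(Request("alice", fin, "byod-7", "US", "payroll", "read")))
    print("\n".join(AUDIT_LOG))
```

Two design choices carry the BeyondCorp idea: the decision is default deny, so a request that matches no rule is refused rather than waved through because it arrived from an "inside" address, and the same user is treated differently depending on which device the request comes from (a fully managed laptop reaches the payroll application, an unmanaged personal device does not). Denied requests are logged alongside allowed ones, since a run of denials from one identity or device is exactly the signal the visibility tenet exists to surface.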