No Perimeter: Zero Trust & BeyondCorp Remote Access

With the rapid proliferation of remote work and the use of virtual private networks (VPN) over the past few months, we’ve seen customers run into many challenges with their remote-access VPN. These include bandwidth and security concerns.
When it comes to network security, the best rule of thumb is to trust no one. This means not just those on the outside of your network but also those on the inside. That concept has evolved since its 2010 inception and has gained momentum in IT departments in recent years as work-from-anywhere becomes a norm, rather than the exception. Here’s a look at how that happens.
What is Zero Trust Security?
Solutions like Google’s BeyondCorp Remote Access eliminate these issues, reduce IT project risks and deliver a secure enterprise computing environment that doesn’t focus on secure perimeters. For reference, in a traditional perimeter-based security model, outsiders have a tough time gaining access to a network. Everyone on the inside, however, is trusted by default.
That sounds great until someone inside launches a malicious attack or a hacker breaches the network and becomes an “insider.” This has been the case in some of the most damaging data breaches.
Each year, IBM and the Ponemon Institute co-release the “Cost of a Data Breach Report.” The 2019 study shows that the average data breach costs $3.92 million, with the most costly at $8.19 million. What’s at stake during the average breach? About 25,575 data records, the report reveals.
Such breaches gave birth to the Zero Trust security model. Fun fact: This security model grew out of work from analyst John Kindervag in 2010 when he was working for Forrester Research Inc. Kindervag, now CTO at Palo Alto Networks, continues to spread the gospel of Zero Trust.
Zero Trust security is based on the idea that organizations shouldn’t trust anyone, inside or outside of their network perimeters. Every attempt to access the network needs to be verified before access is granted. That means no access to IP addresses, machines, business apps, data... absolutely nothing. This approach authenticates both the user and the device before allowing role-based, context-aware access.

VPNs still run on a perimeter model, which doesn’t allow close scrutiny of every account and device logging into the network. Organizations are still using them, even in this era of widespread distributed workforces, but increasingly, this method of connecting remotely is losing favor.
In fact, Gartner predicts that over the next three years, 60% of enterprises will be phasing out VPNs. The VPN’s death march has begun, as noted in this Network World article from December 2019.
This is where BeyondCorp comes in.
What’s the Story about BeyondCorp Zero Trust Security?
BeyondCorp grew out of Google’s own need to improve its security. In late 2009, the company suffered a prolonged advanced persistent threat (APT) attack named Operation Aurora. APTs seek to gain and maintain ongoing access to a network in order to mine sensitive data.
During the recovery phase, Google realized it needed better enterprise security and looked toward Zero Trust as the solution. It sought a way to move away from network segmentation and implement its own Zero Trust security network. BeyondCorp was born.
Google now deploys all of its corporate apps to the public Internet, making them accessible through user- and device-centric authentication and authorization workflows. This ultimately meant its employees could securely work from anywhere on an untrusted network without needing to use a traditional VPN.
It’s a game-changer, and it’s now available for enterprise use. BeyondCorp Remote Access gives your remote workers a secure, reliable way to access work apps through Google’s global network using any device from any location. It’s all driven by Zero Trust security.
This enterprise solution delivers single sign-on (SSO), an access proxy, an access control engine, user and device inventories, a security policy and a trust repository. The type of access granted depends on the particular network being used and what the system knows about the user and their device. All user access to services is also authenticated, authorized and encrypted.
Why Should I Consider a Zero Trust Security Solution?
Getting rid of a clunky VPN in favor of a remote-access solution that provides Zero Trust security has multiple benefits. These include:
Business Resiliency
Zero Trust solutions, such as BeyondCorp Remote Access, allow multiple dispersed users to remotely access corporate apps in a secure environment to maintain business as usual. They also give organizations the ability to react to uncertain situations with no effort needed post-deployment.
Worker productivity
Users can quickly and easily access your internal web apps at any time, from anywhere on any device.
Access control
You can enforce identity-based access control for each application. Control can be based on device security, user status and location.
Quick deployment
There’s virtually no on-premises technology to deploy, so apps can be available in days rather than the months it takes to get a remote-access VPN up and running.
Little-to-no disruptions
BeyondCorp Remote Access deployment involves minimal changes to your existing network, security controls and app configurations.
Reduced costs
You can offload deployment, maintenance and infrastructure management needs to the cloud.
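As an added illustration of the access control engine, inventories and trust repository described above, and of the per-app, device-aware access control listed among the benefits, here is a small Python access decision engine. It is example code written for this article, not Google’s own; the inventory fields, trust tiers and app policies are assumptions.

```python
from dataclasses import dataclass

# Constructed inventory records and policy; the field names are assumptions,
# not Google's actual BeyondCorp schema.
MIN_OS = (89, 0)
TIER_RANK = {"untrusted": 0, "low": 1, "high": 2}

@dataclass
class Device:
    serial: str
    managed: bool        # present in the device inventory
    disk_encrypted: bool
    os_version: tuple
    last_seen_days: int  # days since the inventory last saw this device

@dataclass
class User:
    name: str
    groups: frozenset
    mfa_passed: bool

def device_trust_tier(d: Device) -> str:
    """Trust repository: derive a tier from inventory facts. An unmanaged
    device is unknown, so it gets the lowest tier regardless of network."""
    if not d.managed:
        return "untrusted"
    if d.disk_encrypted and d.os_version >= MIN_OS and d.last_seen_days <= 7:
        return "high"
    return "low"

# Per-app policy: minimum device tier, authorized groups, MFA requirement.
APP_POLICY = {
    "wiki":    {"tier": "low",  "groups": {"staff"},   "mfa": False},
    "payroll": {"tier": "high", "groups": {"finance"}, "mfa": True},
}

def access_decision(user: User, device: Device, app: str, network: str):
    """Access control engine, evaluated on every request. The network is
    recorded as context but never grants trust on its own."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown app: default deny"
    if not (user.groups & policy["groups"]):
        return False, "user not in an authorized group"
    if policy["mfa"] and not user.mfa_passed:
        return False, "MFA required for this app"
    tier = device_trust_tier(device)
    if TIER_RANK[tier] < TIER_RANK[policy["tier"]]:
        return False, f"device tier {tier} below required {policy['tier']}"
    return True, f"allowed via {network}, device tier {tier}"
```

Note that a request from the corporate network on an unmanaged laptop is refused while the same user on a compliant device from a coffee shop is allowed: the decision rests on user and device state, not on where the packets come from.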
What Else Can I Do to Foster a Secure Remote Work Environment?
Zero Trust security isn’t the only way to protect your network in this growing work-from-anywhere world. Cloud-native operating systems and devices, such as Google’s Chrome OS, which runs on Chromebooks, are built with this kind of security in mind. They can make BeyondCorp Remote Access even more secure.
Defense in depth
Chrome’s security model provides multiple layers of protection. If one layer is bypassed or breached, the system is still protected by the other layers. Every app and web page runs in a restricted environment known as a sandbox. For example, if you’re working on a Chromebook and inadvertently visit a malicious site, the effect is contained to that page. It won’t affect the other tabs or apps on the device. Data is also encrypted in Chrome OS when it’s stored in the cloud, using tamper-resistant hardware.
Verified boot
Let’s say you do have a sandbox failure, and malware escapes. What happens then? Do you lose protection? Nope. Your Chromebook has your back. Each time it starts up, it runs what is called a “verified boot” to detect any tampering or corruption in the system. In most cases, it will repair itself and restore the OS to a like-new state.
Automatic updates
What’s more, all security updates are automatic and happen in the background, so users don’t have to worry about installing them or having work interrupted. You can be assured your remote workers’ devices are running the latest, most secure version of Chrome OS at all times.
It never hurts to be too safe when it comes to protecting your network, data and apps. As the remote workforce continues to grow, it’s time to start reassessing how your dispersed teams access this information. Easily overwhelmed VPNs aren’t the answer to your organization’s remote-connection needs.