No Perimeter: Zero Trust & BeyondCorp Remote Access

With the rapid proliferation of remote work and the use of virtual private networks (VPN) over the past few months, we’ve seen customers run into many challenges with their remote-access VPN. These include bandwidth and security concerns.

When it comes to network security, the best rule of thumb is to trust no one. This means not just those on the outside of your network but also those on the inside. That concept has evolved since its 2010 inception and has gained momentum in IT departments in recent years as work-from-anywhere becomes a norm, rather than the exception. Here’s a look at how that happens.

What is Zero Trust Security?

Solutions like Google’s BeyondCorp Remote Access eliminate these issues, reduce IT project risks and deliver a secure enterprise computing environment that doesn’t focus on secure perimeters. For reference, in a traditional perimeter-based security model, outsiders have a tough time gaining access to a network. Everyone on the inside, however, is trusted by default. 

That sounds great until someone inside launches a malicious attack or a hacker breaches the network and becomes an “insider.” This has been the case in some of the most damaging data breaches. 

ransomewareEach year, IBM and the Ponemon Institute co-release the co-branded “Cost of a Data Breach Report.” The 2019 study shows that the average data breach costs $3.92 million with the most costly at $8.19 million. What’s at stake during the average breach? About 25,575 data records, the report reveals.

Such breaches gave birth to the Zero Trust security model. Fun fact: This security model grew out of work from analyst John Kindervag in 2010 when he was working for Forrester Research Inc. Kindverag, now CTO at Palo Alto Networks, continues to spread the gospel of Zero Trust.

Zero Trust security is based on the idea that organizations shouldn’t trust anyone, inside or outside of its network perimeters. Every attempt to access the network needs to be verified before access is granted. That means no access to IP addresses, machines, business apps, data...absolutely nothing. This approach authenticates both the user and the device before allowing role-based, context-aware access.

VPN

VPNs still run on a perimeter model, which doesn’t allow close scrutiny of every account and device logging into the network. Organizations are still using them, even in this era of widespread distributed workforces, but increasingly, this method of connecting remotely is losing favor. 

In fact, Gartner predicts that over the next three years, 60% of enterprises will be phasing out VPNs. VPNs death march has begun, as noted in this Network World article from December 2019. 

This is where BeyondCorp comes in.

What’s the Story about BeyondCorp Zero Trust Security?

zero trustBeyondCorp grew out of Google’s own need to improve its security. In late 2009, the company suffered a prolonged, advanced persistent attack (APT) named Operation Aurora. APTs seek to gain and maintain ongoing access to a network in order to mine sensitive data.

During the recovery phase, Google officials realized it needed better enterprise security and looked toward Zero Trust as the solution. It sought a way to move away from network segmentation and implement its own Zero Trust security network. BeyondCorp was born.

Google now deploys all of its corporate apps to the public Internet, making them accessible through user and device-centric authentication and authorization workflows. This ultimately meant its employees can securely work from anywhere on an untrusted network without needing to use a traditional VPN.

It’s a game-changer, and it’s now available for enterprise use. BeyondCorp Remote Access gives your remote workers a secure, reliable way to access work apps through Google’s global network using any device from any location. It’s all driven by Zero Trust security.

BeyondCorp Remote Access gives your remote workers a secure, reliable way to access work apps through Google’s global network using any device from any location. @OnixNetworking

This enterprise solution delivers a single-sign-on (SSO) security, access proxy, access control engine, user and device inventories, security policy and trust repository. The type of access granted depends on the particular network being used and what the system knows about the user and their device. All user access to services also is authenticated, authorized and encrypted.

Why Should I Consider a Zero Trust Security Solution?

Getting rid of a clunky VPN in favor of a remote-access solution that provides Zero Trust security has multiple benefits. These include:

Business Resiliency

Zero Trust solutions, such as BeyondCorp Remote Access, allows multiple dispersed users to remotely access corporate apps in a secure environment to maintain business as usual. It also gives organizations the ability to react to uncertain situations with no effort needed post-deployment.

Worker productivity

worker productivityUsers can quickly and easily access your internal web apps at any time, from anywhere on any device.

Access control

You can enforce identity-based access control for each application. Control can be based on device security, user status and location.

Quick deployment

There’s virtually no-premise technology to deploy, so apps can be available in days rather than the months that it takes to get a remote VPN up and running.

Little-to-no disruptions

BeyondCorp Remote Access deployment involves minimal changes to your existing network, security controls and app configurations. 

Reduced costs

You can offload deployment, maintenance and infrastructure management needs to the cloud.

What Else Can I Do to Foster a Secure Remote Work Environment?

Zero Trust security isn’t the only way to protect your network in this growing work-from-anywhere world. Cloud-native operating systems and devices, such as Google’s Chrome OS, which runs on Chromebooks, are built with this kind of security in mind. It can make BeyondCorp Remote Access even more secure.

Defense in depth

Remote WorkChrome’s security model provides multiple layers of protection. If one layer is bypassed or breached, the system is still protected by the other layers. All apps and web pages each work in a restricted environment known as a sandbox. For example, if you’re working on a Chromebook and inadvertently visit a malicious site, this action is contained to that page. It won’t affect the other tabs or apps on the device. Data also is encrypted in Chrome OS when it’s stored in the cloud, using tamper-resistant hardware.

Verified boot

Let’s say you do have a sandbox failure, and malware escapes. What happens then? Do you lose protection? Nope. Your Chromebook has your back. Each time it starts up, it runs what is called a “verified boot” to detect any tampering or corruption in the system. In most cases, it will repair itself and restore the OS to a like-new state.

Automatic updates

What’s more, all security updates are automatic and happen in the background, so users don’t have to worry about installing them or having work interrupted. You can be assured your remote workers’ devices are running the latest, most secure version of Chrome OS at all times.

It never hurts to be too safe when it comes to protecting your network, data and apps. As the remote workforce continues to grow, it’s time to start reassessing how your dispersed teams access this information. Easily overwhelmed VPNs aren’t the answer to your organization’s remote-connection needs.

Post Your Comments


SEARCH Blog

security audit

MEET THE AUTHOR

Doug Sainato, Enterprise Cloud Account Executive

Doug Sainato, Enterprise Cloud Account Executive

Across his 20+-year tech career, Doug Sanaito has helped organizations get the most out of the cloud. He has served as a business analyst, sales/solution engineer and sales account executive, roles that reflect his lifelong love of analytical problem-solving. It comes in handy more often than not in the tech world, as he can attest. When he joined Onix six years ago, he started as a Google Apps SESolution Engineer, a role that helped him quickly develop a passion for the cloud infrastructure and all of the possibilities it offers to organizations launching a cloud journey. He’s an original member of Onix’s GCP team and has held sales, consulting and leadership roles. When his head is out of the cloud, Doug enjoys listening to the Beatles, visiting the beach and finally hoping to catch a big fish.

MORE POSTS BY DOUG SAINATO, ENTERPRISE CLOUD ACCOUNT EXECUTIVE

How secure is your cloud environment?

We're here to help you uncover potential threats and follow best-practice security solutions to ensure your cloud environment is secure and accessible.

Get a Free Security Audit