In Duo’s latest white paper, Principal Security Strategist Wendy Nather explains the theory behind Google’s BeyondCorp security model, the different components required and the overall security architecture.
This white paper is part 1 of 2 in the Moving Beyond the Perimeter series. In part 2, we’ll describe how to implement the security model within your organization.
Why the Need for a New Security Model?
While traditional enterprise security methods focused on securing the perimeter, Google’s new approach addresses risks that extend beyond it. What’s inside the perimeter is what we traditionally considered to belong to the enterprise: servers, desktops, network, applications and logins.
But external applications and resources, together with mobile endpoints and users, force us to acknowledge that a good portion of the enterprise isn’t inside the perimeter anymore.
The idea is to make users and their devices pass the same tests and controls regardless of whether they’re outside the perimeter or inside. This also has the effect of tightening security on the inside so the perimeter isn’t the only thing keeping the attacker at bay.
To do this, Google launched a new internal architecture called BeyondCorp.
What Risks Does BeyondCorp Address?
In summary, BeyondCorp addresses attacks that bypass firewall protection at the perimeter, or ones that start inside the internal network (insiders). It also helps mitigate risks associated with cloud-based applications, mobile users, and vulnerable endpoints.
Download the full white paper to get more detailed threat scenarios associated with attackers inside an internal network.
What is the BeyondCorp Implementation?
At a high level:
“Google’s implementation rests on the combination of validated users using validated endpoint devices. This combination is further locked down with end-to-end encryption between these devices and the resources they access. Finally, users are allowed only the bare minimum access needed for their roles (which is also known as ‘least privilege’).”
-- Wendy Nather, Moving Beyond the Perimeter: The Theory Behind Google’s BeyondCorp Security Model
How Can You Implement a Similar Security Model?
Building infrastructure for a new security approach can take time, resources and effort.
At Duo, we’ve made BeyondCorp easily attainable with our new platform, Duo Beyond. It’s a simplified security model containing most of the components, including:
- Device inventory
- Identification of trusted devices
- Access control engine
- Access proxy
- Single sign-on
- Multi-factor authentication (MFA)
Download Moving Beyond the Perimeter: The Theory Behind Google’s BeyondCorp Security Model today to get more detail on the theory behind BeyondCorp, the different components required, and an overview of the security architecture.
In part 2, Moving Beyond the Perimeter: How to Implement the BeyondCorp Security Model, we describe how to implement the BeyondCorp security model, including how to inventory users and endpoints, deploy digital certificates, and create effective access policies.