
BeyondProd Lays Out Security Principles for Cloud-Native Applications

First, it was BeyondCorp, which shifted security away from the network perimeter and onto individual users and devices. Now it is BeyondProd, which protects cloud-native applications that rely on microservices and communicate primarily over APIs, on the premise that a firewall at the edge is no longer a sufficient control.

Cloud-native architectures split workloads into smaller, more manageable units: microservices, the components of modern applications that are typically hosted in software containers. That shift requires a fundamentally new security model. Google has championed microservices because breaking applications into self-contained units significantly reduces the cost and time needed for developers to write, build, and manage each one. The transition required changes to infrastructure and to the development process so that developers would not inadvertently introduce flaws that could leave the entire network vulnerable, Google said in the white paper introducing BeyondProd.

“Modern security approaches have moved beyond a traditional perimeter-based security model, where a wall protects the perimeter and any users or services on the inside are fully trusted,” wrote Maya Kaczorowski, Google’s product manager for container security, and Brandon Baker, horizontal lead for cloud security, on the Google Cloud blog. “In a cloud-native environment, the network perimeter still needs to be protected, but this security model is not enough — if a firewall can’t fully protect a corporate network, it can’t fully protect a production network either.”

Zero Trust to Cloud

As the name suggests, BeyondProd is an extension of BeyondCorp, the zero-trust concept Google introduced five years ago to shift security away from VPNs and firewalls at the perimeter and onto individual users and devices. BeyondProd applies the same zero-trust principles to how machines, workloads, and services connect to one another: protection of the network at the edge; no inherent mutual trust between services; trusted machines running code with known provenance; automated and standardized change rollout; and isolated workloads. Choke points ensure that policy is enforced consistently across services, for example that every data access is authorized.

“BeyondProd applies concepts like: mutually authenticated service endpoints, transport security, edge termination with global load balancing and denial of service protection, end-to-end code provenance, and runtime sandboxing,” Kaczorowski and Baker said.

A valuable part of BeyondProd is how Google is talking about security, said Greg Young, vice-president of cybersecurity at Trend Micro. The white paper focuses on addressing security early in the development lifecycle, as a fabric that envelops and connects all microservices. Because developers do not have to integrate security functionality into each individual application, security is standardized and consistent.

“Too often cloud service providers treat security as a feature, and just keep layering on more of them without any bigger design or integration,” Young said.

Principles, Not Tools

Much of what BeyondProd describes can be handled with existing tools: authorization (authz), authentication (authn), and mutual TLS (mTLS) for service-to-service communication. Some of those come from Google, such as Google Kubernetes Engine and the hybrid platform Anthos; open-source projects such as Envoy, Istio, and gVisor cover much of the rest. The security controls themselves, such as network segmentation, role-based access control, and other forms of authentication and authorization, are also well known. The key point of BeyondProd is that there is no single tool or technique to adopt; it is the combination, applied consistently, that matters.
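To make concrete what “mutually authenticated service endpoints” and “no mutual trust between services” look like in practice, alongside the authn, authz and mTLS tooling just mentioned, here is an added Go example. It is not code from Google, the white paper, or any of the projects named above; it uses only Go's standard crypto/tls and crypto/x509, not Istio or Envoy. The trust domain `spiffe://example.internal`, the in-memory CA, the workload names and the `Policy` table are all constructed for the demo. The service's `tls.Config` requires a client certificate that chains to that CA and then refuses any caller whose URI-SAN identity the policy does not allow, so the decision depends on who the caller is, not on which network it arrived from. `admit` replays the two handshake-time checks on a certificate without opening a socket.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// TrustDomain is a hypothetical SPIFFE-style trust domain for the demo identities.
const TrustDomain = "spiffe://example.internal"

// Policy is the choke point: which caller identity may reach which service. It is
// enforced once, at the mTLS handshake, rather than re-implemented in each service.
var Policy = map[string]map[string]bool{
	TrustDomain + "/frontend": {TrustDomain + "/gateway": true},
}

// newCert issues an Ed25519 certificate whose identity is the URI SAN id: a
// self-signed CA when parent is nil, otherwise a workload leaf signed by parent.
func newCert(id string, parent *tls.Certificate) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	uri, _ := url.Parse(id) // ids are built from TrustDomain and always parse
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: id}, // demo-only serial
		URIs: []*url.URL{uri}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, parentCert := any(priv), tmpl // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, parentCert = parent.PrivateKey, parent.Leaf
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced by CreateCertificate above
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// spiffeID returns the workload identity of cert (its single URI SAN), or "" when
// the certificate does not carry exactly one; "" never matches Policy.
func spiffeID(cert *x509.Certificate) string {
	if len(cert.URIs) != 1 {
		return ""
	}
	return cert.URIs[0].String()
}

// serviceConfig is the service's side of the mutual handshake: crypto/tls verifies the
// caller's chain against ClientCAs, then VerifyPeerCertificate enforces Policy on identity.
func serviceConfig(service, ca tls.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	serviceID := spiffeID(service.Leaf)
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{service},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no anonymous callers
		ClientCAs:    roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if id := spiffeID(chains[0][0]); !Policy[serviceID][id] {
				return fmt.Errorf("%q is not allowed to call %s", id, serviceID)
			}
			return nil
		},
	}
}

// admit replays the service's handshake-time decision for one caller certificate without
// a socket: the chain check crypto/tls performs for ClientCAs, then the Policy hook.
func admit(cfg *tls.Config, caller *x509.Certificate) (string, error) {
	chains, err := caller.Verify(x509.VerifyOptions{
		Roots: cfg.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err == nil {
		err = cfg.VerifyPeerCertificate([][]byte{caller.Raw}, chains)
	}
	if err != nil {
		return "", err
	}
	return spiffeID(caller), nil
}

func main() {
	ca, _ := newCert(TrustDomain+"/ca", nil)
	frontend, _ := newCert(TrustDomain+"/frontend", &ca)
	gateway, _ := newCert(TrustDomain+"/gateway", &ca)
	fmt.Println(admit(serviceConfig(frontend, ca), gateway.Leaf))
}
```

Handed to `tls.Server` or an `http.Server`, the same config makes this decision on a real connection before any application code runs; the caller side mirrors it with its own workload certificate and `RootCAs` pinned to the same CA. A caller with a valid certificate but no `Policy` entry, or one presenting a certificate from another issuer that merely claims an allowed identity, is refused at the handshake.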

It will be difficult to move forward with BeyondProd unless infrastructure and security tools get better at interoperating, said Thomas Hatch, CTO and co-founder of the IT automation software company SaltStack. Security tools will need to work with Kubernetes to enforce isolation, vulnerability management, and detection.

“The complexities of large scale infrastructure and applications can't be resolved with a magic band aid in short order,” Hatch said.

Model as a Guide

Enterprises should not treat BeyondProd as architecture, but rather as a model, Young said. BeyondProd arose from how Google tackled its own cloud-native computing infrastructure, which runs on software containers and Borg, the container orchestration tool that is a precursor to the open-source Kubernetes, but those conditions don't exist in many companies outside of Google.

“Not everyone is a Google,” said Young.

A Midwest shoe manufacturer’s IT landscape is not going to look like Google’s—very few enterprises will match Google’s security requirements and architecture. BeyondProd at a university is going to look very different from Google’s because “very few servers and apps” are managed or touchable by security, Young said.

“Unfortunately, I think BeyondProd will get abused like BeyondCorp and Zero Trust and treated like a firm architecture or certification,” Young said.

Even so, BeyondProd can be a good learning piece for how production environments differ in modern clouds, especially highly containerized ones, Young said. He highlighted service identity as a “really good construct” for thinking about entities, as opposed to traditional three-tier models, which tend to have linear and unchanging paths.

Different doesn’t mean no BeyondProd—just that the principles will be the same, but not the methods. Google said enterprises applying the security principles would “benefit from our experience” to protect deployment and communications.