We’ve traditionally secured our corporate systems by throwing up a perimeter around them. Until a few years ago, it was relatively easy to define the limits of that perimeter: almost everyone who needed access to our systems was sitting at a desk in one of our corporate locations (or in the data centre). The few users who were mobile or worked remotely could be given a company laptop and access corporate applications via a Virtual Private Network (VPN).
Today, the picture is very different. More of us are working from home or on the move, using personal or company-issued devices. We’re giving front-line workers smartphone apps to help them work more effectively and efficiently when out in the field. We’re increasingly working in teams that span organisational boundaries — and using cloud-based services that may be running anywhere in the world.
VPNs are no longer an effective response to these challenges.
- They’re difficult and expensive to set up and manage, especially at scale and when working with users’ own devices.
- They may set limits on how many users can connect and authenticate at once — and once someone’s inside the perimeter, they can easily access many different resources.
- They don’t let you enforce security policies on user devices, such as ensuring the operating system is running the latest security patches.
What we need today is a new security model that uses contextual clues to set and enforce policies on an application-by-application basis. These contextual clues will ensure access is granted only for:
- specific user groups
- connecting from a particular location — as narrow as a specific office or as wide as the user’s usual country of residence — and during specified hours
- using well-managed devices where minimum security policies are enforced
- using sufficiently secure encryption for network traffic, with the possible addition of strong 2-factor authentication
This is the basis for Google’s BeyondCorp security model. Originally created to meet Google’s own security needs, it lets your users connect over any network but only grants access to each application based on the user’s identity and whether the context of their request meets the rules set by your IT and security team. More than that, with BeyondCorp, every separate request must be encrypted, authenticated and authorised — all the time and not just when the user first connects. This allows users to work from anywhere on any device without needing a VPN while still ensuring your company systems and assets remain secure.
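To make the per-request, per-application decision described above concrete, here is an added example (not Google's BeyondCorp code, and not any product's real configuration) of a small contextual access policy evaluator. The application names, group names, offices, hours, patch-age limits and the two sample requests are all constructed for illustration. Each check from the list above (user group, location, hours, device posture, transport encryption, second factor) is evaluated on every request, and the caller gets back both the decision and every condition that failed, which is what an audit log needs.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Ordering of TLS versions so "at least TLS 1.2" can be compared numerically.
TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in the organisation's device management
    patch_age_days: int      # days since the last OS security patch was applied
    disk_encrypted: bool

@dataclass(frozen=True)
class RequestContext:
    user: str
    groups: FrozenSet[str]
    country: str             # country the request originates from
    office: Optional[str]    # corporate office the request comes from, None if off-site
    hour: int                # local hour of day, 0-23
    device: Device
    tls_version: str
    mfa_passed: bool

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    allowed_countries: FrozenSet[str]
    allowed_offices: Optional[FrozenSet[str]]  # None = any location in an allowed country
    hours: Tuple[int, int]   # [start, end) in local hours
    max_patch_age_days: int
    require_mfa: bool
    min_tls: str = "TLSv1.2"

def evaluate(policy: AppPolicy, ctx: RequestContext) -> Tuple[bool, List[str]]:
    """Check one request against one application's policy.

    Every check runs, so the caller receives the full list of failed
    conditions; access is granted only when that list is empty.
    """
    failures: List[str] = []
    if not (policy.allowed_groups & ctx.groups):
        failures.append("user not in an allowed group")
    if ctx.country not in policy.allowed_countries:
        failures.append(f"country {ctx.country} not allowed")
    if policy.allowed_offices is not None and ctx.office not in policy.allowed_offices:
        failures.append("request not from an allowed office")
    start, end = policy.hours
    if not (start <= ctx.hour < end):
        failures.append(f"hour {ctx.hour} outside allowed window {start}-{end}")
    if not ctx.device.managed:
        failures.append("device is not managed")
    if ctx.device.patch_age_days > policy.max_patch_age_days:
        failures.append(f"OS patch level is {ctx.device.patch_age_days} days old")
    if not ctx.device.disk_encrypted:
        failures.append("device disk is not encrypted")
    if TLS_RANK.get(ctx.tls_version, -1) < TLS_RANK[policy.min_tls]:
        failures.append(f"TLS version {ctx.tls_version} below {policy.min_tls}")
    if policy.require_mfa and not ctx.mfa_passed:
        failures.append("second factor not presented")
    return (not failures, failures)

# Constructed sample policies (assumptions for this example, not a real deployment).
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(frozenset({"finance"}), frozenset({"GB"}), frozenset({"london-hq"}),
                         hours=(7, 19), max_patch_age_days=14, require_mfa=True),
    "wiki": AppPolicy(frozenset({"staff", "contractors"}), frozenset({"GB", "IE", "DE"}), None,
                      hours=(0, 24), max_patch_age_days=30, require_mfa=False),
}

def authorise(app: str, ctx: RequestContext) -> Tuple[bool, List[str]]:
    """Per-request decision; an application with no policy is denied by default."""
    policy = POLICIES.get(app)
    if policy is None:
        return (False, [f"no policy defined for application {app!r}"])
    return evaluate(policy, ctx)

# Constructed sample requests from the same user with the same credentials.
COMPLIANT = RequestContext(
    user="alice", groups=frozenset({"staff", "finance"}), country="GB", office="london-hq",
    hour=10, device=Device(managed=True, patch_age_days=3, disk_encrypted=True),
    tls_version="TLSv1.3", mfa_passed=True)
# Off-site at night, on an unmanaged laptop that is 40 days behind on patches, no second factor.
OFF_SITE_AT_NIGHT = RequestContext(
    user="alice", groups=frozenset({"staff", "finance"}), country="GB", office=None,
    hour=23, device=Device(managed=False, patch_age_days=40, disk_encrypted=True),
    tls_version="TLSv1.2", mfa_passed=False)

if __name__ == "__main__":
    for app in ("payroll", "wiki", "expenses"):
        for ctx in (COMPLIANT, OFF_SITE_AT_NIGHT):
            ok, why = authorise(app, ctx)
            print(app, ctx.user, "ALLOW" if ok else "DENY", why)
```

The point the sample requests make is that identity alone never decides: the same user with valid credentials is allowed into payroll from a managed device in the office during working hours, but the request from an unmanaged, unpatched device at night without a second factor is refused with five separate reasons, and even the lower-risk wiki refuses it on device posture alone. Applications with no policy are denied rather than allowed, so onboarding an application one at a time means explicitly writing its rules.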
BeyondCorp can be implemented one application at a time, letting you start small with a proof of concept before gradually extending it to all your applications. And it can be applied to on-premises solutions as well as applications running in public or private clouds.
To find out more about how Google Security can help your organisation provide secure access to corporate resources from anywhere at any time with solutions like BeyondCorp, read about some of the other ways Google Cloud secures modern end-user computing, or come and talk to the security experts in our GCP team.