About a decade ago, I was first introduced to the Jericho Forum, an international group of cybersecurity executives committed to defining new infosec tools and architectures. At that time, Jericho Forum was particularly focused on a concept called de-perimeterization. Wikipedia defines de-perimeterization as:
The removal of a boundary between an organization and the outside world. De-perimeterization is protecting an organization's systems and data on multiple levels by using a mixture of encryption, secure computer protocols, secure computer systems and data-level authentication, rather than the reliance of an organization on its network boundary to the Internet.
The Jericho Forum was way ahead of its time, preaching de-perimeterization before the deluge of cloud computing, IoT, and mobile devices over the past few years. Now that these IT initiatives are well established, de-perimeterization requirements have become much more acute at many enterprise organizations. Rather than rolling their own perimeter-free network security on a piecemeal basis, CISOs are looking for someone (anyone!) to step up with a reference architecture they can evaluate and emulate.
Enter Google with BeyondCorp, which it describes as, “a new approach to enterprise security” that was highlighted in a recent WSJ blog.
So what the heck is BeyondCorp? Remember the speakeasy movies where characters had to knock on the door and say, “Joe sent me,” before being granted admission? Well, BeyondCorp is sort of an Internet equivalent of this process.
With BeyondCorp, all users and devices reside on a quasi-public network, so no LANs, VPNs, etc., and all users and devices must be authenticated before being granted access to applications and IT services. User authentication requires multiple factors, not just usernames and passwords, while all devices are managed and approved devices as they are instrumented with digital certificates tied to each system's Trusted Platform Module (TPM). Upon authentication, all devices are then assigned to network segments (VLANs) based upon business and security policies in order to restrict them to only those network assets necessary to do their jobs. Finally, all network traffic between clients and applications is encrypted by an externally-facing network proxy.
On the back end, all externally-facing applications reside on semi-public networks with private address spaces and all applications have services for things like load balancing, global reachability, and DDoS protection. Aside from user and device authentication for network protection, each application is protected with entitlement policies that makes authorization decisions based upon the user, device, user group, artifacts on the device, and device location. In other words, application access and usage is dynamically controlled based upon risk factors.
I’ve really just scratched the surface of the Google BeyondCorp architecture as it is beyond the scope of my humble blog to provide deep technical details. Anyone interested in this increasingly-important topic should really read the Google BeyondCorp paper for more details. In my opinion, Google really deserves credit for making the Jericho Forum’s early 2000s vision into a reality.
In addition to Google, other security vendors offer a variety of tools and technologies that can certainly fit into a similar perimeter-free architecture. CISOs who want to follow Google’s lead with a more off-the-shelf approach should look into:
- Cisco ISE and TrustSec. While not a mirror image of the Google architecture, Cisco customers can build something similar using Cisco’s Identity Services Engine (ISE) and TrustSec for network segmentation. Others like Pulse Secure offer similar capabilities.
- The endpoint profiling crowd. Google wants to know details about endpoint devices before letting them through the TCP/IP door. Vendors like Great Bay Software, Promisec, and Tanium can provide similar details.
- NAC. Forget about NAC circa 2006, NAC has evolved into a new category that ESG calls endpoint visibility, access, and security (EVAS). Once a user and device are authenticated, NAC vendors like Bradford Networks, ForeScout, and Symtrex can enforce policies. Some vendors in this space also provide endpoint profiling and integrate with other elements of the network security infrastructure.
- FIDO. Issuing security tokens, implementing 802.1X, and managing digital certificates can be an operational burden requiring a big investment in skills and resources that many organizations can’t make. The Fast Identity Online (FIDO) alliance has the potential to commodify strong user and device authentication by supporting a range of authentication technologies with a common set of standards and technologies. Companies like Google, Lenovo, Microsoft, and Nok Nok Labs are already on board so it’s likely that a FIDO foundation for strong user and device authentication will come through the enterprise door on its own over the next few years.