What if all your company’s computers and applications were connected directly to the Internet? That was the assumption behind BeyondCorp, a new model for network security that Google proposed back in 2014, and it’s one that’s starting to get some attention from networking and security vendors.
Enterprises have moved beyond the traditional workspace in recent years, allowing employees to work remotely by using their personal devices and accessing apps in private or public clouds. To bring roaming workers back into the fold, under the security blanket of their local networks, companies rely on VPNs and endpoint software to enforce network access controls.
Google's BeyondCorp approach to enterprise security takes the focus away from the network perimeter and puts it on devices and users. It doesn't assign higher or lower levels of trust to devices based on whether they're inside the internal network or not.
Some security vendors have already started to embrace this no-trust-by-default security model. Duo Security, a two-factor authentication provider launched its own BeyondCorp-inspired offering last week, and enterprise software startup ScaleFT has had dynamic access management service based on the same principles for a while.
Even networking and security appliance manufacturers like Cisco Systems have begun moving what were traditionally perimeter security gateways into the cloud to better serve roaming employees.
Duo Security's new Duo Beyond service consists of a software package that serves as an authentication gateway for all of a company's web-based applications, whether they're hosted inside the local network or in the cloud. It can be deployed in the company network's demilitarized zone (DMZ) and provides a single sign-on service that enforces device and user-based access policies.
Duo Beyond assumes a zero-trust environment for all devices by default, regardless of whether they're connecting from within the enterprise network or from the outside. That said, it does provide administrators with the ability to differentiate between corporate devices and personal devices by deploying Duo certificates to those that are managed by the company.
This device identification process has several benefits. It allows for the easy discovery of new devices that are used to access corporate applications, which helps companies create and maintain accurate inventories that include employees' personal devices. It also allows restricting access to certain applications or accounts to company-managed devices where a certain degree of security can be guaranteed.
The service can also check the security state of a connecting device by looking at whether it's running the latest OS and browser version, whether the browser plug-ins are up to date and, in the case of mobile devices, whether encryption and passcode enforcement are turned on. This allows administrators to create fine-grained access rules based on device "health" and ensure that only reasonably secure devices can access company applications, even if those devices are owned and managed by the employees themselves.
Duo Security doesn't expect customers to completely give up on VPNs if they deploy Duo Beyond, but based on the company's experience so far, customers can cut down VPN licensing costs by up to 80 percent. That's because most roaming employees only use VPN connections to access a few popular intranet web applications like Confluence, Jira or Sharepoint.
The Duo Beyond service is priced at $9 per user per month and includes everything in the company's older Duo Access service, plus the new certificate-based device identification and the mechanism for controlling which internal apps are accessible by remote users.
Moving towards a BeyondCorp security model, where the location of devices does not matter, can help companies avoid having to raise virtual walls inside their networks. Network segmentation, which relies on setting up firewalls and VLANs to restrict access to certain applications and services, is not easy to implement and can quickly become an administrative burden.
In fact, as evidenced by many publicly documented security breaches, attackers often succeed in moving laterally inside a network once they break in. Most hackers start with targeting low-level employees through phishing or other methods and then, once inside a network, jump from system to system, exploiting vulnerabilities and stealing access credentials along the way until they reach the organization's crown jewels.
Google's own network was breached in late 2009 as part of a cyberespionage campaign of Chinese origin known as Operation Aurora. The hackers, who started by targeting the company's employees, sought access to the Gmail accounts of human rights activists.
Other security vendors are embracing BeyondCorp too, and, while there are differences in the implementation, the general goal is the same: moving security beyond a strictly defined network perimeter.
Duo Beyond works only for web-based applications and its device insight technology is agentless. The information about a laptop's OS, browser and plug-ins is obtained through the browser itself.
This approach limits what kind of information can be gathered, but Duo believes that it strikes the right balance between security and usability, since convincing users to install company-mandated software on their personal devices can be problematic.
By comparison, another company called ScaleFT provides a BeyondCorp-inspired solution called Dynamic Access Management that works for SSH (Secure Shell) and RDP (Remote Desktop Protocol), remote access protocols for Linux and Windows servers. ScaleFT's service does requires the installation of client software that synchronizes short-lived access certificates and handles device enrolment and local account creation.
Pushed by the need to address the issue of roaming employees, BYOD and software-as-a-service, some networking vendors have even started to move security appliances outside the network perimeter and into the cloud.
On Monday, Cisco Systems announced what it calls the first Secure Internet Gateway (SIG), which is based on the cloud-based OpenDNS Umbrella service that the company acquired in 2015.
"A SIG provides safe access to the internet anywhere users go, even when they are off the VPN," Cisco said in a blog post. "Before you connect to any destination, a SIG acts as your secure onramp to the internet and provides the first line of defense and inspection. Regardless of where users are located or what they’re trying to connect to, traffic goes through the SIG first."
If this new way of thinking of enterprise security catches on it might even help speed up the adoption of IPv6, which is held back partly by fears that it could punch holes through network perimeters and because many companies still have old firewalls and equipment that don't have proper support for it.