Google Releases More Details on VPN-Free Security Trust Model

Google has released more details about the company’s approach to authenticating and provisioning employee access to IT systems and services.

Google has so far released four whitepapers describing various aspects of the approach, which it calls BeyondCorp. The previous papers have dealt with the technical challenges associated with implementing BeyondCorp, a so-called zero-trust approach that focuses on people and device-based authentication rather than Virtual Private Network-based security.

The fifth paper published Sept. 27 describes how employees first end up interacting with the system. It includes details on everything from initial onboarding of new employees and setting up their computers to helping users troubleshoot and respond to issues within their control.

Google is releasing the program details as it does periodically with many internally-developed IT management practices. Google’s objective in publishing such details is to help other enterprises learn from the IT practices it has developed over the years to manage the company’s massive global infrastructure.

The new paper discusses “how onboarding has gotten easier with no VPN, how loaners are quick to activate, and how we give employees the ability to handle and resolve their own issues,” stated Max Saltonstall a technical director at Google in a blog.

BeyondCorp allows employees to access Google’s network based on machines and identity rather than a VPN. When new hires join Google, the company uses a variety of platform management tools and inventory processes to set up their company devices for initial use. The devices are added to Google asset management system and each device is assigned an owner.

When the employee then logs into their device, BeyondCorp initiates requests for machine certificates that then guide the user’s system to the appropriate resources on Google’s network.

The system uses several mechanisms to ensure device trust including checking when the last security-scan was conducted, inspecting the installed software on it and verifying it has the appropriate access credentials for the assigned device owner.

Once a user’s credentials are validated, Google pushes a custom Chrome extension to the device. If the Chrome extension has a green icon, the user has access to whatever corporate resource he or she is trying to reach regardless of whether the user is at a Google office or attempting to log in remotely. In fact, so long as a connection is good, Google employees can access the vast majority of the tools they need for their jobs via BeyondCorp without the need for a VPN.

Google has implemented processes to encourage employees to use BeyondCorp instead of the company’s legacy VPN infrastructure.

For instance, new employees do not get default access to the VPN and instead must specifically request access for it via a portal.  When requesting access, they are reminded that BeyondCorp is configured to automatically provision access to most of the resources they likely need and they are encouraged to use it.

If a user chooses to access the VPN anyway, an automated analysis is conducted to see if the resource the user is requesting was accessible via BeyondCorp. In situations where a user had no real reason to use the VPN, Google has implemented a system where their access to it is revoked over a period of time.

“By more or less eliminating the need for a VPN client, we can encapsulate almost all access needs—whether remote or onsite—through one entry point, the BeyondCorp Chrome extension,” the whitepaper noted.