Forget the network perimeter, say security vendors

Google’s 'BeyondCorp' network security model is starting to influence security offerings

What if all your company’s computers and applications were connected directly to the Internet? That was the assumption behind BeyondCorp, a new model for network security that Google proposed back in 2014, and it’s one that’s starting to get some attention from networking and security vendors.

Enterprises have moved beyond the traditional workspace in recent years, allowing employees to work remotely by using their personal devices and accessing apps in private or public clouds. To bring roaming workers back into the fold, under the security blanket of their local networks, companies rely on VPNs and endpoint software to enforce network access controls.

Google's BeyondCorp approach to enterprise security takes the focus away from the network perimeter and puts it on devices and users. It doesn't assign higher or lower levels of trust to devices based on whether they're inside the internal network or not.

Some security vendors have already started to embrace this no-trust-by-default security model. Duo Security, a two-factor authentication provider, launched its own BeyondCorp-inspired offering last week, and enterprise software startup ScaleFT has offered a dynamic access management service based on the same principles for a while.

Even networking and security appliance manufacturers like Cisco Systems have begun moving what were traditionally perimeter security gateways into the cloud to better serve roaming employees.

Duo Security's new Duo Beyond service consists of a software package that serves as an authentication gateway for all of a company's web-based applications, whether they're hosted inside the local network or in the cloud. It can be deployed in the company network's demilitarized zone (DMZ) and provides a single sign-on service that enforces device and user-based access policies.

Duo Beyond assumes a zero-trust environment for all devices by default, regardless of whether they're connecting from within the enterprise network or from the outside. That said, it does provide administrators with the ability to differentiate between corporate devices and personal devices by deploying Duo certificates to those that are managed by the company.

This device identification process has several benefits. It allows for the easy discovery of new devices that are used to access corporate applications, which helps companies create and maintain accurate inventories that include employees' personal devices. It also allows restricting access to certain applications or accounts to company-managed devices where a certain degree of security can be guaranteed.

The service can also check the security state of a connecting device by looking at whether it's running the latest OS and browser version, whether the browser plug-ins are up to date and, in the case of mobile devices, whether encryption and passcode enforcement are turned on. This allows administrators to create fine-grained access rules based on device "health" and ensure that only reasonably secure devices can access company applications, even if those devices are owned and managed by the employees themselves.
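The device-and-user trust model described in the paragraphs above can be made concrete with a small policy evaluator. The following Python is an added illustration, not Duo's code or any real product's API: it assumes hypothetical structures for a device's self-reported state (OS, browser and plug-in currency, mobile encryption and passcode status), a flag standing in for a company-issued device certificate, and constructed minimum-version and managed-only-app policies. The point it demonstrates is that the source IP is carried along but never consulted, so a device on the internal network earns no more trust than one on a coffee-shop Wi-Fi.

```python
"""Added example: a BeyondCorp-style access decision built only from user and
device evidence. Policy values and data structures are constructed for
illustration and are not taken from Duo Beyond or any other product."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy baseline: the minimum versions an administrator might
# require. A real deployment would maintain these from vendor release data.
MIN_OS_VERSION: Dict[str, Tuple[int, int]] = {
    "windows": (10, 0), "macos": (10, 12), "ios": (10, 0), "android": (7, 0),
}
MIN_BROWSER_VERSION: Dict[str, Tuple[int, int]] = {
    "chrome": (55, 0), "firefox": (50, 0), "safari": (10, 0),
}
# Applications that only company-managed devices may reach (constructed).
MANAGED_ONLY_APPS = {"hr-payroll", "source-control"}


@dataclass(frozen=True)
class Device:
    device_id: str                  # stable identifier captured at enrolment (hypothetical)
    os_name: str
    os_version: Tuple[int, int]
    browser: str
    browser_version: Tuple[int, int]
    plugins_current: bool
    has_managed_cert: bool          # stands in for a certificate issued only to managed devices
    mobile: bool = False
    encrypted: Optional[bool] = None    # mobile-only signals
    passcode: Optional[bool] = None


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool                # outcome of the user authentication step
    device: Device
    app: str
    source_ip: str                  # recorded for audit, never used for trust


def health_findings(d: Device) -> List[str]:
    """Return every policy violation found in the device's reported state."""
    findings: List[str] = []
    if d.os_version < MIN_OS_VERSION.get(d.os_name, (0, 0)):
        findings.append("outdated OS")
    if d.browser_version < MIN_BROWSER_VERSION.get(d.browser, (0, 0)):
        findings.append("outdated browser")
    if not d.plugins_current:
        findings.append("outdated browser plug-ins")
    if d.mobile:
        if not d.encrypted:
            findings.append("device encryption off")
        if not d.passcode:
            findings.append("no passcode enforced")
    return findings


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Allow or deny an application request from user and device evidence only.

    Network location is ignored on purpose: an internal IP earns no trust.
    """
    if not req.mfa_passed:
        return False, "user authentication failed"
    findings = health_findings(req.device)
    if findings:
        return False, "device unhealthy: " + ", ".join(findings)
    if req.app in MANAGED_ONLY_APPS and not req.device.has_managed_cert:
        return False, f"{req.app} requires a company-managed device"
    return True, "allowed"


class DeviceInventory:
    """Records every device seen accessing applications, managed or personal."""

    def __init__(self) -> None:
        self.seen: Dict[str, Device] = {}

    def observe(self, d: Device) -> bool:
        """Record the device; return True if it had not been seen before."""
        is_new = d.device_id not in self.seen
        self.seen[d.device_id] = d
        return is_new


# Constructed sample devices.
MANAGED_LAPTOP = Device("lt-0001", "macos", (10, 12), "chrome", (56, 0), True, True)
PERSONAL_LAPTOP = Device("lt-0002", "windows", (10, 0), "firefox", (51, 0), True, False)
STALE_LAPTOP = Device("lt-0003", "windows", (10, 0), "chrome", (48, 0), False, True)
PHONE_NO_PASSCODE = Device("ph-0001", "ios", (10, 2), "safari", (10, 0), True, False,
                           mobile=True, encrypted=True, passcode=False)

if __name__ == "__main__":
    inventory = DeviceInventory()
    for req in (
        AccessRequest("alice", True, MANAGED_LAPTOP, "source-control", "10.0.0.5"),
        AccessRequest("bob", True, PERSONAL_LAPTOP, "wiki", "203.0.113.7"),
        AccessRequest("bob", True, PERSONAL_LAPTOP, "hr-payroll", "10.0.0.9"),
        AccessRequest("carol", True, STALE_LAPTOP, "wiki", "10.0.0.3"),
        AccessRequest("dave", True, PHONE_NO_PASSCODE, "wiki", "198.51.100.2"),
    ):
        new = inventory.observe(req.device)
        print(req.user, req.app, req.source_ip, "new device" if new else "known", decide(req))
```

Two things to notice when reading the output: the personal laptop is allowed to reach the wiki from an outside address yet denied the managed-only payroll app from an inside one, and the stale laptop is turned away even though it carries the managed-device certificate, which is the "health" gating the article describes.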

Duo Security doesn't expect customers to completely give up on VPNs if they deploy Duo Beyond, but based on the company's experience so far, customers can cut VPN licensing costs by up to 80 percent. That's because most roaming employees only use VPN connections to access a few popular intranet web applications like Confluence, Jira or SharePoint.

The Duo Beyond service is priced at $9 per user per month and includes everything in the company's older Duo Access service, plus the new certificate-based device identification and the mechanism for controlling which internal apps are accessible by remote users.

Moving towards a BeyondCorp security model, where the location of devices does not matter, can help companies avoid having to raise virtual walls inside their networks. Network segmentation, which relies on setting up firewalls and VLANs to restrict access to certain applications and services, is not easy to implement and can quickly become an administrative burden.

In fact, as evidenced by many publicly documented security breaches, attackers often succeed in moving laterally inside a network once they break in. Most attackers start by targeting low-level employees through phishing or other methods and then, once inside the network, jump from system to system, exploiting vulnerabilities and stealing access credentials along the way until they reach the organization's crown jewels.

Google's own network was breached in late 2009 as part of a cyberespionage campaign of Chinese origin known as Operation Aurora. The hackers, who started by targeting the company's employees, sought access to the Gmail accounts of human rights activists.

Other security vendors are embracing BeyondCorp too, and, while there are differences in the implementation, the general goal is the same: moving security beyond a strictly defined network perimeter.

Duo Beyond works only for web-based applications and its device insight technology is agentless. The information about a laptop's OS, browser and plug-ins is obtained through the browser itself.

This approach limits what kind of information can be gathered, but Duo believes that it strikes the right balance between security and usability, since convincing users to install company-mandated software on their personal devices can be problematic.

By comparison, another company called ScaleFT provides a BeyondCorp-inspired solution called Dynamic Access Management that works for SSH (Secure Shell) and RDP (Remote Desktop Protocol), the remote access protocols for Linux and Windows servers. ScaleFT's service does require the installation of client software, which synchronizes short-lived access certificates and handles device enrolment and local account creation.

Pushed by the need to address the issue of roaming employees, BYOD and software-as-a-service, some networking vendors have even started to move security appliances outside the network perimeter and into the cloud.

On Monday, Cisco Systems announced what it calls the first Secure Internet Gateway (SIG), which is based on the cloud-based OpenDNS Umbrella service that the company acquired in 2015.

"A SIG provides safe access to the internet anywhere users go, even when they are off the VPN," Cisco said in a blog post. "Before you connect to any destination, a SIG acts as your secure onramp to the internet and provides the first line of defense and inspection. Regardless of where users are located or what they’re trying to connect to, traffic goes through the SIG first."

If this new way of thinking about enterprise security catches on, it might even help speed up the adoption of IPv6. IPv6 adoption is held back partly by fears that it could punch holes through network perimeters, and partly because many companies still have old firewalls and equipment that lack proper support for it.

Lucian Constantin

IDG News Service