Google Adopts Zero Trust Network Model For Its Own Cloud
Currently, the way most companies secure themselves is through firewalls that protect the network and through other network level security tools. As we've seen with the Sony hack and many other recent hacks, this doesn't work so well. Malicious hackers can get into the network either through poorly secured and nonpatched devices, weak login credentials, or social engineering. Once they are in, they have access to everything and can wreak havoc on the network.
With a Zero Trust network, where the trust is put on every single device, if one device is hacked it doesn't immediately put the whole network in danger. Every user has access only to certain things; so to get access to everything, the attackers would have to attack multiple devices at once.
This makes the network much more resilient, because once devices start "falling" into the hackers' hands, the company can also start getting some feedback about what is happening and take measures against the hack early on.
On the other hand, with the perimeter security model, by the time the company finds out someone has access to its networks, it's already too late.
With its new Zero Trust network model that Google is calling the "BeyondCorp" (whitepaper) initiative, the company will treat its own networks just as it does the Internet. You can't trust the Internet; you can only trust the devices which you can secure and to which only you are authorized to access. Google now wants to apply that mentality to its own network.
Google got a cold wakeup itself two years ago when it found out from the Snowden revelations that the U.S. government not only hacked its network, but it actually tapped the unprotected cables from Google's own internal network. The company was caught by surprise, but it quickly began encrypting connections internally, as well as encrypting all the data at rest.
Since then, Google seems to have adopted a more holistic approach to how it deals with security internally, and that's how it came up with BeyondCorp.
The new security model is focused on devices and user credentials (likely backed by strong authentication methods, such as two-factor authentication or possibly even biometric authentication in the future). This way, users can log in from their offices, their homes or even coffee shops without putting a significant risk on the network.
In reality, these things have already been happening in many companies, but without the benefit of a Zero Trust network, which is one of the reasons why data breaches happen so often. With BeyondCorp, Google is only trying to adapt for the new world of users accessing their work networks from many places, just as they do with the Internet.
With the new model, encryption will also become mandatory for all types of access to the company's data. Before, encryption would have been optional within the network, as the network was considered secure and encryption unnecessary.
When an employee uses a device that is not up-to-date or is from a different location, that employee's access could also be restricted, just as credit card access can be automatically restricted if someone's card is used in a different country from where the owner is normally located.
Unfortunately, many companies still employ the firewall model. The global enterprise firewall market is expected to grow from $6.14 billion in 2014 to $8.14 billion in 2019 thanks to market inertia (established security companies keep pushing for such solutions) and perhaps a lack of understanding from enterprise customers that the firewall model is not good enough anymore.
The above video talk by two of Google's security engineers at a LISA system administration-related conference describes quite well the dangers of using only network perimeter security and how switching to a Zero Trust network model with a focus on device access could help drastically reduce the number of data breaches.
Toms It Pro
http://www.tomsitpro.com/articles/google-zerotrust-network-own-cloud,1-2608.html
