In 2014, Google unveiled BeyondCorp, its zero-trust approach to user access and authentication.
This week, Google expanded the same philosophy to machines, workloads, and services. In a paper outlining what it calls BeyondProd, Google explained how it is securing its own infrastructure, so that other security teams can consider taking a similar approach.
"We’re demonstrating how our microservices architecture and development process allowed Google to address security issues as early in the development and deployment lifecycle as possible," Maya Kaczorowski, Google's product manager in container security, told Data Center Knowledge.
It is a general model for cloud-native security "that can be applied to any environment using containerized microservices,” she said. “The end result is that developers at any enterprise can spend less time on security while still achieving more secure outcomes.”
Although Google has its own internal implementation of these principles, other companies can do something similar using components and services available to the public, she said.
Those include the Google Kubernetes Engine for containers, Google Cloud's Anthos application modernization platform, as well as open source components, she said.
Widely Applicable But Not Easy
Google's BeyondProd approach to security is just more evidence that the traditional perimeter-based approach to security needs to be put to rest as soon as possible.
"Google may be on the leading edge, but this problem applies to organizations of all sizes and industries," said Brendan O'Connor, CEO and co-founder at AppOmni, a San Francisco-based cloud security vendor. "BeyondProd is predictive of a fundamental shift in security strategy."
The idea behind “zero trust” is that enterprises shouldn't trust anything, whether users, machines, or other assets or communications, even those inside corporate networks.
Any type of company can adopt this approach, said Ali Golshan, cofounder and CTO at StackRox, a cloud security company. "This kind of security architecture is not a sector-specific approach."
The challenge for data center security managers is that there's no one tool that does everything, he added. "Different tech stacks will require different security solutions."
And enterprise solutions that are on the market do not interoperate easily, said Thomas Hatch, CTO and co-founder at SaltStack, a Utah-based cybersecurity company.
While large enterprises will already have many of the needed security tools, copying Google's approach can be very complicated, Hatch said. "The complexities of large-scale infrastructure and applications can't be resolved with a magic Band-Aid in short order." A unified platform is needed to bring all the pieces together.
"This is what Google seems to be attempting," Hatch added. "But BeyondProd still leaves out the ability to migrate classic infrastructure into new models, which might ultimately limit the effectiveness of this approach."
In addition, the BeyondProd approach to infrastructure and security assumes that the two areas blend together, he said. But current solutions are only beginning to tackle this issue.
Data centers don't have a choice, though, since a security approach based on a firewall around the data center network perimeter simply does not apply in the new hybrid and cloud environments.
"Any company acting like the firewall actually gives them a lot of protection is just ignoring reality," said Roger Grimes, data-driven defense evangelist at KnowBe4, security awareness training company. "So, whether you believe in zero trust or not, it’s what you are dealing with."
According to a survey conducted by Data Center Knowledge earlier this year, only 16 percent of data centers had zero-trust architectures.
Data centers are moving in that direction, however. For example, 50 percent have network segmentation in place, which is one of the components of the zero-trust strategy.
And a survey by security vendor Okta released earlier this year showed that 60 percent of large companies are working on zero trust strategies, either beginning to formalize a plan or already actively working on executing against one.
Similarly, a survey by Cybersecurity Insiders showed that while only 15 percent of companies had a zero-trust strategy in place, another 63 percent were either planning to move in that direction or had already begun doing so.
Nothing New Here
Experts say that they've seen zero trust deployed before, and the only difference with Beyond Prod is that it's rolled out using Google Cloud products instead of those from traditional security vendors.
"I first heard of the same prescription at Microsoft fifteen years ago," said KnowBe4's Grimes.
"I do not see BeyondCorp as being that different than any other Cisco, AWS, Azure security reference architecture," said Matt Keil, director of product marketing at Cequence Security.
Similarly, the ideas behind BeyondProd have been around for several years, he said, and can be applied to any cloud platform.
However, data centers that are using Google Cloud Platform as their primary cloud service provider would be ideal candidates for embracing Google's BeyondProd approach, he said.