Zero trust 2.0: Google unveils BeyondCorp Enterprise

Google is taking another shot at bringing zero trust to the masses, and this time the company is incorporating its Chrome Web browser to deliver the goods.

Google launched BeyondCorp Enterprise on Tuesday, which is the newest incarnation of the company's zero-trust network offering and which replaces BeyondCorp Remote Access, which was released last spring during the early stages of the COVID-19 pandemic. Instead of traditional username and password authentication schemes at the network perimeter, zero-trust models require continuous authorization of users and devices by analyzing behavior, geolocations and other authentication signals.

BeyondCorp Remote Access aims to displace conventional VPNs with a zero-trust access platform that enforced granular authentication policies. The platform allowed remote employees, business partners and contractors to securely access internal resources or cloud apps and data through internet-facing proxies on Google Cloud Infrastructure that apply encryption as well as access controls and context-aware authentication.

BeyondCorp Enterprise expands Google's zero-trust model by adding Chrome to the equation; rather than deploying agents on endpoint devices, the platform's architecture is extended through the browser. Chrome was also updated with embedded data and threat protection features that are designed to prevent malicious or unintentional data exposure and malware infections not just on the device but throughout the connected network.

During a conference call with reporters, Sunil Potti, general manager and vice president at Google Cloud Security, said Chrome essentially acts as a DLP engine within the platform by providing more data and intelligence from the browser's ecosystem to the authentication process.

"Chrome has evolved as part of BeyondCorp Enterprise, which didn't exist in BeyondCorp Remote Access, to become a principle player in zero trust," Potti said.

In addition, Potti said extending BeyondCorp through Chrome gives Google a simple way to bring the platform to more than 2 billion browser users. "Even if you're not a Google customer, and you have assets only inside your data center or only in Amazon or Azure, this offering would equally work the same level of fidelity," he said.

Another feature of BeyondCorp Enterprise is continuous authentication.  

Rick Caccia, head of cloud security marketing for Google Cloud, said the idea behind the platform is to authenticate every interaction between users, devices and applications on an ongoing basis. Enterprises can craft and implement access control policies that constantly check user identity, IP addresses, device information and other authentication signals in real time and revoke access at any point if there's a violation.

"Basically, many of the zero-trust options that customers have seen elsewhere focus on connections from the user to the app or the user to network," he said. "BeyondCorp Enterprise is the only system where every single interaction all the way through -- user to app, app to app, app to other infrastructure components all the way through -- is reauthorized."

Google also said third-party security vendors can develop complementary products for new platform through the BeyondCorp Alliance partner program, which was unveiled in October. For example, endpoint security vendor Tanium integrated its platform with BeyondCorp Enterprise so that the two products can exchange security signals and provide more visibility in an organization's environment.

Orion Hindawi, co-founder and CEO of Tanium, said during the press conference that enhanced visibility and increased focus on authentication are crucial in light of the recent SolarWinds supply chain attacks. Security experts have said account monitoring and zero-trust models are effective defenses against skilled nation-state actors like the ones behind the SolarWinds attacks, who relied on legitimate account credentials to move laterally through victims' environments.

"Many of our customers, after SolarWinds, are realizing that the number of little companies that have really, really deep visibility and control over their environment and who may not have great security may end up being the biggest security risk they have in their companies," Hindawi said, adding that many third parties have root access to companies but have weak security postures themselves.

The launch of BeyondCorp Enterprise comes a decade after Google first began developing its zero-trust network model for internal usage in 2011. As more data, applications and workloads were moved to cloud services, the company sought to shift access control and authentication away from the conventional network perimeter to individual users and their devices. In 2017, Google launched a commercial version of its internal zero-trust network model, calling it BeyondCorp.