Google has announced general availability of BeyondCorp Enterprise, a new security service from Google Cloud based on the principle of designing networks with zero trust. Urging customers to keep trust on.

Zero trust concept incorporation

Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. Authentication and authorization are discrete functions performed before a session to an enterprise resource is established.
BeyondCorp Enterprise replaces BeyondCorp Remote Access, a cloud service Google announced in April in response to remote working due to the COVID-19 pandemic and the heightened need for virtual private network (VPN) apps.
The service allowed employees to securely access their company’s internal web apps from any device and location. Google has been using BeyondCorp for several years internally to protect employee access to apps, data, and other users.
The three main attack vectors in the SolarWinds attack were compromised user accounts, compromised vendor accounts, and compromised vendor software. These can be significantly mitigated by zero trust principles, such as restricting privileged access to only the accounts that need it and enabling multi-factor authentication. It’s encouraging organizations to use Azure Active Directory for identity and access management versus on-premises identity management systems.
Google is encouraging organizations to use the Google Identity-Aware Proxy (IAP) to manage access to apps running in Google Cloud.
The BeyondCorp Enterprise service includes threat protection to prevent data loss and exfiltration and malware infections from the network to the browser; phishing protection; continuous authorization; segmentation between users and apps and between apps and other apps; and management of digital certificates.
BeyondCorp Enterprise lets admins check URLs in real time and scan files for malware; create rules for what types of data can be uploaded, downloaded, or copied and pasted across sites; track malicious downloads on company-issued devices; and monitor whether employees enter passwords on known phishing sites.