Google is moving all of its internal corporate applications to a cloud model, reports The Wall Street Journal. So far, 90 percent of Google’s corporate applications have migrated. With that shift to cloud comes a shift in the way the company approaches and thinks about security. Gone is the idea of the cordoned-off enterprise.
Called the BeyondCorp initiative, the new security model assumes that the internal network is as dangerous as the Internet. Traditionally, corporate security hinges on the idea that a trusted internal network secured by firewalls and other security measures is much safer than having to traverse the Internet for access.
The thinking addresses not only the changing way we access applications, but also the changing nature of attacks and the rise of distributed, remote workforces.
“The perimeter security model works well enough when all employees work exclusively in buildings owned by an enterprise,” wrote Google reliability engineering manager Rory Ward and technical writer Betsy Beyer in a paper published in December. “However, with the advent of a mobile workforce, the surge in the variety of devices used by this workforce, and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm to the point of redundancy.”
In the initiative, Google is tuning its security practices with the assumption that everything will move to cloud. Overall, this means that trust is moving from the network to the device level. Employees are given fine-grained access that depends on both the device they are using and their user credentials. Authentication, authorization and encryption are employed. There are no virtual private networks, and connections are encrypted the same way whether an employee is at home or inside the office.
Because the trust has shifted from network to device, Google uses a device inventory database that keeps track of what devices are issued to employees, as well as changes made to those devices. After device authentication, the user is identified through a user database and a group database that is tied to the company’s human resources processes. The human resources tie-in ensures that an employee’s status and access remain up to date.
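To make the model in the two paragraphs above concrete, here is a small access-decision function written as an added example for this article; it is not Google's code and not taken from the BeyondCorp paper. All devices, users, groups, applications and the tier scheme are hypothetical, constructed data. The point it shows is that the decision is driven by the device inventory record, the user's HR status and group membership, while the network the request arrives from is accepted as input and deliberately ignored.

```python
"""Toy BeyondCorp-style access decision (constructed example).

Trust is derived from the device inventory and the user/group databases,
never from the network location of the request."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str            # username from the user database
    managed: bool         # issued by the company and tracked in inventory
    os_patched: bool      # inventory says the OS is at the current patch level
    disk_encrypted: bool


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    active: bool          # HR status; becomes False when an employee leaves


@dataclass(frozen=True)
class App:
    name: str
    required_group: str
    min_tier: int         # 0 = any device, 1 = managed, 2 = managed and healthy


# Constructed inventory, user and application data (all hypothetical).
DEVICES = {
    "laptop-001": Device("laptop-001", "alice", True, True, True),
    "laptop-002": Device("laptop-002", "bob", True, False, True),   # unpatched
    "byod-phone": Device("byod-phone", "carol", False, True, False),  # unmanaged
}
USERS = {
    "alice": User("alice", frozenset({"eng", "finance-viewers"}), True),
    "bob": User("bob", frozenset({"eng"}), True),
    "carol": User("carol", frozenset({"eng"}), True),
    "dave": User("dave", frozenset({"eng"}), False),  # departed, HR deactivated
}
APPS = {
    "wiki": App("wiki", "eng", 1),
    "payroll": App("payroll", "finance-viewers", 2),
}


def device_tier(device):
    """Map an inventory record to a trust tier; unknown/unmanaged devices get 0."""
    if device is None or not device.managed:
        return 0
    if device.os_patched and device.disk_encrypted:
        return 2
    return 1


def authorize(username, device_id, app_name, source_network="unknown"):
    """Return (allowed, reason) for a request.

    source_network is accepted so callers can log it, but it is never
    consulted: the office LAN and a home connection are treated identically.
    """
    app = APPS.get(app_name)
    if app is None:
        return False, "unknown application"
    user = USERS.get(username)
    if user is None or not user.active:
        return False, "user unknown or deactivated by HR"
    device = DEVICES.get(device_id)
    if device is None:
        return False, "device not in inventory"
    if device.owner != username:
        return False, "device not issued to this user"
    if app.required_group not in user.groups:
        return False, "user not in group " + app.required_group
    tier = device_tier(device)
    if tier < app.min_tier:
        return False, "device tier %d below required %d" % (tier, app.min_tier)
    return True, "ok"


if __name__ == "__main__":
    for args in [("alice", "laptop-001", "payroll", "office-lan"),
                 ("alice", "laptop-001", "payroll", "home-wifi"),
                 ("bob", "laptop-002", "wiki"),
                 ("carol", "byod-phone", "wiki"),
                 ("dave", "laptop-001", "wiki")]:
        print(args, "->", authorize(*args))
```

Note that every denial reason comes from a database the company controls (inventory, HR, groups), which is what lets the same policy apply on and off the corporate network; a real deployment would also have to authenticate the device and user before this function is reached.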
Part of the apprehension on the part of enterprises when it comes to using SaaS is the fact that application traffic traverses the Internet. However, it hasn’t stopped many from employing SaaS to varying degrees. The first applications to move were non-sensitive ones; however, Gartner noted that enterprises are getting comfortable with SaaS for more mission-critical applications.
Regardless of a company’s mix of on-premises applications and SaaS, the security paradigm needs to shift to include the wider Internet. Once the model better addresses the Internet “X” factor, more wholesale moves will begin to occur en masse.
The Wall Street Journal notes that Coca-Cola, Verizon and Mazda are examples of big corporations taking a similar approach to security. As trust shifts from the network to the user, security is enforced through granular access and permissions rather than through membership in an internal network.
When Google does something, many follow. The move might stand to change the way many think about and approach security, and in the process, better align corporate policies with the usage of SaaS and cloud.