BeyondCorp: The secure solution for enterprise IT
Written by Bastian Ike, Security Division Lead
May 06, 2020 | Categories: Technologies & Open Source, Web Development

IT security when accessing corporate applications remotely is a topic that is becoming increasingly relevant for companies in a wide range of industries and sectors. At AOE, we’ve been relying on BeyondCorp in the OM³ infrastructure since 2017 – a decision which benefits developers, testers and customers. This article illustrates the advantages the security model offers.

BeyondCorp was developed in 2009 as Google’s Zero Trust enterprise security framework. The idea behind it: access controls move from the network to individual users and devices. Location-independent access is therefore possible without a conventional VPN. On the one hand, this means more security for both sides and provides the basis for individual certifications such as PCI DSS; on the other hand, it gives users a higher degree of freedom.

Overview: The Advantages

1. Secure remote access without VPN

IT security has always played a major role at AOE, especially with regard to access to terminals, networks and applications. Today, most of our applications run online; access is sometimes via our own terminals, from remote locations or from the customer’s premises. VPN enables remote access, but also carries risks:

  • Compatibility: Due to different protocols and network layers, it is possible that VPN is not supported by private smartphones or the customer's infrastructure.
  • Flexibility: Access via VPN is never comparable to on-site access.
  • Security: If a security breach occurs via a VPN client, such as the laptop of an employee working from home, attackers can potentially gain access to the entire network, including other network participants – a risk for both the company and the employees.
  • Trust Inference: Via VPN, trust is granted based on an (IP) address. The categories “Allow access” or “Deny access” cannot be specified in more detail. However, since many tools use HTTP as the transport protocol, there are better ways to authenticate users and authorize them based on procedures such as RBAC (Role Based Access Control).

In BeyondCorp, users are treated the same regardless of device, network or origin and are classified as untrusted by default. Enterprise administrators can define fine-grained access controls for web applications or APIs based on attributes such as user identity, device security status and IP address. Every access to a service must be authenticated, authorized and encrypted.

2. Simple authentication

To simplify authentication via BeyondCorp, we use protocols such as OpenID Connect:

  • As an established protocol based on HTTP, it is compatible with any browser, even on mobile end devices.
  • In conjunction with client certificates, it is easy to distinguish between work devices and private end devices, so that additional identity information can be provided for the authenticated device.
  • Authentication is transparent and allows proxies to check, authorize or block any connection, and to pass identity information upstream if required.
  • A single source of truth including two-factor authentication can be established for identity management. This makes credentials alone worthless – the risk of phishing attacks is reduced.
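Pulling sections 1 and 2 together, here is an added example (not AOE's code, and not part of the original article) of the per-request decision a BeyondCorp-style identity-aware proxy makes: roles and second-factor status come from the OpenID Connect login, "managed device" stands for a valid company client certificate, and a path-prefix rule set applies RBAC. The rule set, role names and paths are constructed assumptions.

```go
package main

import "strings"

// Identity is what the proxy learned about the caller from the OpenID Connect login.
type Identity struct {
	Roles []string // roles asserted by the identity provider, used for RBAC
	MFA   bool     // the identity provider reports that a second factor was used
}

// Rule binds a path prefix to the roles allowed there and whether a managed device is required.
type Rule struct {
	PathPrefix    string
	AllowedRoles  []string
	ManagedDevice bool
}

// samplePolicy is a constructed example (not AOE's): the admin UI needs a managed device.
var samplePolicy = []Rule{
	{PathPrefix: "/admin/", AllowedRoles: []string{"ops"}, ManagedDevice: true},
	{PathPrefix: "/", AllowedRoles: []string{"developer", "tester", "ops"}},
}

// authorize returns the verdict for one request plus a reason for the audit log.
// Every request is untrusted by default: no matching rule means no access.
func authorize(id *Identity, managedDevice bool, path string, policy []Rule) (bool, string) {
	if id == nil {
		return false, "unauthenticated"
	}
	if !id.MFA {
		return false, "second factor required"
	}
	for _, r := range policy { // the first rule whose prefix matches decides
		if !strings.HasPrefix(path, r.PathPrefix) {
			continue
		}
		if r.ManagedDevice && !managedDevice {
			return false, "managed device required for " + r.PathPrefix
		}
		for _, have := range id.Roles {
			for _, want := range r.AllowedRoles {
				if have == want {
					return true, "role " + want + " permits " + r.PathPrefix
				}
			}
		}
		return false, "no permitted role for " + r.PathPrefix
	}
	return false, "no policy for path"
}
```

Note that the source IP never appears in the decision: trust comes from the authenticated identity and the device, and the reason string is what the proxy would write to its log for a denied request.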

3. Gradual Migration

Modernizing company IT involves a risk, because a bad VPN is still better than no access at all. Companies are therefore right to ask when the time for a transition is right, and how best to approach it. The advantage of BeyondCorp is that the model allows gradual adoption, so endpoints can be migrated in stages. At AOE we use a zero-config approach: every application is secured automatically, without additional configuration. If an application needs more information or specific authentication rules, we provide them according to its specifications.

4. No additional costs for new applications

New applications incur no additional costs. BeyondCorp thus makes it possible to offer security as standard equipment rather than as a paid feature.