IT security when accessing corporate applications remotely is a topic that is becoming increasingly relevant for companies in a wide range of industries and sectors. At AOE, we’ve been relying on BeyondCorp in the OM³ infrastructure since 2017 – a decision which benefits developers, testers and customers. This article illustrates the advantages the security model offers.
BeyondCorp was developed in 2009 as Google’s Zero Trust Enterprise Security Framework. The idea behind it: access controls are moved from the network environment to individual users or devices. Location-independent access is therefore possible without the need for a conventional VPN. On the one hand, this means more security for both sides and provides a basis for individual certifications such as PCI DSS; on the other hand, it gives users a higher degree of freedom.
IT security has always played a major role at AOE, especially with regard to access to terminals, networks and applications. Today, most of our applications run online; access is sometimes via our own terminals, from remote locations or from the customer’s premises. VPN enables remote access, but also carries risks:
With BeyondCorp, users are treated equally regardless of device, network or origin and are classified as untrusted by default. Enterprise administrators can set detailed access controls, for example for web applications or APIs, based on attributes such as user identity, device security status and IP address. Access to services must be authenticated, authorized and encrypted.
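The per-request decision described above can be expressed as a default-deny function. This is an added example, not AOE's or Google's code; the `Request` fields, the `POLICY` table and `decide` are hypothetical names, and the policy values and IP addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Request:
    user: Optional[str]      # identity asserted by the identity provider, None if absent
    groups: frozenset        # group memberships attached to that identity
    device_compliant: bool   # device security status from a device inventory (assumed)
    source_ip: str
    tls: bool                # True if the connection to the proxy is encrypted
    app: str

# Constructed policy: one rule per application. An app with no rule is denied.
POLICY = {
    "wiki":    {"groups": {"staff"},   "compliant_device": False, "blocked_nets": []},
    "billing": {"groups": {"finance"}, "compliant_device": True,
                "blocked_nets": ["203.0.113.0/24"]},
}

def decide(req: Request):
    """Return (allowed, reason). A request is untrusted until every check passes."""
    if not req.tls:
        return False, "unencrypted"
    if req.user is None:
        return False, "unauthenticated"
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "no policy for app"
    if not (req.groups & rule["groups"]):
        return False, "not authorized"
    if rule["compliant_device"] and not req.device_compliant:
        return False, "device posture"
    # The source IP is only ever a reason to deny; no address range grants access.
    addr = ip_address(req.source_ip)
    if any(addr in ip_network(net) for net in rule["blocked_nets"]):
        return False, "source ip"
    return True, "ok"
```

A request from an internal-looking address such as `10.0.0.5` is still refused when it carries no identity, which is the difference from a VPN-style model where network location implies trust.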
To simplify authentication via BeyondCorp, we use protocols such as OpenID Connect:
Modernizing company IT involves a risk, because a bad VPN is better than no access at all. Companies are therefore right to ask themselves when the time is right for a transition – and how best to approach it. The advantage of BeyondCorp is that the model allows for gradual adaptation, so endpoint migration can be done in stages. At AOE, we use a zero-config approach and automatically secure each application without the need for additional configuration. If an application needs more information or specific authentication rules, we can provide them according to the specifications.
No additional costs ensue for new applications. This means that BeyondCorp makes it possible to offer security as standard equipment rather than as a paid feature.