Full Report
The need to quickly provide secure access for a newly remote workforce during the early days of COVID-19 drove many organizations to explore new technologies and start down a path towards a Zero Trust model. As time has passed, it's become clear that remote work will be a defining characteristic of the new normal, and modernizing security by fully embracing zero trust models is an imperative, not an option. We need to work to further democratize this technology, and accelerate and ease its adoption, to help organizations stay secure, agile, and productive.

We've been working on Zero Trust for more than a decade at Google, and earlier this year we introduced BeyondCorp Remote Access, our cloud-based solution that helps make access to internal applications easier and more secure. We offer similar context-aware access controls for apps in Google Workspace and Cloud Identity. Last year, we assembled a group of partners that share our Zero Trust vision and who are committed to helping our joint customers make it a reality: the BeyondCorp Alliance. These partners are key to our effort to further promote and democratize this technology. They allow customers to leverage existing controls to make adoption easier while adding key functionality and intelligence that enable customers to make better access decisions. We're now pleased to announce that Citrix, CrowdStrike, Jamf, and Tanium are joining Check Point, Lookout, Palo Alto Networks, Symantec (a division of Broadcom), and VMware as BeyondCorp Alliance members.

As Sunil Potti, VP and GM Google Cloud Security, puts it, BeyondCorp delivers world-class security for the reimagined workplace. Partners who share our vision are an essential part of how we help our customers modernize their security approaches in place to deliver a better, safer normal.

Our BeyondCorp Alliance Partners add capabilities in the following areas:

Device Management: Enterprise Mobility Management (EMM) vendors can provide device context and telemetry, such as whether a device is managed or corporate-owned, to aid in policy evaluation.

Endpoint Security: Endpoint Detection and Response (EDR) or Mobile Threat Defense (MTD) vendors can provide device posture information, such as whether a device is compromised, to aid in policy evaluation.

Gateways: Infrastructure vendors can provide more secure access to hosted infrastructure (e.g., virtual desktops) via BeyondCorp.

Keep reading to learn more about updates to our existing BeyondCorp Alliance partnerships and new solutions with leading security partners that we are excited to announce today.

Check Point SandBlast Mobile is a mobile threat defense solution that detects and stops attacks on iOS and Android devices before they start. Integration with the Google Admin console can be used to selectively prevent compromised devices from accessing applications and resources, helping to keep sensitive data secure. The integration is now available to customers in preview in the Google Admin console.

Citrix and Google Cloud are extending our deep collaboration to include BeyondCorp. Google Cloud has always been one of the best places to run Citrix Workspace, and the first step, bringing together Citrix Workspace and BeyondCorp, is coming soon. It will allow customer applications, whether they are deployed on-premises, on GCP, or delivered as a service (SaaS), to be exposed through Citrix Workspace with BeyondCorp's access controls and policy enforcement. Users get a single pane of glass for all of their applications, which can now be accessed from BYOD and non-corporate devices without the need for a VPN. We're also exploring the sharing of endpoint signals and further extending policy enforcement to virtual desktops. For more information, check out the Citrix blog on our joint zero trust security solutions.

CrowdStrike will deliver real-time endpoint posture assessments from endpoints regardless of location, network, or user, so that BeyondCorp adopters can prohibit access from untrusted or compromised hosts as part of conditional access policies, reducing risk for users and the organization. This integration is coming soon. To learn more about how CrowdStrike and Google Cloud are collaborating on Zero Trust, register for CrowdStrike's Cybersecurity Conference Fal.Con 2020, taking place on October 15, 2020.

Jamf is working to extend its device compliance capabilities for organizations leveraging Google Cloud and BeyondCorp. In the past, organizations have expressed concerns about unprotected Mac devices accessing cloud and on-premises resources. Now, through a unique Jamf preview, customers can ensure that only trusted users, from managed devices, using approved apps, are accessing company data. Read Jamf's blog on our collaboration and contact the Jamf team to learn more about this preview.

Lookout continuously assesses a smartphone, tablet or Chromebook's risk level and provides it to Cloud Identity and BeyondCorp from the Lookout Security Graph. Device risk levels of "high, moderate or low" are set based on the organization's security policies. When Lookout detects a threat on a mobile device, the risk level is changed accordingly and delivered in real time to Cloud Identity via API. This integration enables Google Workspace to block risky or non-compliant devices from accessing applications and data. This functionality is now available in preview via the Google Admin console. Learn more by reading Lookout's blog.

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Mobile (SEP Mobile) report on the security posture of an organization's traditional and mobile endpoints, including both managed and unmanaged devices. With the upcoming integration, customers can leverage Symantec's endpoint signals, such as indications of compromise, operating system configuration risks, app risks, anomalous network behavior, and more, to create more granular and customized access policies for Google Workspace, web apps, and Google Cloud infrastructure.

Tanium and Google Cloud recently announced a strategic partnership with the goal of delivering security transformation for the distributed IT era. As part of the BeyondCorp Alliance, Tanium will be providing device identity information through Tanium Endpoint Identity, which is available today. Tanium monitors and evaluates the health of endpoints in real time, providing comprehensive visibility and control from a single platform no matter where the device is located. Through the combined solution, coming soon, organizations will be able to ensure that devices connecting to network resources and applications are authorized, secured, and up to date. To learn more about Tanium's partnership with Google Cloud and BeyondCorp integration, register to attend their upcoming virtual user conference, Converge.

VMware is working to bring Workspace ONE and Google Cloud's BeyondCorp solution together to keep devices under control and compliant with policies that protect corporate data. Workspace ONE will continually feed device compliance status information to Google Cloud's context-aware access engine, allowing access to be revoked at any time if a device becomes non-compliant. This integration is coming soon.

To learn more about how you can take advantage of our joint capabilities to advance your own Zero Trust strategy, visit the BeyondCorp Alliance partner links above or reach out to our team.
Also be sure to check out our BeyondCorp product home, browse BeyondCorp educational resources in our Security Best Practices Center, and view BeyondCorp use case videos in our Cloud Security Showcase.
Analysis Summary
# Best Practices: Implementing Zero Trust and Context-Aware Access (BeyondCorp Model)
## Overview
These practices focus on modernizing security architecture by fully embracing Zero Trust models, specifically leveraging context-aware access controls (like Google Cloud's BeyondCorp model) to secure access for a remote and distributed workforce, replacing traditional perimeter-based security like VPNs.
## Key Recommendations
### Immediate Actions
1. **Assess Current State for Remote Access Security:** Inventory existing remote access paths, identify which internal applications are reachable only through a traditional VPN, and decide on the transition to Zero Trust for those applications.
2. **Initiate Zero Trust Evaluation:** Begin evaluating Zero Trust capabilities provided by cloud-based solutions such as BeyondCorp Remote Access to facilitate easier and more secure access to internal applications.
3. **Review Partner Ecosystem Capabilities:** Identify and begin vetting security partners (EMM, EDR/MTD, Gateway vendors) that can provide necessary device context and telemetry to support granular access policy evaluation. (Partners mentioned include Check Point, Citrix, CrowdStrike, Jamf, Lookout, Tanium, Symantec, VMware).
### Short-term Improvements (1-3 months)
1. **Integrate Device Posture Signals:** Integrate Endpoint Detection and Response (EDR) or Mobile Threat Defense (MTD) solutions to feed real-time device posture information (e.g., compromised status) directly into the access control engine to inform conditional access decisions.
2. **Implement Device Management Telemetry:** Integrate Enterprise Mobility Management (EMM) or Device Management solutions (e.g., Jamf for Mac devices) to provide critical device context, such as management status and corporate ownership, into policy evaluation.
3. **Block Access from Compromised Devices:** Configure Conditional Access policies to immediately prohibit access to sensitive applications and resources if endpoint security solutions report a device as compromised or untrusted (e.g., leveraging Check Point SandBlast Mobile integration for mobile devices).
4. **Establish Real-Time Compliance Checks:** Deploy solutions that continuously feed device compliance status (e.g., VMware Workspace ONE) to the access engine, enabling immediate revocation of access if compliance is breached.
### Long-term Strategy (3+ months)
1. **Adopt Cloud-Native Context-Aware Access:** Fully transition away from VPN-centric access by deploying and configuring a comprehensive context-aware access platform (like BeyondCorp) for all internal applications, whether hosted on-premises, in the cloud (GCP), or delivered as SaaS.
2. **Establish Comprehensive Device Identity Baseline:** Implement solutions (e.g., Tanium Endpoint Identity) to ensure all connecting devices have verified, continuously monitored identity and health status before authorization is granted to any network resource.
3. **Unify Application Access Layer:** Implement infrastructure gateways (e.g., via Citrix Workspace integration) to act as a unified access point, enforcing BeyondCorp policy controls across all application types (SaaS, on-premises, virtual desktops) while providing users a single pane of glass experience.
4. **Granular Policy Development:** Develop sophisticated, granular access policies leveraging a rich set of signals, including device posture, user identity, location, application risk, and anomalous behavior (e.g., leveraging Symantec signals).
## Implementation Guidance
### For Small Organizations
- Focus on leveraging cloud-native Zero Trust services (like BeyondCorp Remote Access) that reduce on-premises infrastructure management overhead.
- Prioritize solutions that offer easy integration previews via the Admin console (e.g., Lookout, Check Point preview status).
- Start with a pilot group: replace VPN access for a small set of users reaching critical cloud applications, using device management context (managed, corporate-owned) as the initial access signals before adding endpoint security posture.
### For Medium Organizations
- Begin formal integration projects with selected EDR/MTD partners to ensure endpoint security posture feeds directly into access decisions.
- Explore unifying access for workloads spanning both cloud and initial on-premises infrastructure using integrated Gateway partners (like Citrix integration).
- Focus on policy maturity: moving beyond simple "managed/unmanaged" checks to include compliance configuration risks.
### For Large Enterprises
- Accelerate the adoption by leveraging the full breadth of the BeyondCorp Alliance to address diverse ecosystem needs (e.g., specific support for extensive Mac fleets via Jamf, deep infrastructure needs via Tanium/Citrix).
- Focus on extending policy enforcement to advanced environments, such as virtual desktops (VDI).
- Develop complex, customized access policies using signals from multiple vendors (e.g., risk scores from Lookout combined with configuration health from Symantec).
## Configuration Examples
*While the article highlights integrations rather than specific configuration syntax, the core mechanism involves:*
1. **Device Risk Signal Integration:** Configure the Lookout or Check Point integration via the Google Admin console (or API) so that the vendor's real-time device risk level is available to the access engine, and define the threshold at which access is denied.
   * **Actionable Step:** Set policy to `IF (Device_Risk_Level = High OR Device_Risk_Level is not reported) THEN DENY Access to Sensitive Apps`; a device with no risk telemetry should be treated as untrusted rather than allowed by default.
2. **Compliance-Based Access Revocation:** Configure VMware Workspace ONE to continuously report device compliance status to the context-aware access engine, so that a change in status is acted on during a session, not only at login.
   * **Actionable Step:** Configure the access engine to `REVOKE Session IF WorkspaceONE_Compliance_Status = NonCompliant`.
3. **VPN Elimination via Unified Gateway:** Configure Citrix Workspace to expose applications secured via BeyondCorp access controls.
* **Actionable Step:** Ensure users access all required applications through the Citrix Workspace layer, enabling access for BYOD devices without requiring traditional VPN.
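The three configuration examples above describe one mechanism: vendor signals (EMM management status, EDR compromise indicators, MTD risk level, device compliance) are combined into an allow/deny decision, and an existing session is revoked when a signal changes. The following is an added illustration of that decision logic, not code from Google, BeyondCorp, or any Alliance partner; the vendor field names, the `payroll`/`wiki` policies, and the risk thresholds are hypothetical. Unknown signals are treated as untrusted for sensitive applications (fail closed), which is the behaviour a practitioner would want from the real access engine. On Google Cloud the enforcement artifact that plays this role is an Access Context Manager access level attached to the application.

```python
# Added illustration (not Google's or any partner's code): a small policy
# engine that turns EMM / EDR / MTD device signals into an allow/deny
# decision and revokes live sessions when a signal changes.
# Vendor field names, policies and thresholds are hypothetical.
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional


class Risk(IntEnum):
    """Ordered risk levels as an MTD vendor would report them."""
    LOW = 0
    MODERATE = 1
    HIGH = 2


@dataclass(frozen=True)
class DeviceContext:
    device_id: str
    is_managed: Optional[bool] = None        # EMM: enrolled in device management
    is_corp_owned: Optional[bool] = None     # EMM: corporate-owned vs BYOD
    mtd_risk: Optional[Risk] = None          # MTD: current device risk level
    edr_compromised: Optional[bool] = None   # EDR: indicators of compromise present
    compliant: Optional[bool] = None         # device-management compliance status
    # None means "no telemetry received"; evaluate() treats that as untrusted
    # for sensitive applications.


@dataclass(frozen=True)
class AppPolicy:
    name: str
    sensitive: bool
    require_managed: bool
    max_risk: Risk
    require_compliant: bool


def evaluate(policy: AppPolicy, ctx: DeviceContext) -> tuple[bool, str]:
    """Return (allowed, reason). Missing signals fail closed for sensitive apps."""
    if ctx.edr_compromised is True:
        return False, "edr: indicators of compromise"
    if ctx.mtd_risk is not None and ctx.mtd_risk > policy.max_risk:
        return False, f"mtd: risk {ctx.mtd_risk.name} exceeds {policy.max_risk.name}"
    if policy.require_managed and ctx.is_managed is not True:
        return False, "emm: device not managed"
    if policy.require_compliant and ctx.compliant is not True:
        return False, "compliance: non-compliant or status unknown"
    if policy.sensitive:
        missing = [n for n, v in (("edr", ctx.edr_compromised), ("mtd", ctx.mtd_risk)) if v is None]
        if missing:
            return False, "no telemetry from: " + ", ".join(missing)
    return True, "ok"


class SessionBroker:
    """Holds active sessions and re-evaluates them whenever device signals change."""

    def __init__(self, policies: dict[str, AppPolicy]):
        self.policies = policies
        # (user, app, device_id) -> context the session was last approved under
        self.sessions: dict[tuple[str, str, str], DeviceContext] = {}
        self.audit: list[str] = []

    def request(self, user: str, app: str, ctx: DeviceContext) -> bool:
        allowed, reason = evaluate(self.policies[app], ctx)
        self.audit.append(f"{user} {app} {ctx.device_id} {'ALLOW' if allowed else 'DENY'} ({reason})")
        if allowed:
            self.sessions[(user, app, ctx.device_id)] = ctx
        return allowed

    def update_signals(self, device_id: str, **changes) -> list[tuple[str, str]]:
        """Apply a vendor signal update and revoke every session that no longer passes."""
        revoked = []
        for key, ctx in list(self.sessions.items()):
            user, app, dev = key
            if dev != device_id:
                continue
            new_ctx = replace(ctx, **changes)
            allowed, reason = evaluate(self.policies[app], new_ctx)
            if allowed:
                self.sessions[key] = new_ctx
            else:
                del self.sessions[key]
                revoked.append((user, app))
                self.audit.append(f"{user} {app} {dev} REVOKE ({reason})")
        return revoked


# Hypothetical policies: payroll is sensitive, the wiki tolerates BYOD.
POLICIES = {
    "payroll": AppPolicy("payroll", sensitive=True, require_managed=True, max_risk=Risk.LOW, require_compliant=True),
    "wiki": AppPolicy("wiki", sensitive=False, require_managed=False, max_risk=Risk.MODERATE, require_compliant=False),
}


def demo() -> dict:
    """Constructed scenario: a managed laptop and a BYOD phone, then two signal changes."""
    broker = SessionBroker(POLICIES)
    laptop = DeviceContext("lap-1", True, True, Risk.LOW, False, True)
    byod = DeviceContext("phone-7", False, False, Risk.MODERATE, None, None)
    results = {
        "managed_to_payroll": broker.request("alice", "payroll", laptop),   # allowed
        "byod_to_payroll": broker.request("bob", "payroll", byod),          # denied: risk above LOW
        "byod_to_wiki": broker.request("bob", "wiki", byod),                # allowed
    }
    # MTD now rates the phone HIGH risk: the open wiki session is revoked.
    results["revoked_on_risk"] = broker.update_signals("phone-7", mtd_risk=Risk.HIGH)
    # Device management now reports the laptop non-compliant: payroll session revoked.
    results["revoked_on_compliance"] = broker.update_signals("lap-1", compliant=False)
    results["open_sessions"] = len(broker.sessions)
    return results


if __name__ == "__main__":
    for line in SessionBroker(POLICIES).audit or demo() and []:
        print(line)
    print(demo())
```

The point of `SessionBroker.update_signals` is that the decision is re-run against the stored session, not only at login; that is what "revoke at any time if a device becomes non-compliant" requires. The `None` handling in `evaluate` is the check most often missed: a device whose vendor agent is uninstalled stops reporting, and an engine that defaults to allow in that case lets the least-trusted device through.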
## Compliance Alignment
*The adoption of these Zero Trust principles inherently aligns with modern security frameworks:*
- **NIST SP 800-207 (Zero Trust Architecture):** Directly supports its core tenets: per-session, per-resource access decisions made from identity and device state, continuous verification, least-privilege access, and micro-segmentation.
- **ISO/IEC 27001:2013 / 27002:2013:** Supports requirements related to Access Control (A.9) and System Acquisition, Development, and Maintenance (A.14) by enforcing policy based on verified asset integrity.
- **CIS Critical Security Controls v8:** Supports Inventory and Control of Enterprise Assets (Control 1) and Access Control Management (Control 6) by verifying the continuous trustworthiness of devices accessing resources.
## Common Pitfalls to Avoid
1. **"Lift and Shift" Mentality:** Assuming Zero Trust implementation is just a software upgrade; it requires rethinking network identity and access flows entirely.
2. **Ignoring Non-Corporate Devices:** Failing to implement robust context checks for BYOD users; Zero Trust must secure access regardless of device ownership.
3. **Incomplete Telemetry Coverage:** Implementing Zero Trust access without integrating rich endpoint signals (posture, threat detection); access decisions become brittle if based only on identity. Treat a missing or stale posture signal as untrusted (fail closed) rather than as a pass, otherwise removing the endpoint agent becomes the easiest way onto a sensitive application.
4. **Delayed VPN Retirement:** Keeping VPNs active as a fallback without a clear timeline for deprecation prevents the organization from achieving true Zero Trust benefits and agility.
## Resources
- BeyondCorp product home documentation (Search for BeyondCorp product home)
- BeyondCorp educational resources in the Security Best Practices Center (Search for Security Best Practices Center)
- BeyondCorp use case videos in the Cloud Security Showcase (Search for Cloud Security Showcase)
- Reach out to the BeyondCorp Alliance team for joint capability exploration (contact link in the original post)