A zero trust network is one in which no person, device, or network enjoys inherent trust. All trust, which allows access to information, must be earned, and the first step of that is demonstrating valid identity. A system needs to know who you are, confidently, before it can determine what you should have access to. Add to that the understanding of what you can access–authorization–and you’ve got the core foundation of zero trust security.
At Google we rely on a zero trust system known as BeyondCorp, to move beyond the idea of a privileged corporate network.In this issue of GCP Comics we discuss ways of acquiring trust, as our friend attempts to visit some distant relatives.
Why set up a zero trust model?
Here are a few compelling reasons for setting up a zero trust system:
Preserve the productivity of your employees working from home, from the office, from a coffee shop, or from anywhere else
- Deploy quickly, faster than a traditional VPN system, for rapid onboarding
- Spin up new device access quickly in case of unexpected latté-applied-to-laptop and similar incidents
- Give each web application its own access control, for precise security and lower risk
- Decide access based on identity, device health, location, time of day, or other factors
Google zero trust tools can protect your workloads on any public cloud, or on-premises, so you don’t need to move your applications to improve their security
Benefits of zero trust
Zero trust systems can be invisible to the employees at your company. They sign in, they use a strong second factor, and they are ready to go.
The authentication and authorization aren’t tied to your location. Previous methods of access control relied on trusted networks, giving privileged access to anyone inside the established corporate network. With a zero trust model it’s easy to work from home and access all the same systems and tools.
Switching to a zero trust system has helped Google, and many other enterprises, reduce their exposure and minimize security incidents, proactively stopping phishing-based attacks and lateral movement after a compromise.
- BeyondCorp Remote Access, our enterprise grade security offering for protecting workloads on Google Cloud, other clouds, or on-premises
- BeyondCorp at Google, our own zero trust implementation
- Published research papers on how Google created, deployed, and evolved the BeyondCorp model.
- Identity-Aware Proxy, The Google Cloud protective layer used to create context-based access to apps, VMs, and services.
By Priyanka Vergadia and Max Saltonstall. Source: Google Cloud Blog.