Overview of Google’s BeyondCorp Approach to Security
1. May 22, 2017 Proprietary and Confidential - 1 -
BeyondCorp
Security without Wall
IGATE is now a part of Capgemini
Arnab Chattopadhayay, Senior Director
Date: 12th May, 2017
2. How your Enterprise is set up today
3. Convergence breaks the wall – it does not work
4. Need a different approach – Google BeyondCorp Principles
Connecting from a particular network must not determine your trust level
Access to a service is granted based on what we know about you and your device
All access to services must be authenticated, authorized and encrypted
Zero-Trust Model
5. Google's Mission was
To have every Google employee work successfully from untrusted networks without use of a VPN
6. BeyondCorp Architecture (1)
High-level architecture diagram (Ref: Google, #RSAC) showing the components: Access Proxy, Single Sign-On, Access Control Engine, User Inventory, Device Inventory, Trust Repository
7. BeyondCorp Architecture (2)
8. Components of BeyondCorp
Devices and Hosts
– Device: a collection of physical and virtual components that acts as a computer. Examples: PCs, servers, VMs
– Host: a snapshot of a device's state at a given point in time. Example: the device might be a mobile phone, while the host would be the specifics of the operating system and software running on the device
Device Inventory Service
– Contains information on devices, hosts, and their trust decisions
– A continuously updated pipeline that imports data from a broad range of sources:
  System management sources: Active Directory, Puppet, Simian
  On-device agents, CMS, corporate asset management
  Out-of-band data sources: vulnerability scanners, Certificate Authorities, network infrastructure elements (e.g. ARP tables)
  Full or incremental data sets
Google's scale: initial phases ingested billions of deltas from 15+ data sources at 3 million per day, totalling 80 terabytes
Retaining historical data allowed Google to understand the end-to-end lifecycle of a device, track and analyze trends, and perform security audits and forensic analysis
9. Components of BeyondCorp
Tiered Access
– Trust levels are organized into tiers and assigned to each device by the Trust Inferer
– Each resource is associated with the minimum trust tier required for access
– To get access, a device's assigned trust tier must be >= the resource's trust tier
– The Trust Inferer also supports the network segmentation effort by dynamically assigning a VLAN based on device state
  Example: a device without an adequate OS patch level becomes untrustworthy and is therefore assigned to a quarantine network
10. Device Inventory Service
11. Types of Data
Observed Data
– The last time a security scan was performed on the device and the result of that scan
– The last-synced policies and timestamp from Active Directory
– OS version and patch level
– Installed software
Prescribed Data
– Manually maintained by IT Operations
– Assigned owner of the device
– Users and groups allowed to access a device
– DNS and DHCP assignments
– Explicit access to a particular VLAN
12. Data Processing Flow
Pipeline diagram: Transform into common data format → Correlation → Exceptions
13. Transformation
All data must be transformed into a common data format
Use tooling where possible to push changes to the system
Poll where tooling is not possible
14. Correlation
Device data coming from distinct data sources must be reconciled into unique device-specific records
Complex: many data sources do not have overlapping identifiers
– Example: the asset management system stores the device serial number, but a disk encryption escrow service stores the hard disk serial number, the CA stores the X.509 certificate fingerprint, and the ARP database stores the MAC address
The challenge is: what exactly constitutes a device?
– What happens when a motherboard is changed, or a case or NIC is replaced or even swapped between devices?
15. Trust Evaluation
The Trust Inferer is notified to trigger re-evaluation once incoming records are merged
It references a variety of fields and aggregates the results in order to assign a trust tier
The Trust Inferer refers to dozens of both platform-specific and platform-agnostic fields across various data sources
Example: to qualify for a higher trust level, we might require that a device meet all of the following requirements:
– Be encrypted
– Successfully execute all management and configuration agents
– Have the most recent OS security patch installed
– Have a consistent state of data from all inputs
Pre-computation reduces the amount of data and allows enforcement gateways to work on a consistent data set
– Allows trust to be changed for inactive devices
– Might be problematic for real-time 2FA or for restricting access originating from a known malicious net-block
16. Exceptions
Trust evaluation considers pre-defined exceptions
Exceptions are aimed at reducing the delay in deploying policy changes or new policies
Examples
– Block a device that is vulnerable to a zero-day exploit even before security scanners have been updated
– Permit untrusted devices to connect to the lab network
– Permit IoT devices, since installing a certificate on them may be infeasible
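The tiered access, trust evaluation and exceptions slides above describe one decision pipeline. The following is an added example (not Google's code and not from this deck) of a minimal Trust Inferer in that style: pre-defined exceptions are checked first, then the four requirements decide the tier, and the tier drives both resource access and VLAN assignment. The tier names, the patch-level value, the resource minimums and the exception flags are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not Google's): tiers in ascending trust
# order, the patch level that currently counts as "most recent", per-resource minimums.
TIERS = {"untrusted": 0, "basic": 1, "trusted": 2, "high": 3}
LATEST_PATCH = "2017-05"
RESOURCE_MIN_TIER = {"lab-wiki": "untrusted", "source-repo": "trusted", "prod-console": "high"}

@dataclass
class Device:
    device_id: str
    encrypted: bool          # disk encryption reported by the escrow service
    agents_ok: bool          # all management/configuration agents ran successfully
    patch_level: str         # OS security patch level from the on-device agent
    consistent: bool         # all data sources agree on the device's state
    flags: set = field(default_factory=set)   # out-of-band markers, e.g. from scanners

# Pre-defined exceptions: each returns a forced tier or None. They run before the
# regular evaluation, so a policy change takes effect before scanners are updated.
def block_zero_day(dev):
    return "untrusted" if "zero_day_vulnerable" in dev.flags else None

def permit_iot(dev):          # IoT devices cannot hold a certificate: admit at a low tier
    return "basic" if "iot" in dev.flags else None

EXCEPTIONS = (block_zero_day, permit_iot)

def infer_tier(dev, exceptions=EXCEPTIONS):
    """Assign a trust tier: every requirement must hold to reach the top tier."""
    for rule in exceptions:
        forced = rule(dev)
        if forced is not None:
            return forced
    if not dev.consistent:
        return "untrusted"        # conflicting inputs: do not trust the record at all
    if not (dev.encrypted and dev.agents_ok):
        return "basic"
    if dev.patch_level != LATEST_PATCH:
        return "trusted"
    return "high"

def may_access(dev, resource):
    """Tiered access: the device's tier must be >= the resource's minimum tier."""
    return TIERS[infer_tier(dev)] >= TIERS[RESOURCE_MIN_TIER[resource]]

def assign_vlan(dev):
    """Segmentation: untrustworthy devices land on the quarantine VLAN."""
    return "quarantine" if infer_tier(dev) == "untrusted" else "corp"
```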
17. Deployment
Initial Phase
– The objective was to reduce user friction
– A subset of gateways was integrated with an interim meta-inventory service
  A small number of data sources with prescribed data
– Mirror the IP-based perimeter security model
– Apply new policies to untrusted devices only
– Access enforcement for trusted devices remains unchanged
– This strategy allowed various components of BeyondCorp to be deployed safely before it was fully complete and polished
– In parallel, scale up the meta-inventory solution
As the meta-inventory model matures, gradually replace IP-based policies with trust tier assignments
Once the workflow is verified for lower-trust-tier devices, apply fine-grained restrictions to higher-trust-tier devices and enterprise resources
Given the complexities of identifying a device, use the X.509 certificate as the persistent device identifier
– If the certificate changes, the device is considered a different device
– If the certificate is installed on a different device, the correlation logic notices the collision and the mismatch of other device information, and degrades the trust tier
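The correlation slide and the X.509 persistence rule above share one mechanism: deltas from sources with non-overlapping identifiers must be merged into one record per device, and a certificate fingerprint that turns up on different hardware must be noticed. The following is an added example (not Google's code and not from this deck) of that reconciliation with a union-find over identifier values, the on-device agent report acting as the bridge between sources. All deltas, source names and identifier values are constructed.

```python
from collections import defaultdict

# Constructed per-source deltas (not real inventory data). Each source knows only
# some identifiers; the on-device agent report is what bridges them.
ID_KEYS = ("serial", "disk_serial", "mac", "cert_fp")
DELTAS = [
    {"source": "agent", "serial": "SN-100", "disk_serial": "DSK-7",
     "mac": "00:11:22:33:44:01", "cert_fp": "FP-A"},
    {"source": "asset", "serial": "SN-100", "owner": "alice"},
    {"source": "escrow", "disk_serial": "DSK-7", "encrypted": True},
    {"source": "arp", "mac": "00:11:22:33:44:01", "vlan": "corp"},
    {"source": "agent", "serial": "SN-200", "disk_serial": "DSK-8",
     "mac": "00:11:22:33:44:02", "cert_fp": "FP-B"},
    # FP-B reported again from different hardware: the certificate was copied.
    {"source": "agent", "serial": "SN-300", "cert_fp": "FP-B"},
]

def correlate(deltas):
    """Union-find over identifier values: any two deltas that share one
    identifier belong to the same device record (every delta carries >= 1 id)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    ids_of = lambda d: [(k, d[k]) for k in ID_KEYS if k in d]
    for d in deltas:
        first, *rest = ids_of(d)
        for other in rest:
            parent[find(other)] = find(first)
    devices = defaultdict(lambda: {"sources": set(), "ids": defaultdict(set)})
    for d in deltas:
        rec = devices[find(ids_of(d)[0])]
        rec["sources"].add(d["source"])
        for k, v in ids_of(d):
            rec["ids"][k].add(v)
        for k, v in d.items():             # non-identifier attributes are merged in
            if k != "source" and k not in ID_KEYS:
                rec[k] = v
    return list(devices.values())

def cert_collisions(devices):
    """Fingerprints seen with more than one hardware serial: the certificate was
    installed on a different device, so that record's trust tier is degraded."""
    return {fp for rec in devices if len(rec["ids"]["serial"]) > 1
            for fp in rec["ids"]["cert_fp"]}
```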
18. Mobile
Almost all communication from mobile apps is over HTTP
Easier to deploy the tiered trust model
Mobile devices use certificates
– Cryptographically secured communications
Native apps are subjected to the same authorization enforcement as the web browser
– API endpoints of services reside behind proxies integrated with the Access Control Engine
19. Legacy and 3rd Party Systems
Require broader sets of access methods
Use multiple protocols
Tunnel arbitrary TCP and UDP traffic via SSH tunnels and SSL/TLS proxies
Gateways only allow tunneled traffic that conforms to the policies of the Access Control Engine
RADIUS is integrated with the device inventory
– Assigns VLANs dynamically by setting the appropriate IETF attributes
– Uses IEEE 802.1X authentication with the X.509 certificate as the artifact
20. Challenges
Correlation accuracy depends on data quality
The data set is sparse
– A reasonably small set of heuristics can correlate the majority of deltas from a subset of data sources
– But accuracy close to 100% requires extremely complex sets of heuristics to cater for a seemingly endless list of corner cases
– A tiny fraction of devices can potentially lock the majority of employees out of being productive
– Mitigation: monitor traffic and take manual action where necessary
Latency introduced by the Device Inventory Service
Corporate communication
Disaster Recovery
– BeyondCorp is complex
– Failure can be catastrophic – it may prevent support staff from accessing the system to recover it
– There must be a direct access route to the infrastructure for an extremely small set of staff who would be able to bootstrap the system from the last known good state
21. THANK YOU