Overview of Google’s BeyondCorp Approach to Security

May 22, 2017 Proprietary and Confidential - 1 -
BeyondCorp
Security without Wall
IGATE is now a part of Capgemini
Arnab Chattopadhayay, Senior Director
Date: 12th May, 2017

How your Enterprise is set today

Convergence breaks wall – it does not work

Need a different approach – Google BeyondCorp
Principles
 Connecting from a particular network must not
determine your trust level
 Access to service is granted based on what we
know about you and your device
 All access to services must be Authenticated,
Authorized and Encrypted
 Zero-Trust Model

Google’s Mission was
To have every Google employee work
successfully from untrusted networks
without use of a VPN

BeyondCorp Architecture (1)
Ref: Google
#RSAC
High Level
Access
Proxy
Single
Sign On
Access
Control
Engine
User
Inventory
Device
Inventory
Trust
Repository

BeyondCorp Architecture (2)

Components of BeyondCorp
 Device and Hosts
– Device: collection of physical and virtual components that acts as computer.
Example: PC, Servers, VMs
– Host: snapshot of a device state at a given point of time. Example: device
might be a mobile phone, while a host would be specifics of operating
system and software running on the device
 Device Inventory Service
– Contains information on devices, hosts, and their trust decisions
– Continuously updated pipeline that imports data from a broad range of
sources
 System management source: Active Directory, Puppet, Simian
 On-device agents, CMS, Corporate Asset Management
 Out-of-band data source: vulnerability scanners, Certificate Authorities, Network
Infrastructure Elements (e.g. ARP tables)
 Full or incremental data set
 Google’s Scale: initial phases ingested billions of deltas from 15+ data sources at 3 million
data per day totaling to 80 Terabytes
 Retaining historical data allowed Google to understand end-to-end lifecycle of a device,
track and analyze trends, perform security audits and forensic analysis

Components of BeyondCorp
 Tiered Access
– Trust levels are organized into tiers and assigned to each device by
the Trust Inferer
– Each resource is associated with minimum trust tier required for
access
– To get access, each device’s trust tier assignment must be >=
resource’s trust tier
– Trust Inferer also supports network segmentation effort by
dynamically assigning VLAN based on device state
 Example: a device without adequate OS patch level becomes untrustworthy and
hence assigned to a quarantine network

Device Inventory Service

Types of Data
 Observed Data
– The last time security scan was performed on the device and the
result of the scan
– The last-synced policies and timestamp from Active Directory
– OS version and Patch Level
– Installed Software
 Prescribed Data
– Manually maintained by IT Operations
– Assigned Owner of Device
– User and Groups allowed to access a device
– DNS and DHCP Assignment
– Explicit access to a particular VLAN

Data Processing Flow
Transform into
common data format
Correlation
Exceptions

Transformation
 All data must be transformed to a common data format
 Use Tooling where possible to push changes to system
 Poll where tooling is not possible

Correlation
 Device data coming from distinct data sources must be
reconciled into unique device specific records
 Complex: many data sources do not have overlapping
identifiers
– Example: Asset management system stores device serial
number but a disk encryption escrow service stores had disk
serial number, CA stores X.509 certificate fingerprint, ARP
database stores MAC id
 Challenge is: What exactly constitutes a device?
– What happens when a mother board is changed, Cases
replaced, NIC replaced or even swapped between devices?

Trust Evaluation
 Trust Inferer is notified to trigger re-evaluation once incoming records are
merged
 References a variety of fields and aggregates the results in order to assign
trust tier
 Trust Inferer refers dozens of both platform-specific and platform-agnostics
fields across various data sources
 Example: to qualify for a higher trust level, we might require a device must
meet all of the following requirements:
– Be encrypted
– Successfully execute all management and configuration agents
– Install the most recent OS security patch
– Have a consistent state of data from all inputs
 Pre-computation reduces the amount of data , allows to enforcement
gateways to work on consistent data set
– Allows to change trust for inactive devices
– Might be problematic for real-time 2FA or restricting access originating from known
malicious net-block

Exceptions
 Trust Evaluation considers pre-defined exceptions
 Exceptions are aimed at reducing delay in deploying policy
changes or new policies
 Example
– Block a device that’s vulnerable to zero-day exploit even before
security scanners have been updated
– Permit untrusted devices to connect to lab network
– Permit IoT devices since installing certificate in them may be
infeasible

Deployment
 Initial Phase
– Objective was to reduce user friction
– Subset of Gateways integrated with an interim meta-inventory service
 A small number of data sources with prescribed data
– Mirror IP based perimeter security model
– Apply new policies to untrusted device only
– Access enforcement for trusted device remain unchanged
– The strategy would allow to safely deploy various components of BeyondCorp
before it was fully complete and polished
– In parallel, scale up meta inventory solution
 As the meta-inventory model matures, gradually replace IP based policies with
trust tier assignments
 Once workflow is verified for lower-trust tier devices, apply fine-grained
restrictions to higher trust-tiered devices and enterprise resources
 Given the complexities of identifying a device, use X.509 as persistence device
identifier
– If certificate changes, device is considered different
– If certificate is installed on a different device, the correlation logic notice collision and
mismatch of other device information and degrades trust tier

Mobile
 Almost all communication from Mobile App is over HTTP
 Easier to deploy tiered trust model
 Mobile devices use certificates
– Cryptographically secured communications
 Native Apps subjected to same authorization enforcement as web
browser
– API end-points of services reside behind proxies integrated with Access
Control Engine

Legacy and 3rd Party Systems
 Requires broader sets of access methods
 Use multiple protocols
 Tunnel arbitrary TCP and UDP traffic via SSH tunnel and SSL/TLS proxies
 Gateways only allow tunneled traffic that conforms with policies of of Access
Control Engine
 RADIUS is integrated with device inventory
– Assigns VLAN dynamically via setting appropriate IETF Headers
– Use IEEE 802.1x authentication using X.509 certificate as artifact

Challenges
 Correlation accuracy depends on the data quality
 Data set is sparse
– Reasonably small set of heuristics can correlate majority of deltas from a subset of
data source
– But to have accuracy close to 100% requires extremely complex sets of heuristics to
cater to seemingly endless list of corner cases
– A tiny fraction of devices can potentially lock majority of the employees to be
productive
– Mitigation: monitor traffic and take manual action where necessary
 Latency introduced by Device Inventory Service
 Corporate Communication
 Disaster Recovery
– BeyondCorp is complex
– Failure can be catastrophic – may prevent support staff to access the system to
recover
– Must have a direct access route to the infrastructure for an extremely small set of
staff who would be able to bootstrap the system from last-known-good-state

THANK YOU

Overview of Google’s BeyondCorp Approach to Security

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Overview of Google’s BeyondCorp Approach to Security

Ähnlich wie Overview of Google’s BeyondCorp Approach to Security (20)

Mehr von Priyanka Aash

Mehr von Priyanka Aash (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Overview of Google’s BeyondCorp Approach to Security