How Google reinvented security and eliminated the need for firewalls



How Google reinvented security and eliminated the need for firewalls

In some ways, Google is like every other large enterprise. It had the typical defensive security posture based on the concept that the enterprise is your castle and security involves building moats and walls to protect the perimeter.


By Neal Weinberg
Executive Features Editor, Network World | Feb 15, 2017 10:48 AM
bodium castle fortress
SAN FRANCISCO -- In some ways, Google is like every other large enterprise. It had the typical defensive security posture based on the concept that the enterprise is your castle and security involves building moats and walls to protect the perimeter.

Over time, however, that perimeter developed holes as Google’s increasingly mobile workforce, scattered around the world, demanded access to the network. And employees complained about having to go through a sometimes slow, unreliable VPN. On top of that, Google, like everyone else, was moving to the cloud, which was also outside of the castle.

In other ways, Google is unlike any other company. Without much of a detailed business plan or cost/benefit analysis, Google execs gave the green light to an ambitious project aimed at totally reinventing the company’s security infrastructure.

The basic premise was simple: “Walls don’t work,” said Heather Adkins, Google’s director of security. Speaking at RSAC, Adkins said the goal was to de-emphasize firewalls and other perimeter defenses and to move to a “zero trust” model.



That means every device – whether it’s inside corporate headquarters or in a Starbucks somewhere -- starts out as untrusted. Under the new model, it’s all about users and devices. Access is granted based on what Google knows about the end user and their device. And all access to services must be authenticated, authorized and encrypted.

The ultimate goal of the multi-year project, dubbed BeyondCorp, was that every employee be able to work successfully from an untrusted network without the use of a VPN, she added. That meant single sign-on or other type of access proxy.
There were multiple steps to the project. First, they had to build a user inventory that detailed every employee’s job classification and what services that employee should have access to. The next step was to build a similar inventory for devices, including tracking each device from procurement to end of life.



Next, Google built its own access control engine capable of checking every network access from any employee and any device anywhere in the world. In order to create access control policies, Google needed to pull data from 20 different sources.
It took two to three years to build everything, according to Rory Ward, site reliability engineering manager at Google. And that wasn’t even the hard part.
Now, they had to migrate people off the old network and onto the new “zero trust” network without “breaking anybody,” said Ward. In other words, without denying anyone access to applications or services that they need to do their job.

The migration itself took another two years, according to Ward. The team installed the new system in 200 Google buildings around the world, but didn’t turn it on right away. They used sniffers to capture all of the real traffic associated with the privileged network at that location and re-ran that traffic through the new, unprivileged system, which remained offline for the time being.
Little by little, Ward and his team gained confidence in the new system and began moving people over. Over time, Ward said, his team accumulated “a giant database of stuff that wouldn’t work on the new network.”

But they kept plugging away. “We kept doing it until it worked,” he said. “We managed to reinvent the world and not break anybody in the process.”
Adkins said the team learned several valuable lessons that could be helpful to other companies that might want to try this. In fact, Google has publicly posted information on BeyondCorp.

The key takeaways are that you need unwavering executive support, you need to have accurate data and the migration has to be painless. Also, there has to be clear user communication and the underlying systems need to be highly reliable.

The result, Adkins said, is that Google employees are happier and more productive. And the new system makes IT simpler, which helps cut costs.
This story, "How Google reinvented security and eliminated the need for firewalls" was originally published by Network World.

Courtesy :- http://www.cio.com/article/3170121/security/how-google-reinvented-security-and-eliminated-the-need-for-firewalls.html

Comments

  1. Unknown12 March 2018 at 03:49

    Informative article!!

    ReplyDelete
  2. sandeep saxena13 February 2019 at 03:53



    its very nice to read your blog and im really appreciate to read that.thanks to you for giving wonderfull ideas.thankyou.
    DevOps certification in Chennai
    DevOps Training in Chennai
    DevOps course in Chennai
    Data science course in chennai
    AWS training in chennai
    AWS certification in chennai

    ReplyDelete
  3. Foxpass6 October 2022 at 00:32

    Thanks for sharing such a wonderful blog. All things were explained in such a way that they are easy to understand. We as Foxpass providing you Best Zero Trust Model. Give us chance.

    ReplyDelete

Post a Comment

Popular posts from this blog

7 free alternatives to Microsoft Office you can consider

Image
  7 free alternatives to Microsoft Office you can consider Microsoft Office is one of the most-popular productivity suites globally. It is used by companies worldwide for spreadsheets, Word, PowerPoint and more. However, it really does not come cheap. if you are are looking for some more affordable/free alternatives, here are seven that you can look at:   Google Workspace Google Workspace is one of the most popular alternatives to Microsoft Office. It is free and offers users 15GB of cloud storage for storing files, mails, attachments and more. Workspace includes several Google apps and services including Google Docs, Sheets, Slides as an alternative to Word, Excel and Powerpoint. It also includes Google Drive, alternative for Microsoft OneDrive.   iWork is another good free alternative to Microsoft Office, but it is best suited for Apple users (Mac, iPhone and iPad). There’s a web-version too, but it has limited functionality. In terms of Apple iWork offers Pages, Numbers and Keynote
Read more

How to back up Android devices: The complete guide

Image
How to back up Android devices: The complete guide Make sure all your important data is always synced and protected with this easy-to-follow Android backup guide. Thinkstock 'Twas a time not so long ago when backing up an Android phone was a massive, migraine-inducing undertaking. It's true: A mere matter of years back in our mobile device saga, a proper Android backup required physical computer connections , complicated third-party software and more than a few adult beverages. But my, what a difference a few years makes. These days, backing up an Android device and keeping your data synced takes little to no actual effort. Most of the work happens seamlessly and automatically, behind the scenes — either without any involvement on your behalf or with a one-time opt-in when you first set your phone up. And restoring your data is typically as simple as signing into a device and letting Google's systems work their magic. Still, your data is i
Read more