Today's enterprises are moving to a security model in which a secured network perimeter is no longer enough. A modern approach is required to protect a company's most sensitive assets while still letting employees be productive, under the right circumstances.
BeyondCorp Enterprise is Google's tooling meant to empower organizations to enable this new approach. By tying together a user's information with device and location context, an enterprise can make rich access decisions and enforce security policy.
BeyondCorp Enterprise has two key goals:
- Threat and data protection secures enterprise devices by protecting users from exfiltration risks such as copy and paste, extending DLP protections into the browser, and helping to keep malware off enterprise-managed devices.
- Richer access controls protect access to secure systems (applications, virtual machines, APIs, and so on) by using the context of an end-user's request to ensure each request is authenticated, authorized, and as safe as possible.
Benefits to users
BeyondCorp Enterprise presents a security model that gives administrators a stronger security posture and richer policy for both applications and devices, while giving end users a better experience no matter where they access from or what type of device they use:
- For administrators:
- Strengthen security posture to account for dynamic changes in a user's context.
- Shrink the access perimeter to only those resources that an end user should be accessing.
- Enforce a device security posture as a condition of access for employees, contractors, partners, and customers, no matter who manages the devices.
- Extend security standards with per-user session management and multifactor authentication.
- For end users:
- Allow all end users to be productive everywhere without compromising security.
- Allow the right level of access to work applications based on their context.
- Unlock access from personally owned devices based on granular access policies.
- Access internal applications without being throttled by segmented networks.
Common use cases
As end users work outside of the office more often and from many different types of devices, enterprises have common security models they are looking to extend to all users, devices, and applications:
- Allow non-employees to access a single web application deployed on Google Cloud or other cloud services platforms without requiring the use of a VPN.
- Allow non-employees to access data from their personal or mobile devices as long as they meet a minimum security posture.
- Prevent employees from copying and pasting sensitive data into email or saving it to personal storage such as Google Drive.
- Only allow enterprise-managed devices to access certain key systems.
- Provide DLP protections for corporate data.
- Gate access based on a user's location.
- Protect applications in hybrid deployments that use a mix of Google Cloud, other cloud services platforms, or on-premises resources.
Common signals
BeyondCorp Enterprise offers common signals enterprises can take into account when making a policy decision, including:
- User or group information
- Location (IP or geographic region)
- Device
- Enterprise-managed devices
- Personally-owned devices
- Mobile devices
- Third-party device signals from partners in the BeyondCorp Alliance:
- Check Point
- CrowdStrike
- Lookout
- Tanium
- VMware
- Risk scores
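The signals listed above are consumed by an access level that a protected application then requires. As an added example (not code from the original page or from Google's documentation), the following Access Context Manager basic access level combines a corporate IP range, a geographic region, and a device posture into one level; it also covers the use case above of letting only enterprise-managed devices reach key systems. The policy ID, level name, IP range, service name, and group address are placeholders. Partner signals and other attributes outside the basic schema are expressed in custom (CEL-expression) levels instead, which are not shown here.

```yaml
# corp_managed_us.yaml (constructed example; placeholders throughout)
# A basic level is a list of conditions; every field inside one condition
# must hold (AND). Device fields are only populated when Endpoint
# Verification runs on the device, so a device that reports nothing fails
# the devicePolicy check: the level fails closed for unmanaged devices.
- ipSubnetworks:
  - 203.0.113.0/24           # placeholder corporate egress range
  regions:
  - US                       # ISO 3166-1 alpha-2 country code
  devicePolicy:
    requireCorpOwned: true   # enterprise-managed devices only
    requireScreenlock: true
    allowedEncryptionStatuses:
    - ENCRYPTED
    osConstraints:
    - osType: DESKTOP_MAC
      minimumVersion: 10.15.0
    - osType: DESKTOP_WINDOWS
      minimumVersion: 10.0.0

# Create the level in the organization's access policy (POLICY_ID is the
# numeric access policy ID):
#   gcloud access-context-manager levels create corp_managed_us \
#     --policy=POLICY_ID \
#     --title="Corp-managed device from US" \
#     --basic-level-spec=corp_managed_us.yaml
```

To require the level on an IAP-protected backend service, bind the user or group to the IAP role with an IAM condition on the access level, for example `gcloud iap web add-iam-policy-binding --resource-type=backend-services --service=SERVICE_NAME --member=group:engineering@example.com --role=roles/iap.httpsResourceAccessor --condition='expression="accessPolicies/POLICY_ID/accessLevels/corp_managed_us" in request.auth.access_levels,title=corp_managed_us'`. The identity check (who) comes from the binding's member; the context check (from where, on what device) comes from the condition, so a valid user on an unmanaged device or from outside the listed range is denied.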
How to get BeyondCorp Enterprise
Complete this form to get more information about upgrading to BeyondCorp Enterprise.
BeyondCorp Enterprise compared with Google Cloud
Google Cloud includes, as baseline features, basic protections focused on securing applications with authentication and authorization. BeyondCorp Enterprise adds enterprise security features on top of them, extending those protections to applications and data running anywhere, with end-user protections and rich access policy controls.
The following tables show the differences between the baseline features available to Google Cloud customers and what is available with BeyondCorp Enterprise:

Application and VM access | Baseline features | Paid features
---|---|---
Application and VM protection with identity | Yes | Yes
Application and VM protection with IP and location rules | Yes | Yes
Default error messages and login flows | Yes | Yes
Capture device status (Endpoint Verification) | Yes | Yes
Application running on-premises or on other cloud services platforms | | Yes
Applications deployed behind internal HTTP load balancing | | Yes
Application and VM protection with device attributes and identity | | Yes
Automatic SSO redirect and custom error messages | | Yes

Advanced policy settings | Baseline features | Paid features
---|---|---
IP and location rules | Yes | Yes
Device-based rules | | Yes
Custom rules | | Yes
Partner signals in access policy | | Yes

Platform features | Baseline features | Paid features
---|---|---
Restrict access to the Google Cloud Console and the Google Cloud APIs by organization users based on IP or location | Yes | Yes
Logging (via Cloud Logging) | Yes | Yes
Restrict access to the Cloud Console and the Google Cloud APIs by organization users based on device attributes | | Yes

Threat and data protection | Baseline features | Paid features
---|---|---
Phishing, malware, and data loss protection | | Yes
What's next
- Learn more about access protection controls
- Learn more about threat and data protections