BeyondCorp Enterprise overview

Today's enterprises are moving to a security model in which secured networks alone aren't enough. A modern approach is required to protect a company's most secure assets while allowing employees to be productive under the right circumstances.

BeyondCorp Enterprise is Google's tooling for organizations that want to adopt this approach. By tying together a user's information with device and location context, an enterprise can make rich access decisions and enforce security policy.

[Figure: BeyondCorp Enterprise flow]

BeyondCorp Enterprise has two key goals:

  • Threat and data protection brings security to your enterprise devices by working to protect users from exfiltration risks such as copy and paste, extending DLP protections into the browser, and helping to prevent malware from getting onto enterprise-managed devices.
  • Richer access controls protect access to secure systems (applications, virtual machines, APIs, and so on) by using the context of an end-user's request to ensure each request is authenticated, authorized, and as safe as possible.

Benefits to users

BeyondCorp Enterprise presents a security model that allows a stronger security posture and policy for both applications and devices, while giving end users a better experience no matter where they connect from or what type of device they use:

  • For administrators:
    • Strengthen security posture to account for dynamic changes in a user's context.
    • Shrink the access perimeter to only those resources that an end user should be accessing.
    • Enforce device security postures for employees, contractors, partners, and customers for access, no matter who manages the devices.
    • Extend security standards with per-user session management and multifactor authentication.
  • For end users:
    • Allow all end users to be productive everywhere without compromising security.
    • Allow the right level of access to work applications based on their context.
    • Unlock access to personally-owned devices based on granular access policies.
    • Access internal applications without being throttled by segmented networks.

Common use cases

As end users work outside of the office more often and from many different types of devices, enterprises have common security models they are looking to extend to all users, devices, and applications:

  • Allow non-employees to access a single web application deployed on Google Cloud or other cloud services platforms without requiring the use of a VPN.
  • Allow non-employees to access data from their personal or mobile devices as long as they meet a minimum security posture.
  • Ensure employees are prevented from copying and pasting sensitive data into email or saving data into personal storage such as Google Drive.
  • Only allow enterprise-managed devices to access certain key systems.
  • Provide DLP protections for corporate data.
  • Gate access based on a user's location.
  • Protect applications in hybrid deployments that use a mix of Google Cloud, other cloud services platforms, or on-premises resources.

Common signals

BeyondCorp Enterprise offers common signals enterprises can take into account when making a policy decision, including:

  • User or group information
  • Location (IP or geographic region)
  • Device
    • Enterprise-managed devices
    • Personally-owned devices
    • Mobile devices
  • Third-party device signals from partners in the BeyondCorp Alliance:
    • Check Point
    • CrowdStrike
    • Lookout
    • Tanium
    • VMware
  • Risk scores

How to get BeyondCorp Enterprise

Complete this form to get more information about upgrading to BeyondCorp Enterprise.

BeyondCorp Enterprise compared with Google Cloud

The baseline features of Google Cloud include basic protections focused on protecting applications with authentication and authorization. BeyondCorp Enterprise provides enterprise security features in addition to these, extending those protections to applications and data running everywhere, with end-user protections and rich access policy protections.

The following table shows the differences between the baseline features available to Google Cloud customers and what is available with BeyondCorp Enterprise:

| Application and VM access | Baseline features | Paid features |
|---|---|---|
| Application and VM protection with identity | Yes | Yes |
| Application and VM protection with IP and location rules | Yes | Yes |
| Default error messages and login flows | Yes | Yes |
| Capture device status (Endpoint Verification) | Yes | Yes |
| Application running on-premises or on other cloud services platforms | No | Yes |
| Applications deployed behind internal HTTP load balancing | No | Yes |
| Application and VM protection with device attributes and identity | No | Yes |
| Automatic SSO redirect and custom error messages | No | Yes |

| Advanced policy settings | Baseline features | Paid features |
|---|---|---|
| IP and location rules | Yes | Yes |
| Device-based rules | No | Yes |
| Custom rules | No | Yes |
| Partner signals in access policy | No | Yes |

| Platform features | Baseline features | Paid features |
|---|---|---|
| Restrict access to the Google Cloud Console and the Google Cloud APIs by organization users based on IP or location | Yes | Yes |
| Logging (via Cloud Logging) | Yes | Yes |
| Restrict access to the Cloud Console and the Google Cloud APIs by organization users based on device attributes | No | Yes |
| Policy Troubleshooter for BeyondCorp Enterprise (Preview) | No | Yes |

| Threat and data protection | Baseline features | Paid features |
|---|---|---|
| Phishing, malware, and data loss protection | No | Yes |
