A unified and proven Zero Trust system with BeyondCorp and BeyondProd
VP of Infrastructure & Google Fellow
VP, Chief Information Security Officer, Google Cloud
One of the most used buzzwords in cybersecurity today is undoubtedly “Zero Trust.” It’s been used to describe a wide range of approaches and products, leading to a fair bit of confusion about the term itself and to what it actually means. Some attempts to explain or simplify zero trust assert that “zero trust means trust nothing” or “zero trust is about delivering secure access without a VPN.” This conventional wisdom is mostly incorrect and limiting. At the core of a Zero Trust approach is the idea that implicit trust in any single component of a complex, interconnected system can create significant security risks. Instead, trust needs to be established via multiple mechanisms and continuously verified. While end-user access is a domain to which this model can be applied to gain significant security improvements, it can just as readily be applied to domains such as the end-to-end process of running production systems and protecting workloads on cloud-native infrastructure.
Google has applied a zero trust approach to most aspects of our operations. Early on in our security journey, we understood that despite our best efforts, user credentials would periodically fall into the hands of malicious actors. We needed additional layers of defense against unauthorized access that would not impede user productivity. This is why we implemented a successful Zero Trust access approach over a decade ago with our BeyondCorp framework, shared our use case with the world, and delivered BeyondCorp Enterprise, a productized version which includes integrated threat and data protection so that any organization can implement similar capabilities for their own applications.
Just as a user's credentials can be captured by bad actors, software that interacts with the larger world needs protection on many levels, so we also applied a Zero Trust approach to how we operate our production environment, encompassing the way software is conceived, produced, managed, and interacts with other software. Hence the name for our internal method for Zero Trust production, "BeyondProd."
Zero Trust prod with BeyondProd
In 2019, Google published a whitepaper on our BeyondProd model to explain how we protect our cloud-native architecture and to help organizations learn to apply the security principles that we established internally.
We developed and optimized for the following security principles:
Protection of network at the edge, so that workloads are isolated from network attacks and unauthorized traffic from the Internet.
No inherent mutual trust between services, so that only known, trusted, and specifically authorized callers can utilize a service. This stops attackers from using untrusted code to access a service. If a service does get compromised, it prevents the attacker from performing actions that allow them to expand their reach. This mutual distrust helps to limit the blast radius of a compromise.
Trusted machines — designed with Titan to be secure from boot on up — running code with known provenance, so that service identities are constrained to use only authorized code and configurations, and run only in authorized, verified environments.
Choke points for consistent policy enforcement across services. For example, a choke point to verify requests for access to user data, such that a service’s access is derived from a validated request from an authorized end user, and an administrator’s access requires business justification.
Simple, automated, and standardized change rollout, so that infrastructure changes can be easily reviewed for their impact on security, and security patches can be rolled out with little impact on production.
Isolation between workloads sharing an operating system, so that if a service is compromised, it can’t affect the security of another workload running on the same host. This limits the "blast radius" of a potential compromise.
BeyondCorp was a response to a change in the way the modern corporate user works. Today, users commonly operate outside an organization's traditional security perimeter such as from a coffee shop, from an airplane, or anywhere in between. In BeyondCorp, we dispensed with the idea of a privileged corporate network and authorized access based solely on device and user credentials and attributes regardless of a user’s network location.
BeyondProd takes a similar zero trust approach to protecting services. In the same way that users aren't all using the same physical location or device, developers are not all deploying code to the same environment. With BeyondProd, microservices may be running not only within a firewalled data center, but in public clouds, private clouds, or third-party hosted services, and they need to be secure everywhere.
Just like users move, use different devices, and connect from different locations; microservices also move and are deployed in different environments, across heterogeneous hosts. Where BeyondCorp states that "user trust should be dependent on characteristics like the context-aware state of devices and not the ability to connect to the corp network", BeyondProd states that "service trust should be dependent on characteristics like code provenance and service identity, not the location in the production network, such as IP or hostname identity".
Applying BeyondProd principles to your cloud-native architecture
For many years after we created BeyondProd, the scale of complexity at Google seemed relatively unique. Slowly this has changed, as online services, apps, and cloud computing continue to take hold.
As the kind of production challenges we'd solved arose for others, we've offered the tools and techniques of BeyondProd to customers of Google Cloud. Many of the capabilities of BeyondProd are embedded in Anthos, Google Cloud’s managed application platform, in features like Binary Authorization and Anthos Service Mesh.
By applying the security principles in the BeyondProd model to your own cloud-native infrastructure, you can benefit from our experience to strengthen the deployment of your workloads, including how your communications are secured and how they affect other workloads.
If you are looking to apply the principles of BeyondProd in your own environment, there are many components through Anthos, Google Kubernetes Engine (GKE) and open source that you can leverage to achieve a similar architecture:
- Envoy or Traffic Director, for managing TLS termination and policies for incoming traffic;
- Anthos Service Mesh for a zero-trust security model toolset to automatically and declaratively secure services and their communication;
- Mutual TLS, as part of ASM or Istio for RPC authentication, integrity, encryption, and service identities;
- Anthos Identity Services to support identity federation across environments;
- Binary Authorization for deploy-time enforcement checks such as code provenance;
- Anthos Config Management Policy Controller, to enforce programmable policies for clusters and prevent configuration changes from violating security, operational, or compliance controls;
- Shielded GKE Nodes, for secure boot and integrity verification; and
- gVisor or GKE Sandbox, for workload isolation.
Extending Zero Trust approaches to the software ecosystem
With BeyondCorp we secured who has access to which resources. With BeyondProd we extended this to service to service access. With the SLSA framework we extend this to the software ecosystem.
Software deployed in production often incorporates artifacts from many different sources.
The global software supply chain has organically evolved into a dauntingly complex combination of code, binaries, networked APIs and their config files. How do we extend Zero Trust to this software layer? Internally at Google we have developed and implemented strong, proven mechanisms for our own internal development and deployment workflows like Binary Authorization for Borg. We want to extend this approach to the broader industry efforts to further the adoption of supply chain integrity best practices. In collaboration with the OpenSSF, we have proposed Supply-chain Levels for Software Artifacts (SLSA) to formalize criteria around software supply chain integrity.
We see BeyondCorp and BeyondProd as a unified zero trust system applicable to much of the industry today and as frameworks to protect against common security threats like credential theft and software supply chain attacks. We continue to participate in a number of forums, industry groups, and educational endeavors to improve the state of security rooted in zero trust access and prod principles.
It's critical that we update the tools and methods to fit our digital age versus a time when people thought in terms of firewalls, perimeters, and isolation in order to empower the millions of engineers around the globe to build natively and securely in the cloud.
The solution to implementing a successful Zero Trust environment within your organization, we believe, can benefit from drawing on the years of proven experience from Google, our partners, and third parties in software security. Software production and user access design principles that are created with security from the start can help your cloud-native architecture stay strong and resilient both today and in the challenges yet to come.
*This post was updated with our latest guidance for Mutual TLS to use the Isitio or ASM services