
How Wayfair uses BeyondCorp Enterprise with Microsoft Intune to build a Zero Trust environment

July 28, 2023
Prashant Jain

Product Manager, Google Cloud Security

Cristian Rodriguez

Security Engineer, Wayfair

A Zero Trust approach to security can help you safeguard your users, devices, apps and data. Using Google Cloud’s BeyondCorp Enterprise, organizations can enforce strict, context-aware access controls, with authentication and authorization, for a variety of devices in any location to help strengthen their security posture.

The ability to craft rich, contextual access policies depends on the availability of signals about users, their devices, and their current access context, such as location. We designed BeyondCorp Enterprise to be an extensible solution where customers can integrate and incorporate signals from their other technology vendors into their own Zero Trust access policies. 

One of our customers, Wayfair, used BeyondCorp Enterprise with Microsoft Intune integration to scale their Zero Trust implementation. Let’s look at how Wayfair implemented this.

The benefits of Intune integration

Because of its agentless, browser-based approach, BeyondCorp Enterprise can extend threat and data protection, along with context-aware access controls, across devices. This allowed Wayfair to increase control over bring-your-own-device and third-party contractor connections to Wayfair servers.

Microsoft Intune is an endpoint management solution. By integrating Intune with BeyondCorp Enterprise, organizations can craft Zero Trust access policies across Intune-managed end-user devices, no matter where they are located, to better protect their private and SaaS applications. The ability to leverage device information to make access decisions is a critical component of a Zero Trust approach, and BeyondCorp Enterprise provides Wayfair with native device information from Chrome and from multiple BeyondCorp Alliance (BCA) partners in their security stack, including Intune.

How the Microsoft Intune integration works

The BeyondCorp Alliance Connector collects data from Intune using the Graph API and sends it to the BeyondCorp Enterprise (BCE) Access Context Manager, where admins can use it in context-aware policies to gate access to resources. This allows customers to enforce the policy in a consistent fashion across BCE and Google Workspace. The integration with BCE alleviates the need to create and manage custom code, and helps make onboarding easy and performant while supporting scalable access to resources.

[Figure: Data and signal flow for integrating Microsoft Intune with BCE]

Wayfair’s implementation

Wayfair wanted to ensure that any device accessing sensitive apps met a certain predefined security posture. The device posture information relevant to their organization is available in BCE, including all the relevant device metadata from Intune as well as from other BCA partners. As a result of the integration, Wayfair was able to quickly and easily configure and enforce a policy that devices must be company-owned and in compliance to access specific applications.

With the policy in place, Wayfair is able to reduce the risk of unauthorized access or data exfiltration. They not only have deep visibility into managed and unmanaged devices accessing applications, but also strict enforcement of security controls for access. For example, only corporate devices with disk encryption turned on have access to critical apps.

The integration has also bolstered Wayfair’s security measures. By centralizing device posture information in BCE from multiple security and management systems, Wayfair can implement consistent access policies and proactively address devices that fall out of compliance. 

Previously, Wayfair needed to set up a custom integration and manage both its code and the infrastructure where that code was running. BCE’s turnkey Intune integration alleviates the need to create custom code. Wayfair also told Google that the integration reduced the time it took to onboard new devices and build policies.

More importantly, the process of setting up integrations is the same for a new BeyondCorp Alliance partner. This means that if Wayfair wants to integrate new signals (e.g., EDR signals) that will allow them to create even more granular access policies, their team will not be burdened with a new process.

Implementation best practices

Implementing Intune for your BCE deployment is a straightforward process. To further ease the experience, Wayfair recommends working with application owners to review the list of available signals and to design access policies for their apps based on those signals. With this information and shared understanding, the implementation process can be completed swiftly.

To ensure the data is being populated for all Intune devices, Wayfair strongly recommends a 24-hour waiting period before applying access policies that use Intune signals to the entire organization.

One of the significant advantages of the Intune integration is its seamless nature, which allows data to be pulled before any policies are enforced. This facilitates policy creation and testing, minimizing production deployment issues.

Next steps

If you’d like to learn more, visit our BeyondCorp Enterprise webpage. You can also follow the steps for integrating Microsoft Intune with BeyondCorp Enterprise here.
