What if all your company’s computers and applications were connected directly to the Internet? That was the assumption behind BeyondCorp, a new model for network security that Google proposed back in 2014, and it’s one that’s starting to get some attention from networking and security vendors.
Enterprises have moved beyond the traditional workspace in recent years, allowing employees to work remotely by using their personal devices and accessing apps in private or public clouds. To bring roaming workers back into the fold, under the security blanket of their local networks, companies rely on VPNs and endpoint software to enforce network access controls.
Google's BeyondCorp approach to enterprise security takes the focus away from the network perimeter and puts it on devices and users. It doesn't assign higher or lower levels of trust to devices based on whether they're inside the internal network or not.
Some security vendors have already started to embrace this no-trust-by-default security model. Duo Security, a two-factor authentication provider, launched its own BeyondCorp-inspired offering last week, and enterprise software startup ScaleFT has offered a dynamic access management service based on the same principles for a while.
Even networking and security appliance manufacturers like Cisco Systems have begun moving what were traditionally perimeter security gateways into the cloud to better serve roaming employees.
Duo Security's new Duo Beyond service consists of a software package that serves as an authentication gateway for all of a company's web-based applications, whether they're hosted inside the local network or in the cloud. It can be deployed in the company network's demilitarized zone (DMZ) and provides a single sign-on service that enforces device and user-based access policies.
Duo Beyond assumes a zero-trust environment for all devices by default, regardless of whether they're connecting from within the enterprise network or from the outside. That said, it does provide administrators with the ability to differentiate between corporate devices and personal devices by deploying Duo certificates to those that are managed by the company.
This device identification process has several benefits. It allows for the easy discovery of new devices that are used to access corporate applications, which helps companies create and maintain accurate inventories that include employees' personal devices. It also allows restricting access to certain applications or accounts to company-managed devices where a certain degree of security can be guaranteed.
The service can also check the security state of a connecting device by looking at whether it's running the latest OS and browser version, whether the browser plug-ins are up to date and, in the case of mobile devices, whether encryption and passcode enforcement are turned on. This allows administrators to create fine-grained access rules based on device "health" and ensure that only reasonably secure devices can access company applications, even if those devices are owned and managed by the employees themselves.
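As an added illustration, not Duo's code or its actual policy defaults, the Python below sketches how a zero-trust gateway can combine the checks described above: a pushed device certificate marks managed devices, posture checks cover OS and browser versions, plug-in currency and mobile encryption/passcode, and the access decision never takes network location as an input. The version thresholds, field names and device records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed baseline an administrator might configure (assumed values, not Duo's).
MIN_OS = {"macOS": (10, 12), "Windows": (10, 0), "iOS": (10, 0), "Android": (7, 0)}
MIN_BROWSER = {"Chrome": 56, "Firefox": 51, "Safari": 10}
MOBILE_OS = {"iOS", "Android"}


@dataclass
class Device:
    os: str
    os_version: tuple                 # e.g. (10, 12); compared as a tuple
    browser: Optional[str] = None     # None for mobile apps without a browser
    browser_version: int = 0
    plugins_current: bool = True
    managed_cert: bool = False        # certificate pushed only to company-managed devices
    encrypted: bool = True            # checked for mobile devices only
    passcode: bool = True             # checked for mobile devices only


def health_issues(d: Device) -> List[str]:
    """Return every posture check the device fails; an empty list means healthy."""
    issues = []
    min_os = MIN_OS.get(d.os)
    if min_os is None or d.os_version < min_os:
        issues.append("os_unsupported_or_outdated")
    if d.browser is not None:
        if d.browser_version < MIN_BROWSER.get(d.browser, 10**9):
            issues.append("browser_outdated")
        if not d.plugins_current:
            issues.append("plugins_outdated")
    if d.os in MOBILE_OS and not (d.encrypted and d.passcode):
        issues.append("mobile_not_locked_down")
    return issues


def decide(user_authenticated: bool, device: Device,
           app_requires_managed: bool) -> Tuple[str, List[str]]:
    """Zero-trust decision: inside/outside the corporate network is never consulted."""
    if not user_authenticated:
        return "deny", ["user_not_authenticated"]
    issues = health_issues(device)
    if app_requires_managed and not device.managed_cert:
        issues.append("unmanaged_device")   # BYOD allowed only for apps that permit it
    return ("allow", []) if not issues else ("deny", issues)


if __name__ == "__main__":
    laptop = Device("macOS", (10, 12), "Chrome", 56, managed_cert=True)
    phone = Device("iOS", (10, 0), passcode=False)      # personal phone, no passcode
    print(decide(True, laptop, app_requires_managed=True))   # ('allow', [])
    print(decide(True, phone, app_requires_managed=False))   # ('deny', ['mobile_not_locked_down'])
```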