As enterprise applications migrate into borderless hybrid cloud environments, it is clear that we need different security controls. Massive data breaches in the last few years at Yahoo or JPMorgan Chase, have demonstrated that the current perimeter security model does not provide adequate security controls. These breaches could have been prevented had the organizations applied BeyondCorp or Zero Trust security principals.
In the days before the cloud, a firewall could be set up, and with some reasonable degree of certainty, assume users inside it had permission to be there. Malware and hackers changed that, and hence Zero Trust and BeyondCorp were developed to help provide a more modern security posture for hybrid cloud infrastructures. The new security paradigm is about more than protecting business applications ⎯it is about making sure that the entire system, from containers and virtual machines to APIs, are all similarly protected.
BeyondCorp, developed at Google, arose from an internal initiative to get rid of Google’s traditional perimeter VPNs and privileged networks after the Aurora attacks of 2009. BeyondCorp promotes three core principles:
- A particular network connection must not determine which services a user can access.
- Access to services is granted based on what we know (or context) about a user and the device.
- All user access to services must be authenticated, authorized, and encrypted.
On the other hand, Zero Trust Security, developed by Forrester, promotes replacing open network designs with one focused on network segmentation and the elimination of “chewy centers.” Zero Trust, as the name implies, means not trusting anyone interacting on the network, so it recommends segmenting the network into micro-perimeters and granularly restricts access based on the sensitivity of the systems and data within the micro-perimeter. Zero Trust recommendations include:
- Ensure that all resources are accessed securely regardless of location.
- Adopt a least-privileged strategy and strictly enforce access control.
- Continuously monitor the ecosystem.
Both of these modern security concepts mostly say the same thing. BeyondCorp seeks to replace the VPN while Zero Trust pushes for stronger network segmentation with next-generation firewalls. In essence:
- Do not rely on location and perimeter for security
- Enforce granular access controls based on context
- Continuously monitor and adapt the security policies
ASG can help you with a security audit, pen test or security assessment profiles. Contact us for details.