4. SACON 2017
Need a different approach – Google BeyondCorp Principles
• Connecting from a particular network must not determine your trust
level
• Access to service is granted based on what we know about you and
your device
• All access to services must be Authenticated, Authorized and
Encrypted
• Zero-Trust Model
6. SACON 2017
• Methodology for Building Security Architecture:
• Business-driven
• Risk and opportunity focused
• Includes security service management
• Comprised of a number of integrated frameworks, models, methods
and processes
BeyondCorp Architecture contd.
8. SACON 2017
BeyondCorp Architecture Contd.
SECURIT
BeyondCorp: Design to Deployment at Goog
Components of BeyondCorp
Using the components described below, BeyondCorp integrated
so they don’t need to access more sensitive services like billin
systems.
Figure 1: Architecture of the BeyondCorp Infrastructure Components
9. SACON 2017
Components of BeyondCorp
• Device and Hosts
• Device: collection of physical and virtual components that acts as computer. Example: PC, Servers, VMs
• Host: snapshot of a device state at a given point of time. Example: device might be a mobile phone,
while a host would be specifics of operating system and software running on the device
• Device Inventory Service
• Contains information on devices, hosts, and their trust decisions
• Continuously updated pipeline that imports data from a broad range of sources
• System management source: Active Directory, Puppet, Simian
• On-device agents, CMS, Corporate Asset Management
• Out-of-band data source: vulnerability scanners, Certificate Authorities, Network Infrastructure Elements (e.g. ARP tables)
• Full or incremental data set
• Google’s Scale: initial phases ingested billions of deltas from 15+ data sources at 3 million data per day totaling to 80
Terabytes
• Retaining historical data allowed Google to understand end-to-end lifecycle of a device, track and analyze trends, perform
security audits and forensic analysis
10. SACON 2017
Components of BeyondCorp
• Tiered Access
• Trust levels are organized into tiers and assigned to each device by the Trust Inferer
• Each resource is associated with minimum trust tier required for access
• To get access, each device’s trust tier assignment must be >= resource’s trust tier
• Trust Inferer also supports network segmentation effort by dynamically assigning VLAN based
on device state
• Example: a device without adequate OS patch level becomes untrustworthy and hence assigned to a
quarantine network
12. SACON 2017
Types of Data
• Observed Data
• The last time security scan was performed on the device and the result of the scan
• The last-synced policies and timestamp from Active Directory
• OS version and Patch Level
• Installed Software
• Prescribed Data
• Manually maintained by IT Operations
• Assigned Owner of Device
• User and Groups allowed to access a device
• DNS and DHCP Assignment
• Explicit access to a particular VLAN
13. SACON 2017
Data Processing Flow BeyondCorp: Design
that must be expended at acce
allows us to be confident that
are using a consistent data se
even for inactive devices at th
we denied access for any devi
Stagefright [2] before such de
request. Precomputation also
framework in which we can w
changes and canary small-pe
Trust Inferer without impact
Of course, precomputation al
relied on completely. For exam
real-time two-factor authenti
from known-malicious netblo
surprisingly, latency between
and the ability of gateways to
problematic. Our update laten
The fact that not all informat
more substantial concern.
Figure 3: The data processing pipeline
Transform into common
data format
Correlation
Exceptions
15. SACON 2017
Correlation
• Device data coming from distinct data sources must be reconciled into unique
device specific records
• Complex: many data sources do not have overlapping identifiers
• Example: Asset management system stores device serial number but a disk
encryption escrow service stores had disk serial number, CA stores X.509 certificate
fingerprint, ARP database stores MAC id
• Challenge is: What exactly constitutes a device?
• What happens when a mother board is changed, Cases replaced, NIC replaced or
even swapped between devices?
16. SACON 2017
Trust Evaluation
• Trust Inferer is notified to trigger re-evaluation once incoming records are merged
• References a variety of fields and aggregates the results in order to assign trust
tier
• Trust Inferer refers dozens of both platform-specific and platform-agnostics fields
across various data sources
• Example: to qualify for a higher trust level, we might require a device must meet
all of the following requirements:
• Be encrypted
• Successfully execute all management and configuration agents
• Install the most recent OS security patch
• Have a consistent state of data from all inputs
• Pre-computation reduces the amount of data , allows to enforcement gateways
to work on consistent data set
• Allows to change trust for inactive devices
• Might be problematic for real-time 2FA or restricting access originating from known malicious
net-block
17. SACON 2017
Exceptions
• Trust Evaluation considers pre-defined exceptions
• Exceptions are aimed at reducing delay in deploying policy changes or new
policies
• Example
• Block a device that’s vulnerable to zero-day exploit even before security scanners have been
updated
• Permit untrusted devices to connect to lab network
• Permit IoT devices since installing certificate in them may be infeasible
18. SACON 2017
Deployment
• Initial Phase
• Objective was to reduce user friction
• Subset of Gateways integrated with an interim meta-inventory service
• A small number of data sources with prescribed data
• Mirror IP based perimeter security model
• Apply new policies to untrusted device only
• Access enforcement for trusted device remain unchanged
• The strategy would allow to safely deploy various components of BeyondCorp before it was fully
complete and polished
• In parallel, scale up meta inventory solution
• As the meta-inventory model matures, gradually replace IP based policies with trust tier
assignments
• Once workflow is verified for lower-trust tier devices, apply fine-grained restrictions to
higher trust-tiered devices and enterprise resources
• Given the complexities of identifying a device, use X.509 as persistence device identifier
• If certificate changes, device is considered different
• If certificate is installed on a different device, the correlation logic notice collision and mismatch of
other device information and degrades trust tier
19. SACON 2017
Mobile
• Almost all communication from Mobile App is over HTTP
• Easier to deploy tiered trust model
• Mobile devices use certificates
• Cryptographically secured communications
• Native Apps subjected to same authorization enforcement as web browser
• API end-points of services reside behind proxies integrated with Access Control Engine
20. SACON 2017
Legacy and 3rd Party Systems
• Use multiple protocols
• Tunnel arbitrary TCP and UDP traffic via SSH tunnel and SSL/TLS
proxies
• Gateways only allow tunneled traffic that conforms with policies of of
Access Control Engine
• RADIUS is integrated with device inventory
• Assigns VLAN dynamically via setting appropriate IETF Headers
• Use IEEE 802.1x authentication using X.509 certificate as artifact
21. SACON 2017
Challenges
• Correlation accuracy depends on the data quality
• Data set is sparse
• Reasonably small set of heuristics can correlate majority of deltas from a subset of data
source
• But to have accuracy close to 100% requires extremely complex sets of heuristics to cater to
seemingly endless list of corner cases
• A tiny fraction of devices can potentially lock majority of the employees to be productive
• Mitigation: monitor traffic and take manual action where necessary
• Latency introduced by Device Inventory Service
• Corporate Communication
• Disaster Recovery
• BeyondCorp is complex
• Failure can be catastrophic – may prevent support staff to access the system to recover
• Must have a direct access route to the infrastructure for an extremely small set of staff who
would be able to bootstrap the system from last-known-good-state