Google is overhauling its security architecture, moving from traditional infrastructure to a more open model where all network traffic is treated with suspicion.
The BeyondCorp project shifts the company from a perimeter security model to one where access to services and tools are not gated according to a user's physical location or originating network, but instead deploys access policies based on information about a device, its state and associated user.
The model is similar to the approach being pursued by the Met Office, which analyses traffic and responds accordingly, rather than shutting out users based on rigid policies implemented at the firewall.
The architecture was disclosed in a detailed article published on Usenix (PDF). "BeyondCorp considers internal and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or 'tiers', of access," said the Google engineers behind BeyondCorp.
Access requirements are organised into "trust tiers" representing levels of sensitivity and resources categorised. Each resource is associated with a minimum trust tier required for access, according to Google.
"The 'Trust Inferer' is a system that continuously analyses and annotates device state. The system sets the maximum trust tier accessible by the device, and assigns the VLAN [virtual LAN] to be used by the device on the corporate network. This data is recorded in the Device Inventory Service. Re-evaluations are triggered by state changes or by a failure to receive updates from a device," the article said.
The Access Control Engine provides a central policy enforcement service referenced by each gateway on the network, which provides access control decisions (yes or no) based on the access policies, output from the Trust Inferer, the resources requested and the real-time credentials of the user making the request.
The Device Inventory Service is the heart of Google's security architecture. It continuously collects, processes and logs changes about the state of known devices, to which other elements of the security system can refer.
"Resources are accessed via gateways, such as SSH servers, web proxies or 802.1x-enabled networks. Gateways perform authorisation actions, such as enforcing a minimum trust tier or assigning a VLAN," the engineers said.
The model means that even Google-owned and identified devices are not entirely trusted. "A laptop that's centrally managed by the company but that hasn't been connected to a network for some period of time may be out of date," said the article.
"If the operating system is missing some non-critical patches, trust can be downgraded to an intermediate tier, allowing access to some business applications but denying access to others.
"If a device is missing a critical security patch, or its antivirus software reports an infection, it may only be allowed to contact remediation services. On the furthest end of the spectrum, a known lost or stolen device can be denied access to all corporate resources."
Such a security architecture requires the management of huge volumes of data, as well as its automated, real-time processing.
"Since implementing the initial phases of the Device Inventory Service, we've ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totalling over 80TB," said the authors.
"Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a given device, track and analyse fleet-wide trends, and perform security audits and forensic investigations."
The paper was authored by engineering managers Barclay Osborn and Justin McWilliams, technical writer Betsy Beyer and programme manager Max Saltonstall.
Kicking Palantir off of AWS is among their demands, too
Rafaela Vasquez was watching The Voice at the time of the crash, new evidence shows
PUBG price slashed on Steam after selling more than 50 million copies - as daily player numbers plunge
Use the same password for every website? It might be time to change them all