When we think of corporate security, we normally tend to think about firewalls and other tools as the means to protect the network. It seems, however, that for every person working to ensure that the firewalls hold back threats, there are at least two hackers who have already figured out how to get through.
This is evident from the fact that over the past year and a half many retail chains and financial institutions have been hacked, with the latest attack hitting Sony. The problem with a perimeter security model, such as a firewall, is that by the time the hole has been discovered, the hacker has already been able to access a great deal of information.
We live in an age where everyone is always connected to everything and employees work from wherever they happen to be at the time. That means accessing the enterprise network from a smartphone, tablet, laptop or cafe terminal. While the perimeter model is supposed to authenticate user access, cloud and mobile technology is making it more difficult to enforce.
That is why Google is trying a new approach to the problem of network security. As Google describes it, the company is essentially removing the requirement for a privileged intranet and moving all of its corporate applications to the Internet. Google’s BeyondCorp initiative is moving to a new model that eliminates the privileged corporate network. In this model, access will depend solely on device and user credentials.
This means that an employee can work from any location, such as a home network or a hotel. All access to enterprise resources is fully authenticated, fully authorized and fully encrypted based upon device state and user credentials. It is described as being able to enforce fine-grained access to different parts of enterprise resources.
This approach means that companies will have to purchase, as well as actively manage, all devices. Following this model, several databases will need to be created, such as a device inventory database necessary to keep track of all devices issued to employees. I wonder what effect this will have on the idea of bringing your own device (BYOD) to work. Will companies add these devices to the database, or will they no longer be allowed?
Google’s BeyondCorp initiative is a two-step process. Once the device has been authenticated, the user also needs to be identified. That, of course, requires another database that includes users, groups and any other configuration that would identify a user. In this way, rather than simply having a user ID and password, both device and user need to be registered and maintained in these databases.
The databases will need constant monitoring. As employees move from one division or group to another, enter and leave the company, or use a different device, the information will need to be updated in the database immediately, or the employee will not have access to the information and applications that they need.
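The two-step decision described above, as an added illustration that is not Google's code or data: a device inventory and a user/group directory are consulted before a per-resource policy, and the network the request arrives from plays no part. The device, user, group and resource names, and the device-state fields checked, are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the device inventory and the
# user/group database the article describes (hypothetical names throughout).
DEVICE_INVENTORY = {
    "laptop-0042": {"owner": "alice", "managed": True, "disk_encrypted": True, "patched": True},
    "tablet-0107": {"owner": "bob", "managed": True, "disk_encrypted": True, "patched": False},
    "phone-0311": {"owner": "carol", "managed": True, "disk_encrypted": True, "patched": True},
}
USER_DIRECTORY = {
    "alice": {"active": True, "groups": {"engineering", "payroll-readers"}},
    "bob": {"active": True, "groups": {"engineering"}},
    "carol": {"active": False, "groups": {"payroll-readers"}},  # has left the company
}
# Fine-grained policy: each resource names the group allowed to reach it and the
# minimum device state it requires. Anything not listed is denied by default.
POLICY = {
    "wiki": {"group": "engineering", "require_patched": False},
    "payroll": {"group": "payroll-readers", "require_patched": True},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorize(device_id: str, user: str, resource: str) -> Decision:
    """Device first, then user, then resource policy; no network-location input."""
    device = DEVICE_INVENTORY.get(device_id)
    if device is None or not device["managed"]:
        return Decision(False, "device not in inventory")          # e.g. a cafe terminal
    if not device["disk_encrypted"]:
        return Decision(False, "device state: disk not encrypted")
    if device["owner"] != user:
        return Decision(False, "device not issued to this user")
    account = USER_DIRECTORY.get(user)
    if account is None or not account["active"]:
        return Decision(False, "user unknown or deactivated")     # stale directory entry
    rule = POLICY.get(resource)
    if rule is None:
        return Decision(False, "resource has no policy; default deny")
    if rule["group"] not in account["groups"]:
        return Decision(False, f"user not in group {rule['group']}")
    if rule["require_patched"] and not device["patched"]:
        return Decision(False, "device state: unpatched device may not reach this resource")
    return Decision(True, "device and user verified; policy satisfied")
```

The deactivated-user and unknown-device cases show why the article stresses that both databases must be kept current: a stale entry turns directly into a wrong allow or deny.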
With this new zero trust network model, Google ends up treating its own networks just as it does the Internet: it holds that you cannot trust the Internet, only the devices that you can secure and that only you are authorized to access. Google will now be applying that mentality to its own network.
How will this model affect the global enterprise firewall market? It was mentioned last year that this market was forecast to grow over the next couple of years. Several companies, including Coca-Cola and Verizon, are also experimenting with a BeyondCorp-type model of authenticating first the device and then the user.