Google warns of the death of the firewall

13 May 2015

In a new approach to enterprise security, Google is jettisoning the traditional firewall in favour of a model where the data exists in the cloud but can only be accessed by the right devices with the right credentials.

The new cloud-based security strategy makes the assumption that even with firewalls and other perimeter defences, the internal corporate network is as dangerous as the internet itself.

Fine-grained access to enterprise resources like folders and databases will be made possible only through devices that have the right authentication, authorisation and encryption, according to the Wall Street Journal.

As such, Google is prepared to put all of its corporate data onto the internet but will protect it using fine-grained security methods that omit the old firewall defence.

The new approach to security was devised by Dublin-based Googler Rory Ward and Betsy Beyer, a New York-based Googler. Ward is a site reliablity engineering manager at Google in Ireland while Beyer is a technical writer specialising in virtualisation software.

In a paper entitled ‘BeyondCorp’ they describe a new approach to enterprise security.

“Since the early days of IT infrastructure, enterprises have used perimeter security to protect and gate access to internal resources. The perimeter security model is often compared to a medieval castle: a fortress with thick walls, surrounded by a moat, with a heavily-guarded single point of entry and exit. Anything located outside the wall is considered dangerous, while anything located inside the wall is trusted. Anyone who makes it past the drawbridge has ready access to the resources of the castle.”

Google’s new security strategy – mobile rather than static

Google’s BeyondCorp initiative is moving to a new model that dispenses with a privileged corporate network.

Instead, access depends solely on device and user credentials, regardless of a user’s network location—be it an enterprise location, a home network, or a hotel or coffee shop.

All access to enterprise resources is fully authenticated, fully authorised, and fully encrypted based upon device state and user credentials. We can enforce fine-grained access to different parts of enterprise resources.

“As a result, all Google employees can work successfully from any network, and without the need for a traditional VPN connection into the privileged network. The user experience between local and remote access to enterprise resources is effectively identical, apart from potential differences in latency.”

To access enterprise applications Google is building components that securely identify the device via databases and device identity as well as components that securely identify the user via a single sign-on system.

Google will use RADIUS servers that use 802.1x authentication and uses dynamic rather than static VLAN to enable access.

The new authentication and encryption rules will apply to every notebook, smartphone and tablet and will work in such a way that there will be no requirement to set up a VPN to access the enterprise network.

“Like virtually every other enterprise in the world, Google maintained a privileged network for its clients and applications for many years. This paradigm gave rise to significant infrastructure that is critical to the day-to-day workings of the company.

“While all components of the company will migrate to BeyondCorp, moving every network user and every application to the BeyondCorp environment in one fell swoop would be incredibly risky to business continuity.

“For that reason, Google has invested heavily in a phased migration that has successfully moved large groups of network users to BeyondCorp with zero effect on their productivity.”

Mobile device security image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years