
And without further ado, I'd like to introduce you to Jeff and Neal.

Hi guys, my name is Neal. By a show of hands, who here has heard of BeyondCorp? Who here is doing BeyondCorp in their company and is not Netflix? Okay, keep your hands up. That's great, okay, good. So we're here to talk to you about BeyondCorp, which many of you guys have heard of. We're gonna separate our talk into two sections: I'll talk for 10 minutes about what BeyondCorp is, and Jeff, who helped deploy BeyondCorp at Google, will tell you how he did it.

So in 2011 we wrote a research paper called BeyondCorp. This talk in many ways will go into more detail than that paper. We've since written two other papers and have a fourth paper coming out soon that goes into detail about what BeyondCorp is and how we deployed it at Google. It comes as part of a long legacy of taking our internal tools and offering them up to anybody. So if any of you guys have used BigQuery, which is part of GCP, it began its life as Dremel inside of Google. If you've used Kubernetes, which is the number three DevOps tool on GitHub, it began its life as Borg. If you've used TensorFlow, which is relatively new and already number one on GitHub, it's a machine learning framework, it began its life as Brain. If you've used, this one's a little bit different because we didn't really invent it, we just use it a lot within Google, if you've used a security key, then its internal name within Google is Gnubby, and I'll talk a bit more about those in a few minutes. If you've used gRPC, that's Stubby. And we're here to talk to you about BeyondCorp; as Googlers we use it and it's called Überproxy.
Okay, so what is BeyondCorp? Well, I can tell you about what it isn't. What it isn't is what many of you guys are using for enterprise security right now, which is a castle approach: you have a moat, you probably have multiple walls, the baddies are out, the goodies are in, network segmentation, VPNs to get across that moat and through the walls. This is how most enterprise security frameworks are done, and we believe, for a variety of reasons, that it's not something that we could maintain, and so in 2011 we began to follow a different approach.

So what are the issues with this castle approach? Well, there's four main issues. One, you've got mobile workforces, lots of contractors. Google certainly does: we've got 57,000 employees and lots more contractors than that, who shouldn't have access to everything. Also, Googlers shouldn't have access to everything. You've got lots of breaches in the news, you've got cloud services from us and other guys, and you've got a plethora of devices, not just laptops but iPads and smartphones.

Okay, so what is the mission? Well, it's essentially to get rid of VPNs. VPNs are out because network segmentation doesn't work; VPNs are out also because they're really hard for admins to set up. We've estimated that it takes something like five full days to deploy Oracle E-Business Suite using firewalls and site-to-site VPNs if you want Oracle E-Business Suite to be in the cloud, whereas a BeyondCorp approach would take much, much less: much, much fewer firewalls, much fewer load balancer rules, just a lot less work, a lot less opportunity for error. BeyondCorp at Google introduced less error. And so our objective is to have every Google employee work successfully from untrusted networks without the use of a VPN or network segmentation, and have all applications be publicly addressable. That's the really alarming part.

You may have heard of this before; there's other companies that have similar visions. Has anybody heard of the zero trust model? Anybody know what company talks about that a lot? Yep, yep. And also Palo Alto Networks. Software-defined perimeter, anybody heard of that? Who talks about that a lot? Yeah, Cloud Security Alliance, exactly. Cryptzone and Vidder and a couple of other really interesting startups. So yeah, it's a vision that many of us have; it's just a vision that Google happens to call BeyondCorp. What's unique about Google is we really don't have a product in the space. Palo Alto Networks and Cryptzone and Vidder will happily sell you, Duo Security will happily sell you, software in this space. We have three research papers that you're welcome to read, but no software yet.
Okay, so what does this look like in an architecture? Well, I can tell you what it looks like today. So today, unless you guys have moved to the cloud, you probably have ERP systems and CRM systems and your identity all located on-prem, at a colo, or maybe even a wiring closet if you're small, and you've got your employees over there on the left. Now this introduces a couple of small problems. If you have a contractor that you hire, then all of a sudden that contractor has unintended access to the CRM, because you've given them access to the ERP, because once they VPN into your walled castle they all of a sudden have access to everything, including the CRM, if you're running that on-prem.

Now what does it look like if you were to put some workloads up into the cloud, like maybe our cloud or somebody else's cloud? Well, all of a sudden the infrastructure has left the building, and all of a sudden now you need to have site-to-site VPNs for your users to VPN into your prem, and then you need to have another VPN to go from your on-prem into the cloud. So you've got multiple VPNs, load balancer settings and firewall settings on both sides. This introduces a lot of manual labor for those of us in the room here, and for all the end users that are our customers it introduces a lot of burden: they have to log into one, sometimes two, VPNs, it takes a lot of time, up to a minute for each connection, it slows their connections down. It's really not the way that we want to run infrastructure, and it doesn't get rid of the problem.

If you bring the identity into the cloud, for example using Okta or something like that, what problems are there with this? So for one, now all of a sudden that your applications are up there in the cloud, you're even more open to phishing than you were before. Phishing is the number one cause of vulnerabilities; more than 80% of hacks begin with phishing, sometimes higher depending on which vendor you talk to. And the second big problem is malware like Zeus. The applications, the ERP and CRM, have no idea about the user at the other side; they're just opening up a VPN connection and then giving them unbridled access to those applications. The malware can run rampant also, and can act on behalf of that user without the knowledge of the user, like Zeus does. You've got man-in-the-middle attacks, which is Zeus also. We've got no choke point to enforce access control for onboarding or offboarding or anything like that. And then of course you have SQL injection. So these are all risks of putting applications up into the cloud. There's lots of benefits of putting them up into the cloud, but these are the risks.

So what would Google do? Well, this is what we do in the space. So we have security keys, which are a very good form of phishing control. Does anybody use security keys? Okay, cool. So I brought one here. This is what Google uses; mine's really tiny, it's gonna be hard for you guys to see it, it's this. So this confirms a number of things. It confirms that I'm a human, because I touch it. It also confirms, it's harder to phish than a phone number is, because this is harder to take control of than my phone number is. So it's a little better, well, a lot better in some ways, than text messaging as two-factor authentication. That's what we use for device-based authentication. For device management we maintain inventories; Jeff is gonna tell you all about that. The inventories push a certificate to my laptop, which connects this to my laptop, so that Google knows that it's actually me touching that button on this laptop. We TLS everywhere. We have internally something called an access proxy that we haven't made a product; there is a company called Duo Security, I think I saw somebody with a backpack from Duo, they just launched a product last week called Duo Beyond, which is an access proxy in this same kind of vein, you might want to take a look at it. And then on the app side, to prevent SQL injection, cross-site scripting, we've got app security scans available within our cloud; there's other products too. So these are the solutions that Google would use.

What would the ideal world look like in a BeyondCorp world? Jeff's gonna tell you how we do it; this is sort of like theoretically how we think of it, before Jeff built it. So you'd want the ERP application service to be accessed only by finance employees, not by contractors, from well-managed client devices: for example, you've got a device inventory, and you've got this to confirm that it's a human being operating this laptop, not the Zeus botnet, for example, in my home country, so it could figure out what IP address I'm accessing it
from, using strong user authentication, that's the security key, proper transport encryption, TLS, and hardened against application attacks, a security scanner. Okay, so that was a bit about what BeyondCorp can offer for you. I'm just gonna tell you what it offers for Google.

Oh, good to see you, everybody here. Let me get onto the slides here. Basically what he told you, in so many words, is what we discovered: that walls don't work. You can protect yourself with a firewall and all this, you know, inbound security. The problem is that once somebody gets inside, they typically have access to your entire network, and getting inside of it is even easier nowadays with all the mobile devices. That was the point of all these devices: they're coming in on wired, on wireless networks, they've been out to the rest of the world, they've been plugged into some ISP at the airport or at a hotel, and you don't know what they've injected onto their machine. It's hard to trust all these things coming into your previously secure network.

So we're doing a different approach. We're saying let them come in, let the devices onto our network; well, our network could do this, a segmented network. Basically, in the old days we had a client machine network and a server machine network, and the client machines, once you got on there, you could talk to the servers, you could run whatever application you had to run, you could talk to their back end, you could SSH into things, you could run RDP, you could run NFS to pull things off. All those things you could do; we trusted you because you're on our network, you must be a good guy, you can go do it, do your job, make money for the corporation by talking to the back end. The big thing we did here is saying, all right, we'll have a different client network and it can only talk to specified access gateways. So even though you get into the city like this, you can't do a transaction, you can't go take the money out of the bank unless you go to the ATM and prove you have the right to do that. So we don't protect the street and the city; we protect the application and the data.

Now, the keys to this whole BeyondCorp are three. One, we don't use the IP address of where you're coming from to prove anything. It's way too easy to get on the wireless network, it's way too easy for me to walk in and just plug something into your network, you may have a flash drive on your workstation that is actually driving application code. So being on the network is considered nothing at all. Secondly, we do control the access to the services and the data and all the back ends based on what we, the network and the security operations, know about who's asking, about the computer that is asking and about the user that's asking. Knowing about the device is important; that way random people who have stolen credentials, if they don't have, in our case, a Google-managed device, they can't get anywhere. And this is the key to number three: that all the access, each data flow, each connection, each session, each socket setup, must be shown to be authenticated to the user and the device, authorized, you have a reason to get from here to there, and then we make sure all the data are encrypted, so if anybody's watching on the sidelines they can't steal the data from the network or from the Wi-Fi or from the ISP you're going through, wherever it is. We have end-to-end encryption, and you're saying "anybody knows how to do that", but maintaining TLS through credentials, certificates and all these things is tricky, so embedding that in the system and all the tools is kind of critical to the whole thing.

So this is kind of a high-level picture, like some of the components we have here. I'll go into bits and pieces as we go on, but you can see on the left we have lots of different application or user access modes. We have these access proxies, an access proxy coordinated with our single sign-on process, so that
wherever you come from, you have to go get through those. And then we have a universal access control engine that makes all the policy decisions based on device inventory, user inventory and other things like that, and we'll just go into those as we go.

So the first thing is: know your users. Who works for the company? Who has the right to do what? How do you know? Can you get people into your company, into your database? Can you kick them out when they get fired or leave the company or whatever else? Having a complete user inventory, and groups of users who are in, well, you have this job code, therefore you have a right to look at the finance data; if you have this job code you can look at the HR data; and keep those things separate, so each application user flow can be authorized individually, authenticated. And this was tricky; this was development inside Google. Even at Google it's tricky to get all this information coordinated.

On the other side is: know your devices. It's hard for a, you know, out-of-country actor to infiltrate your thing if they must have one of your devices under their control. If they're allowed to use any device on the planet, then, that's just one more barrier. So we have certificate authorities, and we have applications on the workstations; the whole platform teams, the OS teams, coordinate to make sure the certificates are installed and secured. We have secure certificate storage: TPMs, Trusted Platform Modules, or the best we can do on Mac with their keystores and things like that. But we maintain those, and again it's an effort to keep the operational things going, to keep those up to date and rotated correctly and installed correctly, so you can trust in them. Likewise, there's a whole inventory control system, from delivery and provisioning, when you scan the devices in, to know where it is, who's the owner of it, who's the user for it, coordinating user access to device access. So if you see this device come up, and what's Joe Bob doing on this device, that's not his machine, then that's a signal that says perhaps we shall have less trust in this coordination, because this user should not be on that machine. Is this a Trojan horse pretending to be Joe Bob on Sam's machine, whatever? They're all the signals we're trying to capture to know the state of the device: is it one of ours, does it have our security credentials on it, has it checked in with your binary whitelisting application, you know, Bit9 or whatever you have, to verify that these binaries are being antivirus scanned, if they have the latest version of the operating system, is this application even supposed to be on this machine. All these signals are coordinating in this back-end database, so we know whether that device is a real, trusted, you know, access, using the device. And all these signals are coordinated into a repository, a database and inference system, that says: given all we know about this device, its history, its logs, its usage, where it's been, who it's going to, we can figure out a level of trust in that device. And if it's like, well, it's a wired workstation in our building behind our door locks, we give it a lot more trust than that's an iPhone that some Googler says they bought last week, you know. So there's a whole gradation of what we know about the device that determines whether it can have access to critical, sensitive data. If all you want to do is check your calendar or look at what the cafe menu is, okay, you can do it on your phone, but if you want to actually touch the source code or the databases and things like that, you need to have a much more trusted machine to get there.

So bringing all those sources of signals together, the user inventory, device inventory, the trust repository, and then security policy says, for any given application or data flow or connection type, what do we allow. We bring this all to a central server, all right, which has all the policy rules uniformly expressed across all the sources who want to talk to all their back-end resources, so we can apply this universally and uniformly across all the applications. This is one of the things: in the old days you had to go secure this app and that app and this protocol and that protocol on this router and that firewall; it's really hard to prove at the end of the day that you have allowed or disallowed the access you care about. By having this in a language, an access control language, that understands users and machines and levels of access and types of back ends, we can express that these kinds of client sources can talk to these kinds of back ends on a very fine-grained basis. And the great part about that is, once we've dissociated the network address from the access and have it all based on device and user and need-to-know and proper security protocols in place, then you can do it from anywhere. It doesn't really matter now whether you're in the corporate building, in most cases, or whether you're in an airport or a hotel or at your home; we have the protocols and the security that will carry the traffic from wherever you are to where it needs to be. So again, a big benefit to Google at this point was that people could do their work from anywhere in the world, you know, modulo what that exact network was, but the vast majority
of web applications, for HR and finance and turning the crank, and even code editing, can be done over the web these days. It really freed up a lot, without using a VPN, which took time to set up. Now you just hit the front-end access proxy, HTTP stuff goes to the back ends, it's very easy, very fast and very useful.

Okay, how did we get there? This is a big change in the network. Basically we're turning off all the access to these applications unless you go through specified gateways, the access proxy or things like that. And just to say, in Google the access proxy, which is an HTTP proxy, actually services a lot more, because we actually wrapped our SSH connections through HTTP, so they go through the same proxy; different pathways, different questions we ask about who's going where, but a lot of that is the same. Google Front End, Überproxy, access proxy: it all is the nexus of these traffic flows.

Okay, how do we get there? Our decision was, one choice was to say take our current network, our engineering all-access trusted network which has all these open ports from there to the back ends, and one by one start closing off those ports and making sure people go do their job. That's really dangerous, because you really don't know what is out there, who's using what, how often and things like that. Our approach was to create a new VLAN. We all know VLANs; who knows what a virtual LAN is? Okay, this is how you segment who can talk to what. So we made a new VLAN. We said this VLAN can't talk to anybody; you can't even talk from one workstation to the one sitting right beside it on the same segment, because of threats. If you have an infected machine here, you don't want them to migrate to the one sitting next door. So no, you have to go through an access proxy even to SSH from your laptop to your workstation. That LAN can talk to the access proxy, which carries web traffic and SSH and a few other things that we carefully craft to go through to get from here to there, but it cannot talk to the server back-end VLAN. That's the critical thing. And you can't talk to your neighbor, so it's hard for an infiltrated, broken machine, a Trojan horse here, to get to anybody else. And then, having that clean, protected space, we then move devices once we know that the user of that device will be successful.

All right, so a device wakes up. By the way, there's 802.1X, if you know about this. Your device wakes up and says, dear network, what should I do, where can I go? And the network says, well, show me your certificate, tell me which device you are. Meaning, look, I'm saying that we trust that device, it's a Google-managed device, and they've checked in with Bit9 recently or whatever it is. Okay, you're a good device, you're Google-managed, up to date, top priority, yes, we'll put you on this managed network: you're a managed device, you have the right software and your Google client software running, on this managed non-privileged network, and now you have a clean, well-lighted place to work, and you can go talk to Überproxy or whoever else to get the rest of your job done.

The key to this whole migration, though, was to make sure we didn't put anybody on that till we knew if they would be successful. Can you put them on that network? If they have to RDP to their Windows server to do some sysadmin work, it'll just fail. If they're running a Java-based RMI client application that needs to talk to some system back there, it will fail. If they're running, let's say, a finance application that wants an Excel spreadsheet in order to, you know, tabulate things, to load Excel using Microsoft Office, it's also going to fail, because NFS or CIFS, we don't allow that to go through the network. So we wanted to make sure we found, first of all, all the applications that would fail before we move users over, and fix those before we get there. So we got out the network analysis job: NetFlow logs from the routers, to see which machines talk to which back ends, talk to which front ends, over which ports and which protocols, why are they doing that. And of course immediately you look in these logs and you say, oh my God, there's traffic like that on my network? We thought we got rid of that three years ago. Well, no, there's more stuff out there, and you can imagine it's not all port 80 HTTP or port 443; there's just applications you didn't know that your procurement system has deployed, these, oh, I shouldn't say Windows applications, I should say third-party applications, that do 1980s technology in a way you thought was bad then, and it's really bad nowadays.

So we find all this, analysis, find who can do what where, who needs special treatment, and we say: can you fix your application, can you buy a new application, can we wrap it in HTTP? If it really is HTTP, why aren't you going through the access proxy? Just reconfigure the system, change DNS, and now your existing URL will go through the controlled access, check for user coordination, check for authentication, and keep on going. So that was the first phase: find all the bad traffic, get it fixed, find the users who are successful, and then move their devices onto this new network where they're safe and happy. To do that we automated it. Google's very big on data and analysis, so we automated this pipeline to look at the network logs. We actually built an on-client application, which is iptables basically, but it watched all their traffic so we could simulate whether their applications would hit the firewall and fail, and with those logs we could then again find things, remediate the applications, find the users, and, automatically processing logs, if they were clean for 30 days, the next time they hit the network they'd go to this non-privileged network. This is our vision. We've written a number of papers out here for USENIX; you'll be able to look at those. I'm running short on time because we started, like, here we
go. To do a change of this magnitude you need the whole corporation behind you. Understand the threats, explain it to the executives, get buy-in and commitment from the top down. That's not easy; it's not fast to change the way, you know, hundreds or thousands of people, hundreds of thousands of people in our case, access and do their job. And you don't want to break the user; that's just the important thing: clean this up so it works for the users. Data quality is key: knowing your users, knowing your devices, having an inventory control system, the databases, the ability to process that as near to real time as you can, so you can react to various threats. I mean, we've had cases where there's a zero-day attack out there, where you say, okay, all these devices, turn them off, they're not allowed on the corporate network anymore until we can get it fixed. Enable painless migration. I think my slides have stopped advancing here. Which is to say we do success-based migration: prove that the user will be happy before you move them over, but then be very aggressive moving them over, because excuses like "well, my app uses NFS so I have to stay here" is a bad excuse; we have to get solutions for that. And that goes along with getting everybody on board: really clear, continuous communication, working with management, the business application developers and managers, the actual users, the tech support people, because where do people go when they say, hey, my network stuff is failing, what's the problem here? They don't know whether their device is bad, the network is bad, or it fails as intended. That's what we wanted to have happen: you shouldn't be able to run that app anymore. So getting them all on board and keeping the process and the communication clear is really key.

And most important, all this again is, when you move people to these new systems, these databases, these pipelines, this analysis system, this policy engine, this proxy, if any of those fail, what happens? Users can't do their job, their machines fall off the network, their packets don't flow, they can't do their job, and in Google's case that means accounts receivable and accounts payable are not processing that huge flow of money that we know and love. Okay, so it's important, I'm saying, to make sure it's reliable, because if anything breaks along the way, the amount of confusion and pain and setback to the morale and the productivity is enormous. So be very clear, keep these things going, and then not keep them going, because there's a red sign here saying "don't". Anyway, there's the synopsis: have zero trust in the network, do it at the data level, get data about your devices, and then carefully, carefully move them over, again by data and analysis, and it can be done. Thank you.

[Applause]

If you would like to hear more about BeyondCorp, we've got security talks happening three blocks down the street from RSA on Tuesday and Wednesday. Just go to a search engine and type in "Google security talks" and you'll see them all. Right, thanks again guys, so appreciate it. And on behalf of BSides SF and Fitbit, here's a speaker gift for you guys. Thank you very much, we really appreciate your contribution. All right everybody, it will be about ten minutes to the next presentation. Thank you.
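The talk describes a central access control engine that decides each request from what the user inventory says about the user, what the device inventory and its inference system say about the device (a trust gradation from "phone bought last week" up to "wired workstation behind our door locks"), and a per-resource policy, with the source IP address counting for nothing. The following is an added example of that decision logic in Python; it is not code from the talk or from Google. The tier names, the freshness and OS-version thresholds, the resource names and the sample users and devices are all assumptions made up for illustration.

```python
"""Added example: a minimal BeyondCorp-style access control engine.
Decisions come from user inventory + groups, an inventory-derived device
trust tier, and a per-resource rule; never from the client IP address.
All tiers, thresholds and sample data are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Device trust gradation, lowest to highest (assumed, not Google's).
UNTRUSTED, BASIC, MANAGED, FULLY_TRUSTED = 0, 1, 2, 3


@dataclass(frozen=True)
class Device:
    device_id: str
    kind: str                              # "workstation", "laptop" or "phone"
    has_valid_cert: bool                   # cert from our CA, held in TPM/keystore
    assigned_user: Optional[str]           # owner according to the device inventory
    os_version: str
    whitelist_checkin_days: Optional[int]  # days since last binary-whitelisting check-in


@dataclass(frozen=True)
class User:
    username: str
    groups: FrozenSet[str]
    active: bool                           # False once offboarded


@dataclass(frozen=True)
class Rule:
    min_tier: int
    groups: Optional[FrozenSet[str]]       # None: any active employee may use it


LATEST_OS = {"workstation": "10.4", "laptop": "10.4", "phone": "12.1"}  # assumed
MAX_CHECKIN_AGE_DAYS = 7                                                # assumed


def device_trust_tier(device: Device, claimed_user: str) -> int:
    """Infer a trust tier from inventory signals (the talk's inference system)."""
    if not device.has_valid_cert:
        return UNTRUSTED      # not one of ours: stolen credentials on a random device
    if device.assigned_user != claimed_user:
        return UNTRUSTED      # the "Joe Bob on Sam's machine" signal
    if device.kind == "phone":
        return BASIC          # fine for the cafe menu, never for source or databases
    stale = (device.whitelist_checkin_days is None
             or device.whitelist_checkin_days > MAX_CHECKIN_AGE_DAYS)
    if stale or device.os_version != LATEST_OS.get(device.kind):
        return BASIC          # managed but out of date: downgrade rather than block
    return FULLY_TRUSTED if device.kind == "workstation" else MANAGED


def authorize(users: Dict[str, User], policy: Dict[str, Rule], resource: str,
              username: str, device: Device, client_ip: str) -> Tuple[bool, str]:
    """Per-request decision the access proxy would make. client_ip is accepted
    only to make the point: a real proxy logs it, but it is never consulted."""
    del client_ip  # being on the network is considered nothing at all
    user = users.get(username)
    if user is None or not user.active:
        return False, "unknown or offboarded user"
    rule = policy.get(resource)
    if rule is None:
        return False, "no policy for resource (default deny)"
    tier = device_trust_tier(device, username)
    if tier < rule.min_tier:
        return False, f"device tier {tier} below required tier {rule.min_tier}"
    if rule.groups is not None and not (user.groups & rule.groups):
        return False, f"user not in any of {sorted(rule.groups)}"
    return True, "ok"


# Constructed sample inventories and policy (not real data).
USERS = {
    "alice": User("alice", frozenset({"finance"}), True),
    "bob": User("bob", frozenset({"eng"}), True),
    "carol": User("carol", frozenset({"finance"}), False),   # offboarded
    "dave": User("dave", frozenset({"contractor"}), True),
}
DEVICES = {
    "lap-alice": Device("lap-alice", "laptop", True, "alice", "10.4", 2),
    "ws-bob": Device("ws-bob", "workstation", True, "bob", "10.4", 1),
    "phone-alice": Device("phone-alice", "phone", True, "alice", "12.1", 3),
    "lap-dave": Device("lap-dave", "laptop", True, "dave", "10.2", 40),
    "byod": Device("byod", "laptop", False, None, "10.4", None),
}
POLICY = {
    "cafe-menu": Rule(BASIC, None),
    "erp-finance": Rule(MANAGED, frozenset({"finance"})),
    "source-code": Rule(MANAGED, frozenset({"eng"})),
    "prod-db": Rule(FULLY_TRUSTED, frozenset({"eng", "sre"})),
}


def decide(resource: str, username: str, device_id: str, client_ip: str) -> Tuple[bool, str]:
    """Convenience wrapper over the sample inventories."""
    return authorize(USERS, POLICY, resource, username, DEVICES[device_id], client_ip)


if __name__ == "__main__":
    for args in [("erp-finance", "alice", "lap-alice", "198.51.100.7"),  # hotel Wi-Fi
                 ("erp-finance", "alice", "phone-alice", "10.0.0.5"),     # corp IP, phone
                 ("erp-finance", "alice", "ws-bob", "10.0.0.6"),          # someone else's box
                 ("cafe-menu", "carol", "lap-alice", "10.0.0.7")]:        # offboarded user
        print(args, "->", decide(*args))
```

Two design points are worth noting: the decision is made per request, so offboarding a user or dropping a device's trust tier takes effect on the next request rather than at the next VPN login, and an out-of-date managed device is downgraded to a lower tier instead of being cut off outright, which lets it keep reaching low-sensitivity applications while it is remediated.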
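The migration procedure Jeff describes (pull NetFlow logs from the routers, find which clients still talk NFS, CIFS, RDP or RMI straight to the back-end VLAN or to their neighbours, fix or repoint those applications, and move only the devices that have been clean for 30 days) is the kind of pipeline one can prototype offline. Below is an added Python example of that triage step; it is not the talk's or Google's tooling. The VLAN ranges, the access proxy address, the port-to-protocol table and the NetFlow records are all constructed for illustration.

```python
"""Added example: offline triage of NetFlow-style records to find which client
devices would break on a client VLAN that may only reach the access proxy,
and which have been clean long enough to migrate. Addressing, ports and the
sample records are hypothetical."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Assumed addressing: legacy client VLAN, back-end VLAN, access proxy VIP.
CLIENT_VLAN = ipaddress.ip_network("10.10.0.0/16")
BACKEND_VLAN = ipaddress.ip_network("10.20.0.0/16")
ACCESS_PROXY = ipaddress.ip_address("10.20.0.10")
PROXY_PORTS = {443}
LEGACY = {2049: "NFS", 445: "CIFS", 139: "CIFS", 3389: "RDP", 1099: "Java RMI"}


def classify_flow(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Verdict for one flow under the new VLAN's rules: 'allowed', 'fixable'
    (repoint through the proxy), 'blocked' (application must change) or 'ignored'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in CLIENT_VLAN:
        return "ignored", "not sourced from the client VLAN"
    if dst_ip == ACCESS_PROXY and dport in PROXY_PORTS:
        return "allowed", "via access proxy"
    if dst_ip in CLIENT_VLAN:
        return "blocked", "client-to-client traffic (even SSH to your own workstation goes via the proxy)"
    if dst_ip in BACKEND_VLAN:
        if dport in (80, 443, 8080):
            return "fixable", f"direct HTTP(S) to backend :{dport}; change DNS to go through the proxy"
        if dport == 22:
            return "fixable", "direct SSH to backend; wrap it through the proxy"
        name = LEGACY.get(dport, f"tcp/{dport}")
        return "blocked", f"{name} to backend; application must change"
    return "allowed", "external destination"


def migration_candidates(netflow_csv: str, today: date, window_days: int = 30
                         ) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Hosts seen in the window with no non-allowed flow are eligible to move;
    every other host gets the list of flows that would fail."""
    cutoff = today - timedelta(days=window_days)
    seen: Set[str] = set()
    blockers: Dict[str, List[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(netflow_csv)):
        verdict, detail = classify_flow(row["src"], row["dst"], int(row["dport"]))
        if verdict == "ignored" or date.fromisoformat(row["date"]) < cutoff:
            continue
        seen.add(row["src"])
        if verdict != "allowed":
            blockers[row["src"]].append(
                f"{row['date']} -> {row['dst']}:{row['dport']} {verdict}: {detail}")
    return seen - set(blockers), dict(blockers)


# Constructed sample NetFlow export (not real traffic).
NETFLOW_SAMPLE = """date,src,dst,dport,proto,bytes
2017-02-01,10.10.1.5,10.20.0.10,443,tcp,48210
2017-02-03,10.10.1.5,93.184.216.34,443,tcp,12000
2017-02-10,10.10.1.7,10.20.3.40,2049,tcp,980000
2017-02-11,10.10.1.7,10.20.0.10,443,tcp,5100
2017-02-12,10.10.1.9,10.20.5.12,80,tcp,3300
2017-02-12,10.10.1.9,10.10.1.5,22,tcp,700
2017-01-02,10.10.1.11,10.20.3.40,3389,tcp,50000
2017-02-13,10.10.1.11,10.20.0.10,443,tcp,2200
2017-02-13,10.20.3.40,10.10.1.7,2049,tcp,1000
"""


def triage() -> Tuple[Set[str], Dict[str, List[str]]]:
    """Run the pipeline over the sample as of an assumed date."""
    return migration_candidates(NETFLOW_SAMPLE, date(2017, 2, 14))


if __name__ == "__main__":
    eligible, blocked = triage()
    print("eligible to migrate:", sorted(eligible))
    for host, reasons in sorted(blocked.items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

On the sample, 10.10.1.5 and 10.10.1.11 come out eligible (the RDP session from 10.10.1.11 is older than the 30-day window), while 10.10.1.7 is held back by NFS to the back-end VLAN and 10.10.1.9 by both a direct HTTP connection that can simply be repointed and an SSH session to a neighbouring client. The same classifier can run over logs from an on-client filter like the iptables-based one the talk mentions; only the record parser changes.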