New Google cloud service aims to bring zero trust security to the web

Google launches BeyondCorp Enterprise, a new enterprise security service.
Written by Liam Tung, Contributing Writer on

Google has announced general availability of BeyondCorp Enterprise, a new security service from Google Cloud based on the principle of designing networks with zero trust. 

As US security companies come to terms with the SolarWinds supply chain hack, Google and Microsoft are talking up their capabilities in the cloud around zero trust. 

Microsoft last week urged customers to adopt a "zero trust mentality" and abandon the assumption that everything inside an IT network is safe and now Google has launched the BeyondCorp Enterprise service based around the same concept. 

SEE: Power checklist: Local email server-to-cloud migration (TechRepublic Premium)

"Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned)," explains the National Institute of Standards and Technology (NIST).  

"Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established."

BeyondCorp Enterprise replaces BeyondCorp Remote Access, a cloud service Google announced in April in response to remote working due to the COVID-19 pandemic and the heightened need for virtual private network (VPN) apps. 

The service allowed employees to securely access their company's internal web apps from any device and location. Google has been using BeyondCorp for several years internally to protect employee access to apps, data, and other users. 

"BeyondCorp Enterprise brings this modern, proven technology to organizations so they can get started on their own zero trust journey. Living and breathing zero trust for this long, we know that organizations need a solution that will not only improve their security posture, but also deliver a simple experience for users and administrators," said Sunil Potti, VP of Google Cloud Security. 

As Microsoft highlighted last week, the three main attack vectors in the SolarWinds attack were compromised user accounts, compromised vendor accounts, and compromised vendor software. These can be significantly mitigated by zero trust principles, such as restricting privileged access to accounts that need them and enabling multi-factor authentication. It's encouraging organizations to use Azure Active Directory for identity and access management versus on-premise identity management systems. 

Google's main weapon in the fight against sophisticated attackers is Chrome through which it's promising easy "agentless support". Chrome has over two billion users, so it has scale too. 

Then there's Google's network with 144 network edge locations across 200 countries and territories, which helps back up its distributed denial of service (DDoS) protection service. 

Google is encouraging organizations to use the Google Identity-Aware Proxy (IAP) to manage access to apps running in Google Cloud. 

SEE: AWS is opening yet another cloud computing region

The pandemic and the SolarWinds hack has made security a bigger value proposition for companies like Microsoft and Google. For the first time, Google parent Alphabet on February 2 will break out cloud revenue as a separate reporting segment starting with its Q4 2020 results.

Other key security highlights for Chrome under the BeyondCorp Enterprise service include threat protection to prevent data loss and exfiltration and malware infections from the network to the browser; phishing protection; continuous authorization; segmentation between users and apps and between apps and other apps; and management of digital certificates. 

BeyondCorp Enterprise lets admins check URLs in real time and scan files for malware; create rules for what types of data can be uploaded, downloaded or copied and pasted across sites; and track malicious downloads on company-issued devices and monitor whether employees enter passwords on known phishing sites. 

Editorial standards