Components of Google BeyondCorp
Device & Hosts
- Device: A collection of physical and virtual components that together act as a computer, e.g. a PC, a server or a VM
- Host: A snapshot of a device's state at a given point in time. For example, the device might be a mobile phone, while the host would be the specifics of the operating system and software running on it at that moment.
Device Inventory Service
- Contains information on devices, hosts and their trust decisions
- A continuously updated pipeline that imports data from a broad range of sources:
- System management sources: Active Directory, Puppet, Simian
- On-device agents, CMS, corporate asset management
- Out-of-band data sources: vulnerability scanners, certificate authorities, network infrastructure elements (e.g. ARP tables)
- Data arrives as either full or incremental data sets
- Google's scale: the initial phases ingested billions of deltas from 15+ data sources, at 3 million per day, totalling 80 terabytes
- Retaining historical data allowed Google to understand the end-to-end life cycle of a device, track and analyse trends, and perform security audits and forensic analysis
Tiered Access
- Trust levels are organised into tiers and assigned to each device by the trust inferer
- Each resource is associated with the minimum trust tier required for access
- To gain access, the device's assigned trust tier must be >= the resource's required trust tier
- The trust inferer also supports the network segmentation effort by dynamically assigning a VLAN based on device state
- E.g. a device without an adequate OS patch level becomes untrustworthy and is therefore assigned to a quarantine network
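As an added illustration (not code from this page or from Google's implementation), the Python below sketches how a host snapshot from the inventory feeds a trust inferer, whose output drives both the VLAN assignment and the tier comparison described above. The tier names, host fields, 30-day patch threshold and resource list are all assumed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    """Trust tiers; a higher value means more trusted (names are assumed)."""
    UNTRUSTED = 0
    BASIC = 1
    PRIVILEGED = 2
    HIGHLY_PRIVILEGED = 3

@dataclass
class Host:
    """Snapshot of one device's state as held in the inventory (fields are constructed)."""
    device_id: str
    cert_valid: bool        # device certificate issued by the CA and not revoked
    managed: bool           # enrolled in configuration management (e.g. Puppet)
    patch_age_days: int     # days since the last OS patch was applied
    open_vulns: int         # open findings from the vulnerability scanner

MAX_PATCH_AGE_DAYS = 30     # assumed policy threshold

def infer_trust(host: Host) -> Tier:
    """Simplified trust inferer: derive a tier from the host snapshot."""
    if not host.cert_valid or not host.managed:
        return Tier.UNTRUSTED          # device cannot be identified or controlled
    if host.patch_age_days > MAX_PATCH_AGE_DAYS:
        return Tier.UNTRUSTED          # inadequate OS patch level
    if host.open_vulns > 0:
        return Tier.BASIC              # known exposure on an otherwise managed device
    return Tier.HIGHLY_PRIVILEGED

def assign_vlan(host: Host) -> str:
    """Network segmentation: untrusted devices land on the quarantine VLAN."""
    return "quarantine" if infer_trust(host) == Tier.UNTRUSTED else "corp"

# Minimum tier required per resource (assumed examples).
RESOURCE_MIN_TIER = {
    "wiki": Tier.BASIC,
    "source-repo": Tier.PRIVILEGED,
    "prod-admin": Tier.HIGHLY_PRIVILEGED,
}

def access_allowed(host: Host, resource: str) -> bool:
    """Access gate: the device's tier must be >= the resource's required tier."""
    return infer_trust(host) >= RESOURCE_MIN_TIER[resource]
```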
>> Full details of Google's BeyondCorp architecture and components are in the presentation by Arnab Chattopadhayay, Senior Director, which was earlier presented at SACON - International Security Architecture Conference.
Google's BeyondCorp Architecture (Image)
The architecture shown above includes:
- Devices
- cell installer
- configuration mgmt agent
- patch & inventory agent
- Certificate authority
- Configuration Mgmt Services
- Patch Mgmt Services
- Asset Mgmt
- Directory Services
- Network Infrastructure
- Vulnerability Scanners
- Inventory Service