Components of Google BeyondCorp

Device & Hosts

  • Device : Collection of physical & virtual components that act as computer. Eg. PC, Server, VMs
  • Host : Snapshot of a device state at a given point of time. Eg. Device might be a mobile phone, while a host would be specifics of operating system and software running on the device.

Device Inventory Service

  • Contains information on devices, hosts and their trust decisions
  • Continuously updated pipeline that imports data from a broad range of sources

    • System management source : Active directory, Puppet, Simian

    • On-device agents, CMS, Corporate Asset Management

    • Out-of-band-data source: vulnerability scanners, certificate authorities, network infrastructure elements (eg. ARP tables)

    • Full or incremental data set

    • Google's scale : Initial phases ingested billions of deltas from 15+ data sources at 3 million data per day totalling to 80 Terabytes

    • Retaining historical data allowed Google to understand end-to-end life cycle of a device, track & analyze trends, perform security audits & forensic analysis

Tiered Access

  • Trust levels are organised into tiers and assigned to each device by the trust inferer

  • Each resource is associated with minimum trust tier required for access

  • To get access, each device's trust tier assignment must be >= resource's trust tier

  • Trust inferer also supports network segmentation effort by dynamically assigning VLAN based on device state

    • Eg. A device without adequate OS patch level becomes untrustworthy and hence assigned to a quarantine network

>> Check full details of Google's BeyondCorp Architecture & Components in the presentation here by Arnab Chattopadhayay, Senior Director. It was earlier presented at SACON - International Security Architecture Conference.

Google's BeyondCorp Architecture (Image)

8669815664?profile=original

Architecture shown above includes:

  • Devices
    • cell installer
    • configuration mgmt agent
    • patch & inventory agent
  • Certificate authority
  • Configuration Mgmt Services
  • Patch Mgmt Services
  • Asset Mgmt
  • Directory Services
  • Network Infrastructure
  • Vulnerability Scanners
  • Inventory Service

Did you enjoy reading this? Great security minds from the world come together to present and conduct workshops at SACON - International Security Architecture Conference. Check out this year's session plan here

8669802070?profile=original

Interested to deliver a talk? Fill in Call For Speakers here

E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform