
I'm reading the BeyondCorp papers and trying to get a very high level idea of how it could be implemented by a small to medium organisation, rather than a behemoth like Google.

What kind of software would a managed device require? I assume not only anti-malware, but something that also blocks potentially dangerous requests (e.g. to domains/IPs known to belong to APT C&Cs). Also, would this software check that there's no data leakage? (e.g. someone pwning the device, using it to access internal systems and then exfiltrating the data).

  • I removed the product question. The search term you are looking for is "zero trust". There are lots of vendors. – schroeder Jan 30 '20 at 16:23
  • Thanks @schroeder ! That made it a lot easier to find more information. – Augusto Jan 30 '20 at 16:47
  • Actually, if you search for "zero trust" you are likely going to find the answer to your other question, too. There is no set of things that the client must have, but the trust engine needs to trust whatever is there and whatever is expected. Different implementations use different controls. – schroeder Jan 30 '20 at 19:57


One of the goals we have with the research papers is to save other companies time and effort in moving to a BeyondCorp model, especially because as we've grown the model internally we've opened up many of the elements to others to use. On Google Cloud this is collected under the umbrella of Context-Aware Access.

The best way to stop malware is binary authorization, allowing only trusted, safe executables on each managed device. Every system gets tricked, even this one, but it's by far the most reliable way to protect yourself, especially from zero-day vulnerabilities.

In "Building a Healthy Fleet" we dig into ways to manage a fleet of machines, including monitoring and maintaining their health. That paper links to a bunch of tools, and lays out best practices across many methods.

osquery and Santa are two open source tools to help with controlling what software is allowed to run on machines you manage. They give you both control and visibility, and can scale to a large number of machines.

Google also provides Endpoint Verification for Chrome and Chrome OS, allowing you to then feed machine metadata directly into access decisions made by other BeyondCorp tools to control which devices can access Google Cloud resources or Cloud-backed web apps.

I don't think any of the tools I've listed will prevent data leakage from individual devices, but you can see other discussions here.

  • 1
    Thanks a lot for your answer Max!! The links you shared opened a few layers of of the onion I'm researching :D. – Augusto Feb 01 '20 at 16:51
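To make the "trust engine" idea from the comments and the answer concrete, here is a minimal BeyondCorp-style access control engine as an added example (not code from the answer, from Google, or from osquery/Santa/Endpoint Verification). The posture attributes, trust tiers, resource policy and group check are all constructed for illustration; a real deployment would populate them from its device inventory and endpoint agents.

```python
"""Toy access-control engine: device posture + user identity -> allow/deny."""
from __future__ import annotations
from dataclasses import dataclass

# Ordered trust tiers (constructed; real deployments define their own).
TIERS = {"untrusted": 0, "basic": 1, "trusted": 2, "fully_trusted": 3}

@dataclass(frozen=True)
class DevicePosture:
    """Snapshot reported by an endpoint agent (attribute names are assumed)."""
    device_id: str
    managed: bool               # enrolled in the device inventory
    disk_encrypted: bool
    os_patch_age_days: int      # days since last OS patch
    binary_allowlisting: bool   # e.g. a Santa-style allowlist agent enforcing
    last_checkin_age_hours: int # staleness of this posture report

def trust_tier(p: DevicePosture) -> str:
    """Map posture to a tier; unmanaged or stale devices never leave 'untrusted'."""
    if not p.managed or p.last_checkin_age_hours > 24:
        return "untrusted"
    if not p.disk_encrypted or p.os_patch_age_days > 30:
        return "basic"
    return "fully_trusted" if p.binary_allowlisting else "trusted"

# Minimum device tier per resource (constructed policy; default deny elsewhere).
RESOURCE_POLICY = {
    "wiki.corp.example": "basic",
    "git.corp.example": "trusted",
    "prod-admin.corp.example": "fully_trusted",
}
# Resources that additionally require group membership (constructed).
GROUP_POLICY = {"prod-admin.corp.example": "sre"}

def decide(p: DevicePosture, user_groups: frozenset[str], resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Device tier and user identity are both checked."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False, "unknown resource: default deny"
    tier = trust_tier(p)
    if TIERS[tier] < TIERS[required]:
        return False, f"device tier {tier} below required {required}"
    needed_group = GROUP_POLICY.get(resource)
    if needed_group and needed_group not in user_groups:
        return False, f"user not in group {needed_group}"
    return True, f"allowed at tier {tier}"
```

Every decision is made per request from current posture, so a device that stops checking in or loses its allowlisting agent drops a tier on its next request without any network perimeter change.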