Workflow showing the 4 main features of IAP: Identity, Context, Rules engine and Enforcement point, before a request reaches the apps.

Have you heard about the BeyondCorp or Zero Trust security model?

Here is a quick visual introduction: What is BeyondCorp? What is Identity Aware Proxy (IAP)?

By reading the whitepaper BeyondCorp: A New Approach to Enterprise Security (2014), we learn that BeyondCorp is a security-oriented engineering effort which began in 2012 to re-architect the Google Corp network to remove any privileges granted solely on the basis of having a Corp IP, instead basing authentication on more secure factors.

Virtually every company today uses firewalls to enforce perimeter security. However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. Google is taking a different approach to network security. We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet.

Why Zero Trust Networks?

  • Lateral movement is much harder
    • Each service has to be authenticated - the internal network is not permissive
  • Stolen credentials are less valuable
    • Strong auth requirements increase the cost of credential theft and MITM attacks
  • Known vulnerabilities that are easy to exploit will be rarer - increased ecosystem hygiene
  • Non-targeted attacks have less value
    • Forces targeted attacks - higher cost to the attacker

Identity Aware Proxy (IAP) is one of the components of the BeyondCorp security model and lets you establish a central authorization layer for applications accessed by HTTPS. Problems it solves:

  • May remove the need for a VPN
    • Hard to configure, arguably secure, does not implement zero trust
  • Access by contractors (can’t install a VPN client)
    • Some companies implement SSL VPN - normally a web page hosted on an NGFW
  • Save costs
    • Using a VPN normally means paying for agents installed on devices, plus sizing large NGFWs for the encryption they need to support hundreds of users
  • Reduce latency

IAP can help you control access to your public cloud apps, your on-prem apps and your VMs running on Google Cloud. IAP works by verifying a user’s identity and considering the context of their request to determine if they should be allowed access. This is one building block in the zero trust model of access, an enterprise security model that enables every employee to work from untrusted networks without the use of a VPN.
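As an added illustration (not code from this post or from Google's IAP), here is a toy rules engine in Python that walks a request through the four stages of the workflow shown above: identity, request context, rules and enforcement point. The access levels, applications, groups and users are constructed sample data; the "corp_device" and "strong_auth" levels stand in for the kind of context conditions Access Context Manager lets you define, and are not its real API.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    """Who is asking: the authenticated principal and its group memberships."""
    email: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Context:
    """What we know about the request beyond identity: device posture, auth strength."""
    managed_device: bool = False
    os_patched: bool = False
    mfa_verified: bool = False


# Access levels: named predicates over the request context, in the spirit of
# Access Context Manager (assumed structure for this example, not its real API).
ACCESS_LEVELS: Dict[str, Callable[[Context], bool]] = {
    "corp_device": lambda c: c.managed_device and c.os_patched,
    "strong_auth": lambda c: c.mfa_verified,
}

# Per-application rules (constructed sample data): the groups allowed in and
# the access levels that must all hold for the request context.
APP_RULES: Dict[str, Dict[str, Set[str]]] = {
    "payroll": {"groups": {"finance"}, "levels": {"corp_device", "strong_auth"}},
    "wiki": {"groups": {"employees", "contractors"}, "levels": set()},
}


def decide(app: str, who: Optional[Identity], ctx: Context) -> Tuple[bool, str]:
    """Rules engine: returns (allowed, reason). Anything not explicitly permitted
    is denied; that default deny is what the enforcement point applies before
    the request is forwarded to the app. Note that no source IP is consulted."""
    if who is None:
        return False, "unauthenticated"
    rule = APP_RULES.get(app)
    if rule is None:
        return False, "unknown app"
    if not who.groups & rule["groups"]:
        return False, "identity not in an allowed group"
    for level in sorted(rule["levels"]):
        if not ACCESS_LEVELS[level](ctx):
            return False, "access level not satisfied: " + level
    return True, "allowed"


if __name__ == "__main__":
    # A contractor on an unmanaged laptop can reach the wiki with no VPN at all...
    print(decide("wiki", Identity("c@example.com", frozenset({"contractors"})), Context()))
    # ...but that same device posture is not enough for payroll, even for finance staff.
    print(decide("payroll", Identity("f@example.com", frozenset({"finance"})), Context(mfa_verified=True)))
```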

Here is a visual demonstration of IAP and Access Context Manager for both HTTPS (web app) and SSH/TCP (VM) resources:

And here are concrete implementations of IAP if you are looking for more examples:

Still a bit confused about how to get started with BeyondCorp and IAP? Here you are:

Further and complementary resources:

Hope you enjoyed this blog article, and hope it gives you some ideas about how to modernize the way you implement your Zero Trust security model when dealing with access to internal web apps, APIs, GSuite, VMs, etc.

Cheers and stay safe!