BeyondCorp Enterprise: Google's Chrome-shaped approach to 'cloud-native zero trust computing'
New security features in Chrome but can businesses do everything they need through the browser?
Google has introduced BeyondCorp Enterprise, for secure access to browser-based applications, using new security features in the Chrome browser.
The company already has a service called BeyondCorp Remote Access, for which this is an upgrade. But there are two crucial differences.
First, there are new features in the latest Chrome browser. One is enhanced malware and phishing protection, which the company says includes “real-time URL checks and deep scanning of files for malware.” Next is “sensitive data protection”, which is the ability to enforce policies for what types of data “can be uploaded, downloaded or copied and pasted across sites.”
Finally, there are new reports available to administrators which analyse which users encountered the most threats (such as attempting to visit unsafe sites or reusing a password), and how many data protection rules were actively enforced. These administrative functions are available through the Chrome Browser Cloud Management dashboard, part of the Chrome Enterprise offering.
BeyondCorp Enterprise also adds the ability to connect with on-premises networks so that the protection extends to web applications hosted in a company’s own datacentre, or on Google Cloud Platform, AWS or Microsoft Azure. The price, Google told us, is from $6 per user per month.
Google’s line is that protecting the connection between the browser and web applications, together with strong authentication preferably using physical security keys as well as username/password, is a better security model than trying to keep malicious actors out of an internal network.
“We all use security keys internally, and we just haven’t been phished,” said Sunil Potti, VP Cloud Security, in a press briefing. The recent widespread nation-state attack associated with hacked SolarWinds installations helps to demonstrate this point. BeyondCorp is agentless – unless you count Chrome as the agent – and avoids use of VPNs.
Third parties such as Symantec, Citrix and VMware can integrate with the system. In October last year, the company introduced the BeyondCorp Alliance, naming nine companies offering features such as device management, endpoint security, gateways to virtual desktops, and mobile security.
A snag with this approach is that you have to work entirely through the web browser and in particular through Chrome – although Google says other web browsers can be used at the expense of losing some of the protection. “The data loss prevention, the phishing capabilities, will not be available if you’re a Firefox user, for example,” said Potti, “but the rest of the solution will still work.”
That said, there is a bit more to it, as the company told us that with Chrome “more fine-grained policies” can be applied, and that “the Chrome footprint while browsing is sending a lot of security signals and at scale, that kind of data for security analytics to leverage would provide the right controls back for access control.”
Remote desktops and virtual applications can run in the browser, so there are ways of running things like Windows applications, but it is still challenging for enterprises with diverse applications from diverse vendors to fit every peg into a Chrome-shaped hole.
"The way we think about this is to look forward," Potti told The Register. "Five years from now we think the number of browser-based apps will be 10x more than today, maybe at 80-90% of the workload. So rather than build something that looks only backward, we’ve optimized for the go-forward architecture."
The security record of Google’s Chrome OS devices, which might be considered the fullest expression of working largely through a web browser, is good. The full Google Enterprise experience is not for everyone though.
“As someone who runs IT for a medium sized organisation using G Suite (now Google Workspace), I cannot recommend against it enough,” said a recent comment on Hacker News. “It is only a matter of time until we switch I think, and I would strongly caution anyone against adopting it, especially if you plan to use it as the primary file sharing method for more than 10 users.”
Google is betting that the security benefits and convenience of working through the browser will win over Microsoft's hybrid desktop/cloud solution, but going the full Google route is still a source of friction for some.®