In December 2014, Google published a paper titled “BeyondCorp: A New Approach to Enterprise Security.” This paper puts into words what the community has been saying for years – namely, that perimeter security is obsolete.
Endpoints should not depend on an external entity for their protection – nor should enterprise applications and services. They should behave and be protected as if connected directly to the Internet – their underlying security principles should reflect that.
The paper is available at http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43231.pdf, and it is accompanied by two talk recordings that are a must-watch: https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter and https://www.usenix.org/conference/lisa13/managing-macs-google-scale
Google, being a pioneer in security, made a huge step forward toward this concept and made their enterprise applications reachable from the public Internet. But do not get confused – they did it right. Removing the perimeter defenses was preceded by careful planning and by turning the infrastructure inside out – protecting the applications and users from external threats by limiting access to applications and services to authorized users and devices only.
An interesting consequence is that a VPN is no longer needed to access corporate resources – if a request for a resource can be attributed to an active employee and originates from a secured corporate device, the connection established is encrypted by default, and the need for a VPN disappears.
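A minimal access decision in the spirit of the model described above, as an added example that is not from the paper or from Google: the user directory, device inventory and per-resource policy are constructed, and their field names are assumptions.

```python
"""BeyondCorp-style access decision (constructed example, not Google's code).
Grant only if the user is an active employee, the device is a managed corporate
device meeting the resource's posture requirements, and the transport is encrypted."""
from dataclasses import dataclass
from typing import Tuple

# Constructed user directory (assumed schema): active employees and groups.
USERS = {
    "alice": {"active": True, "groups": {"eng"}},
    "bob": {"active": False, "groups": {"eng"}},  # departed employee
}
# Constructed device inventory: managed corporate devices and their posture.
DEVICES = {
    "lt-1001": {"managed": True, "disk_encrypted": True, "patched": True},
    "lt-1002": {"managed": True, "disk_encrypted": False, "patched": True},
}
# Constructed per-resource policy: required group and device posture.
RESOURCES = {
    "code-review": {"group": "eng", "require": {"managed", "disk_encrypted", "patched"}},
    "cafeteria-menu": {"group": None, "require": {"managed"}},
}

@dataclass
class Request:
    user: str
    device: str
    resource: str
    encrypted: bool  # True when the request arrived over TLS

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); decided per request, never by network location."""
    if not req.encrypted:
        return False, "plaintext transport rejected"
    user = USERS.get(req.user)
    if user is None or not user["active"]:
        return False, "user unknown or not an active employee"
    device = DEVICES.get(req.device)
    if device is None:
        return False, "device not in corporate inventory"
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    missing = {a for a in policy["require"] if not device.get(a)}
    if missing:
        return False, "device posture insufficient: " + ", ".join(sorted(missing))
    if policy["group"] and policy["group"] not in user["groups"]:
        return False, "user not authorized for resource"
    return True, "allowed"
```

Every request passes through the same checks regardless of whether it comes from the office network or a coffee shop, which is exactly why the VPN stops mattering.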
This is one of the most important and, simultaneously, the shortest posts in this blog – simply because all I would like to share with you on this topic is in the link to the Google paper.