In December 2014 Google published a paper titled “BeyondCorp: A New Approach to Enterprise Security”. This paper put into words what the community has been saying for years – namely, that perimeter security is obsolete.
Endpoints should not depend on an external entity for their protection – nor should enterprise applications and services. Each one of them should behave and be protected as if connected directly to the Internet – and their underlying security principles should reflect that.
The paper is available at http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43231.pdf, and it has accompanying video presentations (a must: https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter and https://www.usenix.org/conference/lisa13/managing-macs-google-scale).
Google, being a pioneer in security, made a huge step forward towards this concept and made their enterprise applications public. But do not get confused – they did it right. Their act of removing the perimeter defenses was preceded by careful planning and by turning the infrastructure inside out – protecting the applications and users from external threats by limiting access to the applications and services to authorized users and devices only.
An interesting consequence is that there is no longer any need for a VPN when accessing corporate resources – if the request for a resource can be identified as belonging to an active employee and as coming from a secured, corporate device, the connection established is encrypted by default and the need for a VPN disappears.
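To make that per-request check concrete, here is an added toy example (written for this post, not Google's own access-proxy code): the device inventory, user directory, resource policy, trust tiers and patch baseline are all constructed, hypothetical values.

```python
# Added example (not from the paper or the post): a toy BeyondCorp-style
# access proxy decision based on user identity and device state, not network.

# Constructed device inventory keyed by the fingerprint of the client
# certificate the device presents (hypothetical values).
DEVICE_INVENTORY = {
    "sha256:aaaa1111": {"owner": "alice", "managed": True,
                        "disk_encrypted": True, "patch_level": 42},
    "sha256:bbbb2222": {"owner": "bob", "managed": True,
                        "disk_encrypted": False, "patch_level": 42},
}
# Constructed user directory and per-resource policy.
USER_DIRECTORY = {
    "alice": {"active": True, "groups": {"eng"}},
    "bob": {"active": True, "groups": {"eng"}},
    "carol": {"active": False, "groups": {"eng"}},
}
RESOURCE_POLICY = {
    "source-code": {"min_tier": 3, "group": "eng"},
    "cafeteria-menu": {"min_tier": 1, "group": None},
}
MIN_PATCH_LEVEL = 40  # hypothetical fleet baseline


def device_tier(device):
    """0 unknown/unmanaged, 1 managed, 2 + encrypted disk, 3 + at patch baseline."""
    if device is None or not device["managed"]:
        return 0
    if not device["disk_encrypted"]:
        return 1
    return 3 if device["patch_level"] >= MIN_PATCH_LEVEL else 2


def decide(user, cert_fingerprint, resource):
    """Return (allowed, reason) for one request reaching the access proxy."""
    account = USER_DIRECTORY.get(user)
    if account is None or not account["active"]:
        return False, "user unknown or inactive"
    device = DEVICE_INVENTORY.get(cert_fingerprint)
    if device is None:
        return False, "device not in inventory"
    if device["owner"] != user:
        return False, "device not assigned to this user"
    policy = RESOURCE_POLICY[resource]
    tier = device_tier(device)
    if tier < policy["min_tier"]:
        return False, f"device tier {tier} below required {policy['min_tier']}"
    if policy["group"] and policy["group"] not in account["groups"]:
        return False, f"user not in group {policy['group']}"
    return True, "allowed"
```

Note that the network a request arrives from never appears in the decision: a request from the office LAN and one from a coffee shop are judged by exactly the same rules.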
This is one of the most important and, at the same time, the shortest post on this blog – simply because everything I would like to share with you on this topic is in the linked Google paper.