This is the fascinating tale of how Google getting attacked by advanced Chinese hackers actually made it easier to protect remote workers during this time of the pandemic lockdown.
Google, like so many organizations, has recently asked most of its employees to work from home courtesy of the ongoing COVID-19 pandemic. It was able to do this securely with relative ease, enabling access to the apps and information that those workers needed from untrusted networks and on a myriad of devices, without using a remote-access VPN.
It could do so thanks, bizarrely, to a group of Chinese hackers who compromised Google and stole intellectual property. This hack attack was the catalyst for Google to develop a security posture that treated everyone as a remote worker, even when they weren’t. This isn’t as back-to-front as it might sound, and it was this security rethink that enabled Google to develop a service which might just signal the beginning of the end for the virtual private network (VPN).
How Chinese hackers caused a security rethink at Google
This strange tale of serendipitous security happenstance begins way back in December 2010. It was then that Google found itself under attack by highly sophisticated hackers originating from China. Sophisticated hackers originating from China have a long history of advanced attack capabilities, so this should come as no surprise. The hack targeted Google’s corporate infrastructure and, using layers of encryption along with multiple malware programs and an Internet Explorer zero-day, managed to steal intellectual property. Google wasn’t alone as a victim of this coordinated hack attack: as many as 34 other organizations, including Adobe, were also targeted.
By January 12, 2010, Google confirmed that it had already made infrastructure and architectural improvements to enhance its internal security posture. In a newly published interview with SDxCentral, Google Cloud vice-president, Sunil Potti, reflects that after the 2010 breach there was a “major investment” to “hit the reset button on how to approach protection of both employees and assets.” That investment gave birth to BeyondCorp, an internal zero-trust security platform, just a year later.
The birth of BeyondCorp
“In 2011,” Potti said in an April 20, 2020, Google blog posting, “we started our journey to implement a zero-trust access approach we called BeyondCorp.” Although initially designed purely for internal Google use, Potti has announced that the BeyondCorp Remote Access security service is now available for use by any enterprise. The release of a service such as this, based on Google’s internal security solution, comes at precisely the time when many organizations are struggling to secure their networks in the face of a dramatic and sudden shift to working from home. It does this by ensuring that the right users can access the correct information in the proper context.
Potti gives the example of using BeyondCorp to enforce a policy under which HR recruiters working from home, and using their own laptops, can access a web-based document management system without access to anything else, and only if they have the latest, patched version of the operating system installed and are using the correct level of “phishing-resistant authentication like security keys.”
This is known as a zero-trust approach to the problem of a remote workforce: it starts from the assumption that nobody can be trusted, no matter where they are connecting from, and users are then allocated permissions to access only what they can be trusted with. BeyondCorp isn’t a magic wand; it can’t make deploying zero-trust security an instant thing across the organization. But then, Google isn’t suggesting it is. What Potti is saying, however, is that BeyondCorp means organizations can get started by securing remote access to internal web apps for specified groups of workers. And that’s what many are struggling with right now, given that VPNs might take many weeks to deploy properly across hundreds of new remote workers. “With BeyondCorp Remote Access,” Potti said, “we can help you do this in days.”
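The recruiter policy Potti describes, sketched as a default-deny decision function. This is an added illustration, not Google's code or the BeyondCorp API; the group name, app name, minimum OS version and field names are constructed assumptions. Note that the network a request comes from is recorded but never consulted, and that OS versions are compared numerically, because a string comparison would rank "10.9.9" above "10.15.4".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str               # who the rule applies to
    app: str                 # the single application this rule opens
    min_os: str              # lowest OS version treated as patched
    auth_methods: frozenset  # accepted phishing-resistant factors

@dataclass(frozen=True)
class Request:
    groups: frozenset
    app: str
    os_version: str          # reported by the device, managed or personal
    auth_method: str
    network: str             # logged only; never an input to the decision

# Constructed policy mirroring the HR-recruiter example in the text.
RULES = [Rule("hr-recruiters", "docs", "10.15.4", frozenset({"security_key"}))]

def parse_version(text):
    """Return a tuple of ints, or None if the text is not dotted ASCII digits."""
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def decide(req, rules=RULES):
    """Evaluate one request; anything not explicitly allowed is denied."""
    reason = "no rule grants this group access to this app"
    for rule in rules:
        if rule.group not in req.groups or rule.app != req.app:
            continue
        reported = parse_version(req.os_version)
        if reported is None:
            reason = "device posture unknown"
        elif reported < parse_version(rule.min_os):
            reason = "operating system not patched"
        elif req.auth_method not in rule.auth_methods:
            reason = "authentication is not phishing-resistant"
        else:
            return True, "allowed"
    return False, reason
```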
Too early to report the death of the VPN
VPNs are the most obvious solution to the remote working secure access problem, but that doesn’t mean they are the most efficient or cost-effective. At the same time, the BeyondCorp announcement from Google doesn’t herald the death of the VPN just yet either. Think of it more like a flesh wound than a fatal shot. VPNs can be problematic when it comes to scaling quickly, as has been the case for many organizations as they shovel whole workforces out of the workplace.
This extra load may simply be too much for the VPN architecture in place. BeyondCorp looks good to go to deal with this kind of problem, but not across the entire enterprise network just yet. The ability to define those tight access restrictions for specific users on an application-by-application basis is not to be sniffed at. Still, we are talking about access to web-based apps: it’s a cloud solution for now. “Over time,” Potti said, “we plan to offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”
BeyondCorp Remote Access is a subscription-based service and costs $6 (£4.80) per user per month.