BeyondCorp is an implementation ideal surrounding Zero Trust Networking and Architecture. I wrote an article for US CyberSecurity Magazine called “Identity and Transmission Based Authentication” right before the pandemic started, not knowing how spot-on I was going to be. The proliferation of work-from-home, however, I could not have predicted to occur so rapidly.
Organizations were scrambling to find ways to let their people connect to corporate services securely and safely. The Department of Defense was no exception. Given COVID restrictions and the need to reduce spread, organizations are still looking for ways to operate securely and/or improve their security posture.
BeyondCorp essentially relies on an Identity Engine to determine, on a recurring basis, whether you are eligible to access a specific service. The Identity Engine can correlate a variety of factors and events into a risk score, which is then used to weigh your current posture. For example, if you authenticated in one location and then 5 minutes later in another, you might be flagged as a risk and have your access temporarily reduced until other decisions could be made about future access.
A Virtual Private Network typically does not have this type of feature. It usually relies on a single authentication, after which you have unfettered access to whatever segments of the network you were granted. Microsegmentation of network units to prevent lateral movement is complicated with that type of network architecture, and it certainly does not follow a zero-trust philosophy natively.
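The contrast between the two models is easier to see in code. The following is an added example written for this post, not code from BeyondCorp or any product: a toy identity engine that scores a user's posture from recent authentication events (the "two locations within 5 minutes" case above) and re-evaluates that score on every request against a per-service risk limit, beside a VPN-style check that only asks whether the tunnel was authenticated once. The service names, risk weights, thresholds and the authentication events are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed policy values, constructed for this example.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(minutes=5)
SERVICE_RISK_LIMIT: Dict[str, int] = {   # highest risk score each service tolerates
    "wiki": 80,
    "source-control": 50,
    "hr-records": 20,
}


@dataclass
class AuthEvent:
    """One authentication seen by the identity engine (constructed sample data)."""
    user: str
    location: str
    at: datetime
    device_compliant: bool = True


@dataclass
class Decision:
    allowed: bool
    risk: int
    reasons: List[str] = field(default_factory=list)


def risk_score(history: List[AuthEvent], now: datetime) -> Tuple[int, List[str]]:
    """Correlate a user's authentication events from the last hour into a risk score.

    Each observed factor adds to the score; the caller compares the total
    against the sensitivity of the service being requested.
    """
    risk, reasons = 0, []
    recent = sorted((e for e in history if now - e.at <= timedelta(hours=1)),
                    key=lambda e: e.at)
    # Impossible travel: consecutive logins from different locations inside the window.
    for earlier, later in zip(recent, recent[1:]):
        if (earlier.location != later.location
                and later.at - earlier.at <= IMPOSSIBLE_TRAVEL_WINDOW):
            risk += 60
            reasons.append(f"impossible travel {earlier.location} -> {later.location}")
            break
    # Device posture is another factor the engine can weigh on every evaluation.
    if recent and not recent[-1].device_compliant:
        risk += 30
        reasons.append("latest device not compliant")
    return risk, reasons


def beyondcorp_decide(history: List[AuthEvent], service: str, now: datetime) -> Decision:
    """BeyondCorp-style check: posture is re-evaluated for every request."""
    risk, reasons = risk_score(history, now)
    return Decision(risk <= SERVICE_RISK_LIMIT[service], risk, reasons)


def vpn_decide(authenticated_once: bool, service: str) -> Decision:
    """Contrasting VPN model: one authentication at tunnel setup, then access to
    every segment the tunnel reaches, regardless of later events."""
    return Decision(authenticated_once, 0, ["single authentication at tunnel setup"])


def demo() -> Dict[str, Decision]:
    """Alice authenticates twice, 5 minutes apart, from two locations (constructed)."""
    t0 = datetime(2021, 3, 1, 9, 0)
    history = [
        AuthEvent("alice", "Colorado Springs", t0),
        AuthEvent("alice", "Frankfurt", t0 + timedelta(minutes=5)),
    ]
    now = t0 + timedelta(minutes=6)
    return {svc: beyondcorp_decide(history, svc, now) for svc in SERVICE_RISK_LIMIT}


if __name__ == "__main__":
    for service, decision in demo().items():
        print(service, "allowed" if decision.allowed else "denied", decision.risk, decision.reasons)
    print("vpn hr-records", vpn_decide(True, "hr-records").allowed)
```

With the constructed history the engine scores Alice at 60: the low-sensitivity wiki stays reachable, while source control and HR records are denied until her posture improves, which is the "temporarily reduce your access" behaviour described above. The VPN function grants all of them because the only question it can ask is whether the tunnel was authenticated.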
While BeyondCorp has its strengths, it’s not without its challenges. Most BeyondCorp implementations do not work well outside of web browsers. There are a few reasons for this. Typically the authentication artifact, once you have passed through the identity provider, is a Layer 7 header or cookie. This means that your session is sandboxed within your browser. Cookies essentially make HTTP stateful.
What happens when you leave your web browser? Your other tooling, clients, and programs that are not aware of your browser often do not know how to handle these authentication workflows natively. Many of the tools were not designed with BeyondCorp in mind. There really isn’t a standard either. There are a number of ways to solve this, and really it depends upon what you are protecting and how you want your end-users to access it.
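To make the browser-sandboxing problem concrete, here is an added example (written for this post, not code from any BeyondCorp implementation) of the Layer 7 check an identity-aware proxy performs on each request. It assumes the proxy and the identity provider share an HMAC key so the proxy can verify the session the identity provider issued, and that the session travels in a cookie named iap_session; both the key and the cookie name are constructed for the example. A browser that has been through the identity provider sends the cookie and is forwarded; a command-line client with no notion of that browser session gets a 401 and a redirect it cannot follow. The Authorization: Bearer path shows one of the non-standard accommodations the post alludes to, where the same session token is handed to a non-browser tool and presented in a header instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumed shared secret between identity provider and proxy (constructed, not a real key).
PROXY_KEY = b"example-shared-key-for-illustration-only"
SESSION_COOKIE = "iap_session"   # assumed cookie name


def _sign(payload: str) -> str:
    return hmac.new(PROXY_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_session(user: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """What the identity provider sets as the cookie value after a successful login:
    a base64 JSON claim set plus an HMAC over it."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": user, "exp": now + ttl_seconds}, separators=(",", ":"))
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    return f"{payload}.{_sign(payload)}"


def verify_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the token names if it is well-formed, correctly signed and
    unexpired; otherwise None."""
    now = time.time() if now is None else now
    payload, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims["sub"] if claims.get("exp", 0) > now else None


def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> value of the named cookie."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def proxy_decision(headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, str]:
    """The per-request Layer 7 check: find a session in the browser cookie, or, as a
    non-browser accommodation, in an Authorization: Bearer header."""
    token = None
    if "Cookie" in headers:
        token = _cookie_value(headers["Cookie"], SESSION_COOKIE)
    auth = headers.get("Authorization", "")
    if token is None and auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
    if token is None:
        # A browser would follow this redirect; a CLI tool typically cannot.
        return 302, "no session: redirect to identity provider"
    user = verify_session(token, now)
    if user is None:
        return 401, "invalid or expired session"
    return 200, f"forwarded upstream as {user}"


if __name__ == "__main__":
    tok = mint_session("alice")
    print("browser:", proxy_decision({"Cookie": f"{SESSION_COOKIE}={tok}"}))
    print("cli, no session:", proxy_decision({"User-Agent": "curl/7.79"}))
    print("cli, bearer:", proxy_decision({"Authorization": f"Bearer {tok}"}))
```

Because the session lives entirely in a cookie the browser manages, nothing in the CLI request carries it, which is exactly why tools built without BeyondCorp in mind stall at the identity provider's redirect. Presenting the same token in a header works, but as the post notes there is no standard for how a non-browser client obtains and stores that token, so each deployment ends up defining its own convention.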
I’ve had a lot of experience working with these types of technologies in the DoD. I helped a division of the Air Force roll out many variations of implementations to solve a variety of cases. The next generation of BeyondCorp will certainly need to develop some standards around access models so that application developers can create access methods which leverage these powerful and secure technologies.