Google is rolling out a suite of new zero trust security capabilities built directly into its Chrome browser.
The suite, called BeyondCorp Enterprise, is designed to expand on and replace BeyondCorp Remote Access, the company’s cloud-based subscription tool that helps workers securely log in to their work systems and applications from home. The expansion announced this week includes a number of new features, including phish-resistant authentication, embedded data and threat protection, DDoS protection, continuous user authorization agentless support and other services that before now were only available internally to Google employees.
Sunil Potti, vice president and general manager of Google’s cloud security division, told reporters in a briefing last week that while the company has been working on the initiative for years, the widespread shift to remote telework in the face of COVID-19 and major security incidents like the SolarWinds hack over the past year have underlined the need for a “seismic change” in how companies manage security risks across different operating system environments.
“Ultimately someone has to come in and say ‘I like a mobile world where a new OS really had built in security [but] we still live in a world of heterogenous [operating systems]’, whether it be public clouds, private clouds and so forth,” he said. “So, unless we take a seismic change in terms of offering zero trust OS as a layer that sits on top of this hybrid environment, I don’t think we’ll ever make a sea change in terms of trust and risk management.”
Few companies in the world can move markets and bring the kind of comprehensive resources and infrastructure to back up their security solutions. A common piece of feedback from customers in the past has been that while they find Google’s tools attractive, they lack the same network, resources and engineering staff to fully take advantage of them. For example, the company said users will now receive the same DDoS protection services that helped them absorb the largest-ever DDoS attack known to date. That attack, which took place in 2017, directed up to two terabytes of internet traffic per second at Google Cloud servers.
In order to address those concerns and help bridge BeyondCorp’s services across different OS environments, Potti said it made sense to build them directly into Chrome, the company’s web browser that has been downloaded more than 2 billion times since its inception.
“The closest thing that we can think of as a universal agent that can bootstrap these capabilities is a browser,” he said. “[We thought] what if we could light up Chrome to provide BeyondCorp capabilities [like] advanced data, data loss prevention, and a variety of capabilities that otherwise would have been provided in a discreet fashion?”
Towards that same goal, Google is partnering up with a cross section of other security companies, including Check Point, Palo Alto Networks, Symantec, Tanium, VMWare, Citrix, CrowdStrike, JAMF and Lookout to incorporate endpoint telemetry data and integrate other BeyondCorp Enterprise capabilities across different products and security environments.
Tanium CEO Orion Hindawi said many of their government and Fortune 100 customers have known for years that they need to move more forcefully in the direction of zero trust solutions but that the market has thus far presented piecemeal capabilities, like remote access, that must be awkwardly stitched together with products and services from different vendors.
“What the industry historically has presented was a very fractured model, so that in essence [companies] had to cobble together potentially ten different vendors to get a continuous zero trust experience, and just keeping that working was something that was beyond the vast majority of companies…even at the Fortune 100 level,” he said.
An end-to-end zero trust solution backed by Google’s infrastructure and a variety of industry partnerships has the potential to not only integrate real-time endpoint data from companies like Tanium, but improve it over time.
“They’ve been really intentional about creating an ecosystem that let us plug in and both harvest value from that ecosystem but also present value to it,” Hindawi said.
Google’s announcement marks a doubling down of the bet being made, both by industry behemoths and Silicon Valley, that a fundamental shift in cybersecurity is underway: companies will be pushed away from managed corporate networks and trusted insiders and towards a model where each user, device and interaction must be continuously authorized and authenticated.
An August 2020 report from Research And Markets expects the zero trust market to see compound annual growth of 18% over the next five years, citing the effects of a mobile workforce and an increasing reliance on cloud applications. Exponential increases in successful digital attacks from cybercriminal groups over the years have cost companies tens of billions of dollars in losses and further degraded the concept of a security perimeter in the minds of many defenders.
“The increasing activities of cybercriminals who are becoming successful at penetrating and moving laterally within the security perimeter are expected to drive the implementation of zero-trust security because organizations that rely solely on on-premises firewalls and VPNs lack the visibility, solution integration, and agility to deliver timely, end to end security coverage,” the report noted.
Some skeptics argue that zero trust practices must balance accessibility and supporting the mission with security, noting that the perfect security system is usually one that is so restrictive it can’t be used at all. When asked by SC Media how the company toed that line while building BeyondCorp Enterprise for customers, Potti said he understood the concerns but noted that in this instance, he and other Google employees are largely eating their own breakfast.
“I think it’s a really good question between security and usability; it tends to be one of those constant tradeoffs,” he answered. “I’ll tell you that the solution we’re offering to customers is essentially the solution that I use every day. I pretty much cannot work without using that solution and our 100,000 plus employees have the same thing.”