How does Google manage its own devices? With a huge range of devices on multiple platforms used by over 61,000 employees, it’s no small feat.
Google’s Technical Infrastructure organization is tasked with protecting employees against sophisticated adversaries, while ensuring that corporate security practices do not interfere with Google’s culture of innovation, freedom and flexibility. It accomplishes this with a tiered access security model that categorizes corporate services and devices into trust tiers to determine access.
Today, we are sharing details about our tiered access approach so that IT admins can use it to deploy devices in their organizations.
In contrast to traditional security models, tiered access looks at a wide range of variables to make granular decisions regarding access. These variables go beyond simple user authentications—for example, device state, group permissions and required level of trust for a particular employee role are all taken into account.
First, internal services are associated with a trust tier according to the sensitivity of the data. A service can have one minimum trust tier or a more granular model of access where components and/or capabilities (e.g. read or write access) have different minimum trust tiers based on risk.
Second, as resource requests are made from devices, user credentials are verified and the state of the device is queried to assess its risk profile. On successful user verification, access to services is granted only if the assessed risk profile of the device matches the required trust tier.
When implementing tiered access, there are three main components to consider:
Client base and data sources: what is the composition of your organization’s fleet of devices and what data do you have about them?
Access intelligence and gateways: what technology can you use to evaluate a set of policies and make access decisions? How close to when some attempts to access information can these decisions be made?
Services to be accessed: what services need access controls and how will you classify the sensitivity of those services?
For Google, tiered access is a powerful tool that goes hand in hand with a larger project called BeyondCorp, which challenges the traditional security assumptions that private or “internal” IP addresses represented a “more trusted” device than those coming from the internet, and is now available as a GCP service called Identity-Aware Proxy (IAP).
To learn more about taking a similarly dynamic, flexible approach to security when planning device deployments, check out the second edition in Google Cloud’s best practice series, which shares recommendations for IT decision-makers deploying Android and Chrome devices.