Why BeyondCorp doesn’t mean a Zero Trust endpoint

Henry Harrison

By Henry Harrison


Increasing numbers of organizations are starting to talk seriously about doing away with their enterprise networks. It’s hardly a new idea. The Jericho Forum was founded back in 2004 to address the issue of what they called “de-perimeterization” – the fact that with mobility and cloud services, the traditional physical network perimeter (as defined by a firewall) was no longer a very useful concept. But nearly 15 years on, the traditional perimeter soldiers on in most enterprises. But now it seems like mainstream, conservative enterprises are now seriously talking about a future model where they just provide raw Internet to the desktop. As so often, we can probably trace a lot of this to Google with their 2014 “BeyondCorp” paper (https://cloud.google.com/beyondcorp/) but the logic is pretty simple: if employees spend half their time working from home or on the road, plugged into the raw Internet, why do anything different in the office?

Zero trust – up to a point

For all but the very highest security environments, I’m a big supporter. But from some of the conversations I’m having, it seems like quite a few people are confusing “raw Internet to the desktop” with “stop worrying about endpoint security”. In most cases that would be a big mistake. Yes to a Zero Trust network. No to a zero trust endpoint. If the user’s endpoint gets compromised, the attacker may have complete control over that endpoint. In that case, anything the user can do, the attacker can too. So, if the user can initiate a large order, or a refund, or change a customer’s details – so can the attacker.

2FA to the rescue?

This is a problem that we all know well: how to protect the money in our bank accounts given that we carry out online banking from potentially insecure endpoints. The technical answer is two factor authentication: when we ask to carry out a sensitive transaction, we may have to confirm it using a second, more secure device. Here in the UK, online business banking and some online consumer banking relies on hardware card readers to validate that a transaction has been initiated by a valid user. But use of hardware 2FA devices for online banking is not ubiquitous, and the reason for that is that users hate it. In many cases, banks would rather take the hit of the inevitable cyber crime than force their users to use 2FA. This will be even more of a factor for enterprise computing. If we have to use 2FA every time we save a file or update a database record, life will become intolerable. And there’s an additional consideration: if you make people use 2FA too much, they get blasé about it. That means it gets easier for an attacker to persuade them to enter their 2FA details in a way that allows the attacker to reuse them. But the situation gets even worse if users have access to sensitive information.

Scraping sensitive data

Many of those looking at “internet-to-the-desktop” models are also talking about “getting all the data off the endpoint” and using it purely as a viewing mechanism for access to data on servers. That’s all well and good, but at the end of the day the same principle remains: if the user can see the data, so can an attacker. Even if the data’s never “on” the endpoint, it’s displayed on the endpoint – and it wouldn’t be very difficult for an attacker to capture the data by scrolling through screen displays. Which means that endpoint security remains just as important in a BeyondCorp/Zero-Trust-Network/Software-Defined-Perimeter/internet-to-the-desktop model as it does in a traditional enterprise networking model.

From de-perimeterization to re-perimeterization

I actually see the whole thing as a sort of “re-perimeterization” (to abuse the Jericho Forum’s original terminology). Having dispensed with the old physically-defined perimeters, we need to define new perimeters based on what we trust and what we don’t. That’s the BeyondCorp model for protecting servers: both trusted and untrusted endpoints are attached to the Internet, and the new model is all about making it simple and easy to ensure that only trusted endpoints are allowed to talk to our sensitive servers. But the same approach needs to be adopted for protecting endpoints. Both trusted servers and highly dangerous servers are attached to the Internet: the new model needs to ensure that our endpoints can only talk to the servers that we trust. Of course, that’s all very well, but 21st century knowledge workers also need access to information that comes from servers we don’t trust. One option of course is to tell them to use their phone. But when users complain that that’s not an acceptable way to have to work (and anyway, what about the risks of compromised phones?) you need an ultra-secure browsing technology to give them back access to the information they need while preserving the security of their endpoint. Just make sure that it delivers a good user experience at scale and most importantly, make sure it really is highly secure.