
Google Reveals Own Security Regime Policy Trusts No Network, Ever (theregister.co.uk) 41

Darren Pauli, reporting for The Register: Google sees little distinction between boardrooms and bars, cubicles and coffee shops; all are untrusted under its perimeter-less security model detailed in a paper published this week. The "BeyondCorp model" under development for more than five years is a zero-trust network model where the user is king and log in location means little. Staff devices including laptops and phones are logged into a device inventory service which contains trust information and snapshots of the devices at a given time. Employees are awarded varying levels of trust provided they meet minimum criteria which authors Barclay Osborn, Justin McWilliams, Betsy Beyer, and Max Saltonstall say reduces maintenance cost and improves device usability (PDF).
This discussion has been archived. No new comments can be posted.

  • Trust No Network Ever.

    • Yea, I agree with all the breaches over the last few years, credit card companies, stores, HOSPITALS. Any network can be taken over by viruses, Trojans, ransomware, etc. Better to go by D.T.A. at this point. (Don't Trust Anything)
    • If you trust them, they suddenly shut down and brick your devices. And this is just one of their own networks - Nest.
      • Oh boo hoo. You bought a device that relies on other people's servers to even function, and you're surprised that you don't really have a say in how long that server will be kept running?

        Welcome to the Internet of Things, where you have to rely on the goodwill of other people to keep their services running. Newsflash: "Lifetime service" in an EULA does not mean what you think it means.

        • by DeVilla ( 4563 )
          These days I'm afraid to buy almost any electronic device. They don't advertise their devices are cloud dependent and have a "privacy policy" with boundary issues. The sales people in brick and mortar stores don't know either. You can't know until it's too late.
    • by Gr8Apes ( 679165 )
      Technically, you should never trust your own network, including internal production networks. 3 tier ring a bell? It's not news and hasn't been for 2 decades. I guess Google finally got the memo?
    • by AHuxley ( 892839 )
      Except for the NSL that got the gov server and splitters in so deep in the network that it looked at everything in plain text.
      That new internal gov network was trusted.
      All the staff who saw the strange new hardware and flood of outgoing connections and said nothing, reported nothing.
      It's kind of hard to clean up after years of having a mil or gov teams just connect deep into any network.
    • Even that is too narrow.

      Never trust.

  • Good idea. (Score:4, Interesting)

    by LWATCDR ( 28044 ) on Wednesday April 06, 2016 @01:39PM (#51854715) Homepage Journal

    Way back in the day a company I worked for had done a good job securing our network...
    Until a developer went to a conference and plugged his network in the hotel network then brought it back inside our firewall.
    We did catch the problem very quickly and only a few machines were infected but we locked things down even more after that.

  • by Shawn Willden ( 2914343 ) on Wednesday April 06, 2016 @04:24PM (#51856157)

    The summary says "Employees are awarded varying levels of trust provided they meet minimum criteria". That should say "employee devices...". Employees, of course, do have differing levels of access to various resources, based on the needs of their jobs, with very fine-grained access control. But the criteria-based trust the article is talking about varies based on device, not user. For example, because my phone isn't "fully trusted" (because I don't want to accept the authentication and other requirements that would impose), it can't access the bug report database or the code repositories, but it does have access to the employee directory, my company e-mail and calendar, etc. My laptop is fully trusted because of how it's configured and I can use it to look at anything I'm authorized to see.

    The key point, though, is that all of this is completely network-independent. It doesn't matter if I'm connected directly to an internal LAN or sitting in a coffee shop, my access, based on my device and my authenticated identity, is the same. Google does still have VPN infrastructure for some legacy services that haven't been fully migrated to the perimeter-less architecture, but that's being phased out as those services are upgraded or replaced. I only use my VPN client a few times per year, and eventually I won't need it at all.
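
The access decision described in the comment above, as an added example that is not part of the thread or of Google's code: the device tier is derived from an inventory snapshot, the user's entitlements are checked separately, and the source network is never consulted. Tier names, tier criteria, resource names and the seven-day snapshot freshness window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TIERS = {"untrusted": 0, "basic": 1, "full": 2}  # hypothetical tier names

# Hypothetical resource policy: minimum device tier each service requires.
RESOURCE_MIN_TIER = {
    "employee-directory": "basic", "email": "basic", "calendar": "basic",
    "bug-database": "full", "code-repository": "full",
}
MAX_SNAPSHOT_AGE = timedelta(days=7)  # assumed freshness requirement

@dataclass
class DeviceSnapshot:           # one device-inventory record (constructed fields)
    device_id: str
    managed: bool
    disk_encrypted: bool
    strong_auth_enrolled: bool  # stricter requirement a user may decline
    taken_at: datetime

def device_tier(snap, now):
    """Derive a trust tier from the inventory snapshot; stale data earns none."""
    if now - snap.taken_at > MAX_SNAPSHOT_AGE or not snap.managed:
        return "untrusted"
    if snap.disk_encrypted and snap.strong_auth_enrolled:
        return "full"
    return "basic"

def authorize(user_grants, snap, resource, now, source_ip=None):
    """Allow only if the user is entitled AND the device tier is high enough.
    source_ip is accepted for logging but never consulted for the decision."""
    if resource not in RESOURCE_MIN_TIER:
        return False, "unknown resource"      # default deny
    if resource not in user_grants:
        return False, "user not authorized"
    tier, needed = device_tier(snap, now), RESOURCE_MIN_TIER[resource]
    if TIERS[tier] < TIERS[needed]:
        return False, f"device tier {tier} below {needed}"
    return True, f"allowed at device tier {tier}"

# Constructed sample data: one user, a phone, a laptop, and a stale laptop record.
NOW = datetime(2016, 4, 6, tzinfo=timezone.utc)
PHONE = DeviceSnapshot("phone-1", True, True, False, NOW - timedelta(days=1))
LAPTOP = DeviceSnapshot("laptop-1", True, True, True, NOW - timedelta(days=1))
STALE = DeviceSnapshot("laptop-2", True, True, True, NOW - timedelta(days=30))
GRANTS = {"email", "calendar", "employee-directory", "bug-database"}

if __name__ == "__main__":
    for dev in (PHONE, LAPTOP, STALE):
        for ip in ("10.0.0.5", "203.0.113.9"):  # internal LAN vs. coffee shop
            print(dev.device_id, ip, authorize(GRANTS, dev, "bug-database", NOW, ip))
```
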

  • crunchy on the outside, but soft and chewy on the inside!
