Hi, I'm Max, one of the two people who gave the talk this post references. I work in Google Cloud and help publish papers about how we have done BeyondCorp. Ask me questions!
Each time an employee tries to connect to an application, the access proxy makes an evaluation of how much trust that session can earn, and if it's equal to or greater than the trust required by the application, the proxy allows the traffic through.
The trust earning is based on host/machine information as well as user and authentication information.
Hi, I'm Max. I gave the talk that this article mentions, and have helped publish papers about BeyondCorp over the last few years. At Google I work in the Cloud CTO Office. I'm eager to get your feedback on what we can explain better, and answer your questions.
Exactly. And because you can't be sure that the intervening network is safe, you need to encrypt all the traffic, even after checking authorization and authentication. That's the BeyondCorp mission at Google.
[Disclaimer: I work for Google, and worked on these papers and blog post]
You're right, the initial version of Identity-Aware Proxy (IAP) is for Cloud applications, but that's not the end of the story, and we're learning from BeyondCorp's 7 year journey to inform the direction of IAP going forward.
[I work at Google, and helped make these papers, and blog post, happen]
Working on that now, I think I messed up on my end with our internal tool, hope to have the full PDF download from research.google.com in a day or two, maybe next week if I epic failed.
[I work at Google, and helped make these papers, and blog post, happen]
That's correct. Previous papers touch on the inventory data pipeline and machine health, though without as much detail as I might like in your shoes. Our agents track a wide variety of things on client machines, and we use that inventory data to determine how trustworthy a machine could be.
[I work at Google, and helped make these papers, and blog post, happen]
Bring Your Own Device is fine for ChromeOS and Mobile. You might not get the full amount of trust as a Google-issued device (for mobile/tablet).
To achieve the highest levels of access in the BeyondCorp model you need a machine with Google's management agents, so we can evaluate device state accurately and pull information from our inventory management system.