
Features

Contents

Identity and Context-Aware Access Control
  1. Introduction (preview, 1m 49s)
  2. Zero Trust Security (preview, 3m 37s)
  3. Features (3m 25s)
  4. Demo (14m 39s)
  5. Summary (1m 40s)

Difficulty: Intermediate
Duration: 25m
Students: 88
Ratings: 5/5
Description

This course explores Zero Trust and how it can be implemented using BeyondCorp Enterprise. We also look at securing resources and applying access levels. 

Learning Objectives

  • Explaining the Zero Trust Security Model
  • Implementing Zero Trust using BeyondCorp Enterprise
  • Securing resources with an Identity-Aware Proxy
  • Extending security by creating and applying access levels

Intended Audience 

  • GCP Developers
  • GCP Security Engineers

Prerequisites 

  • Access to a GCP account
Transcript

BeyondCorp Enterprise is Google's implementation of the zero trust model.  It provides secure access to your GCP resources with integrated threat and data protection.  By shifting access controls from the network perimeter to the individual user, BeyondCorp allows employees to work securely from any location without the need for a VPN.

BeyondCorp consists of three main components: Chrome browser integration, Identity-Aware Proxy, and Access Policies. 

First, by integrating with the Chrome browser, you can protect your employees' machines without having to install a separate agent application.  Not only do they get the built-in security features of Chrome, but BeyondCorp also provides additional protections against malware and social engineering.  You can create Data Loss Prevention (or DLP) rules, as well as get security alerts and reporting tools.

Second, an Identity-Aware Proxy (IAP) gives you a central authorization layer for managing access to web applications and cloud resources.  When a user tries to access an IAP-secured resource, IAP performs the authentication and authorization checks, and the user must hold the correct IAM role on that resource.  This gives you fine-grained access controls for each product without requiring a VPN.

Third, you can define access policies and then apply them to all of your applications and resources.  IAP policies scale across your whole organization, so you can easily verify that everything is correct and up to date.  You can configure policies based upon user identity, device health, and other factors.

With BeyondCorp, you can ensure everyone can access just the resources they need.  It can help secure your Google APIs, as well as modern or legacy apps.  Basically, if it runs on Compute Engine, App Engine or GKE, you can protect it.

BeyondCorp Enterprise is offered as an additional service on top of GCP.  You get a number of standard features for free just for being a GCP customer.  However, there are additional protections that are only available if you pay for BeyondCorp Enterprise.  Here is a table summarizing the two tiers:

You can see that if you are interested in protecting applications and VMs with identity, that is already included in the baseline features.  However, if you want to protect an application that is running outside of GCP (say on-premises or on another cloud service provider), you are going to have to upgrade to get that feature.  The baseline features will allow you to add IP- and location-based rules.  But if you want to get fancier with device-based rules or custom rules, again you will have to upgrade to get those features.
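To make the two building blocks above concrete, here is an added Terraform example (written for this page, not code from the course or from Google) showing an IP- and region-based access level, a device-based access level of the kind the lecture says needs the paid tier, and an IAP IAM binding that only grants the application role when the request satisfies the network access level. The project id, access policy id, backend service name, group address and CIDR range are all placeholders or constructed values.

```hcl
# Added example for this page; not part of the course material.
# Terraform, google provider. All identifiers below are placeholders.

locals {
  project       = "PROJECT_ID"        # placeholder project id
  access_policy = "ACCESS_POLICY_ID"  # placeholder numeric id of the organization's access policy
}

# Baseline-tier access level: IP- and location-based rule.
# Fields inside one "conditions" block are ANDed together.
resource "google_access_context_manager_access_level" "corp_network" {
  parent = "accessPolicies/${local.access_policy}"
  name   = "accessPolicies/${local.access_policy}/accessLevels/corp_network"
  title  = "Corporate network"

  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"] # constructed example range (TEST-NET-3)
      regions        = ["US", "CA"]       # ISO country codes
    }
  }
}

# Device-based access level (per the lecture, this requires the paid
# BeyondCorp Enterprise tier, which supplies device health data).
resource "google_access_context_manager_access_level" "managed_device" {
  parent = "accessPolicies/${local.access_policy}"
  name   = "accessPolicies/${local.access_policy}/accessLevels/managed_device"
  title  = "Company-owned, encrypted device with screen lock"

  basic {
    conditions {
      device_policy {
        require_screen_lock         = true
        require_corp_owned          = true
        allowed_encryption_statuses = ["ENCRYPTED"]
      }
    }
  }
}

# IAP binding on a backend service: the group gets the IAP-secured Web App
# User role only when the request carries the corp_network access level.
resource "google_iap_web_backend_service_iam_member" "app_users" {
  project             = local.project
  web_backend_service = "BACKEND_SERVICE"            # placeholder backend service name
  role                = "roles/iap.httpsResourceAccessor"
  member              = "group:app-users@example.com" # constructed group address

  condition {
    title       = "require-corp-network"
    description = "Grant only when the corporate network access level is satisfied"
    # The expression must reference the access level's full resource name.
    expression  = "\"${google_access_context_manager_access_level.corp_network.name}\" in request.auth.access_levels"
  }
}
```

Two points worth checking when adapting this: the IAM condition matches the access level by its full `accessPolicies/.../accessLevels/...` name, so a typo there silently denies everyone, and the condition only takes effect at the IAP layer, so it must be bound on the resource IAP actually fronts (here the backend service) rather than on the project.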

If you are interested in upgrading, you are going to want to check out this URL to get the latest pricing information.

About the Author

Students: 18974
Courses: 29
Learning Paths: 11

Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.

Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.

When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.