Identity and Context-Aware Access Control
This course explores Zero Trust and how it can be implemented using BeyondCorp Enterprise. We also look at securing resources and applying access levels.
Learning Objectives
- Explaining the Zero Trust Security Model
- Implementing Zero Trust using BeyondCorp Enterprise
- Securing resources with an Identity-Aware Proxy
- Extending security by creating and applying access levels
Intended Audience
- GCP Developers
- GCP Security Engineers
Prerequisites
- Access to a GCP account
Traditionally, network security is based around perimeters and segmentation. Devices and users connected to the corporate network are trusted. Anything outside is distrusted. This model used to make sense, but does it still?
Originally, both engineers and servers were physically located in the same building, and everything was connected to the same private network. That means early on, security was mostly focused on the physical. Access to the server room equaled access to the servers. However, with the introduction of the internet and the cloud, things have become much more complicated.
The corporate network is slowly becoming a ghost town. Both machines and people are leaving. Servers are being shifted into the cloud, and employees are going remote. And yet we are still trying to funnel everything through the same old centralized design. VPN connections used to be outliers. Now they have become the norm. Mobile and IoT devices are on the rise. Threats now exist both inside and out. Many of our key assumptions no longer hold true.
For all these reasons, many companies today are adopting a “zero trust security model”. Zero trust means that you stop trusting by default. Ask yourself: Are your private networks actually private? Do you have clear perimeters, or are they becoming blurred? The new motto has become: “Never trust. Always verify.”
Zero trust means access is granted based upon device and credential, regardless of the network location. Except for latency, local and remote access should be nearly identical. The focus shifts away from connecting to networks (one-to-many) and toward one-to-one connections (either user-to-app or app-to-app). Zero trust eliminates the risk of lateral movement, and it prevents a compromised device from infecting other network resources.
This results in a number of obvious benefits:
Zero trust authentication does not require any extra software or provisioning on the client side. It can be practically invisible. Instead of fiddling with a VPN, your employees can simply use SSO with MFA.
Zero trust eliminates the risk of lateral movement. That means a single point of failure no longer gives an attacker free rein. Malicious actors have to attack each system individually. Also, infected devices cannot easily infect others. Your users and devices are shielded from direct internal attack.
Authentication and authorization are no longer tied to location. With a zero trust model, working from home or while traveling is just as easy as working from the office.
Essentially, zero trust is designed to protect modern systems from modern threats.
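To make the model concrete, here is a small added Python example (not from the course and not BeyondCorp Enterprise's API) of a context-aware access decision: the access-level conditions, per-app bindings, request fields and sample identities are all hypothetical, and the source IP is carried only for audit so that network location alone never grants access.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:  # one access attempt; source_ip is kept for audit only and never grants access
    user: str
    groups: frozenset          # group memberships asserted by the identity provider
    mfa: bool                  # credential passed an MFA challenge
    device_managed: bool       # device enrolled in endpoint management
    device_encrypted: bool     # disk encryption reported by the device
    source_ip: str

@dataclass(frozen=True)
class AccessLevel:  # hypothetical model of an access level: device and credential conditions
    name: str
    require_mfa: bool = False
    require_managed_device: bool = False
    require_encrypted_device: bool = False

    def unmet(self, req: Request) -> list[str]:
        """Names of the conditions this request fails (empty list means satisfied)."""
        required = {"mfa": (self.require_mfa, req.mfa),
                    "managed_device": (self.require_managed_device, req.device_managed),
                    "encrypted_device": (self.require_encrypted_device, req.device_encrypted)}
        return [k for k, (needed, have) in required.items() if needed and not have]

@dataclass(frozen=True)
class AppBinding:  # per-application policy: who may reach it, and under which access level
    app: str
    allowed_groups: frozenset
    level: AccessLevel

def decide(binding: AppBinding, req: Request) -> tuple[bool, str]:
    """One-to-one decision for a single app; nothing here grants network-wide access."""
    if not (req.groups & binding.allowed_groups):
        return False, f"{binding.app}: identity not authorized"
    missing = binding.level.unmet(req)
    if missing:
        return False, f"{binding.app}: level '{binding.level.name}' unmet ({', '.join(missing)})"
    return True, f"{binding.app}: allow"

def evaluate(bindings, req):  # each app is decided separately: a grant on one never carries to another
    return {b.app: decide(b, req)[0] for b in bindings}

# Constructed sample policy and requests, not taken from any real deployment.
BASIC = AccessLevel("basic", require_mfa=True)
TRUSTED = AccessLevel("trusted_device", True, True, True)
BINDINGS = [AppBinding("wiki", frozenset({"employees"}), BASIC),
            AppBinding("payroll", frozenset({"finance"}), TRUSTED)]
STAFF = frozenset({"employees", "finance"})
OFFICE_UNMANAGED = Request("ann", STAFF, True, False, False, "10.0.0.8")   # office LAN, personal laptop
HOME_MANAGED = Request("ann", STAFF, True, True, True, "203.0.113.7")      # home network, managed laptop
```

Run `evaluate(BINDINGS, OFFICE_UNMANAGED)` and `evaluate(BINDINGS, HOME_MANAGED)` to see the same user denied payroll from the office on an unmanaged laptop and allowed from home on a managed one, while the wiki decision is unaffected by either location.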
Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.
Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.
When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.