Telecom Review North America

BeyondProd: How Google Moved from Perimeter to Cloud Native Security
Wednesday, 12 February 2020 11:22

Google’s infrastructure runs on containers, orchestrated by Borg, the precursor to Kubernetes. Google’s architecture is the inspiration and template for what’s widely known as “cloud-native” today—using microservices and containers to enable workloads to be split into smaller, more manageable units for maintenance and discovery.

Google’s cloud-native architecture was developed prioritizing security as part of every evolution in the architecture. As many organizations seek to adopt cloud-native architectures, security teams can learn how Google has been securing its own architecture, and simplify their adoption of a similar security model.

BeyondProd: A New Approach to Cloud-Native Security

Modern security approaches have moved beyond a traditional perimeter-based security model, where a wall protects the perimeter and any users or services on the inside are fully trusted. In a cloud-native environment, the network perimeter still needs to be protected, but this security model is not enough—if a firewall can't fully protect a corporate network, it can't fully protect a production network either. In the same way that users aren't all in the same physical location or using the same device, developers don’t all deploy code to the same environment.

In 2014, Google introduced BeyondCorp, a network security model for users accessing the corporate network. BeyondCorp applied zero-trust principles to define corporate network access. At the same time, Google also applied these principles to how it connects machines, workloads, and services. The result is BeyondProd.

In BeyondProd, Google developed and optimized for the following security principles:

  • Protection of the network at the edge
  • No inherent mutual trust between services
  • Trusted machines running code with known provenance
  • Choke points for consistent policy enforcement across services, for example, ensuring authorized data access
  • Simple, automated, and standardized change rollout
  • Isolation between workloads

BeyondProd applies concepts like: mutually authenticated service endpoints, transport security, edge termination with global load balancing and denial of service protection, end-to-end code provenance, and runtime sandboxing.

Altogether, these controls mean that containers and the microservices running inside them can be deployed, communicate with one another, and run next to each other, securely, without burdening individual microservice developers with the security and implementation details of the underlying infrastructure.
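To make the “no inherent mutual trust between services”, “choke point for policy enforcement” and “known provenance” principles concrete, here is an added, deliberately simplified example of a single authorization choke point for a service-to-service call. It is not Google’s code and is not taken from the BeyondProd paper; the SPIFFE-style identity format, the allowlist policy, the trusted-builder set and the HMAC-based provenance attestation (standing in for a build system’s signed provenance record) are all constructed assumptions.

```python
"""Illustrative service-to-service authorization check (added example).
Every call passes through one decision function that:
  1. takes the caller's identity from the mutually authenticated transport,
  2. refuses cross-environment calls,
  3. checks an explicit caller/method allowlist,
  4. verifies that the caller's container image has trusted build provenance.
All identifiers, keys and formats here are constructed for the example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: key of a hypothetical provenance authority. A real system would
# use asymmetric signatures issued by the build system; HMAC stands in here.
PROVENANCE_KEY = b"constructed-demo-key-not-a-real-secret"
TRUSTED_BUILDERS = {"central-build"}

# Constructed allowlist: target service -> callers allowed and methods exposed.
ACCESS_POLICY = {
    "billing-api": {
        "callers": {"frontend", "invoice-worker"},
        "methods": {"GetInvoice", "ListInvoices"},
    },
}


@dataclass(frozen=True)
class PeerIdentity:
    environment: str
    service: str


def parse_identity(uri_san: str) -> Optional[PeerIdentity]:
    """Parse a constructed SPIFFE-style URI SAN such as
    'spiffe://example.internal/env/prod/svc/frontend', as it would be read
    from the peer certificate of a mutually authenticated connection.
    Returns None if the identity does not have the expected shape."""
    prefix = "spiffe://example.internal/"
    if not uri_san.startswith(prefix):
        return None
    parts = uri_san[len(prefix):].split("/")
    if len(parts) != 4 or parts[0] != "env" or parts[2] != "svc":
        return None
    if not parts[1] or not parts[3]:
        return None
    return PeerIdentity(environment=parts[1], service=parts[3])


def sign_provenance(image_digest: str, builder: str) -> str:
    """Issue an attestation that `builder` produced `image_digest`
    (stand-in for a signed provenance record from the build system)."""
    msg = f"{builder}:{image_digest}".encode()
    return hmac.new(PROVENANCE_KEY, msg, hashlib.sha256).hexdigest()


def verify_provenance(image_digest: str, builder: str, attestation: str) -> bool:
    """Accept only attestations from a trusted builder that match the digest."""
    if builder not in TRUSTED_BUILDERS:
        return False
    expected = sign_provenance(image_digest, builder)
    return hmac.compare_digest(expected, attestation)


def authorize(peer_uri_san: str, target: str, method: str,
              caller_image: str, caller_builder: str, attestation: str,
              target_environment: str = "prod") -> Tuple[bool, str]:
    """Single choke-point decision for one service-to-service request.
    Returns (allowed, reason); the reason is what a defender would log."""
    peer = parse_identity(peer_uri_san)
    if peer is None:
        return False, "unrecognized peer identity"
    if peer.environment != target_environment:
        return False, "cross-environment call refused"
    policy = ACCESS_POLICY.get(target)
    if policy is None:
        return False, "no policy for target"
    if peer.service not in policy["callers"]:
        return False, "caller not allowed"
    if method not in policy["methods"]:
        return False, "method not exposed"
    if not verify_provenance(caller_image, caller_builder, attestation):
        return False, "caller provenance not verified"
    return True, "allowed"


if __name__ == "__main__":
    digest = "sha256:" + "ab" * 32  # constructed image digest
    att = sign_provenance(digest, "central-build")
    print(authorize("spiffe://example.internal/env/prod/svc/frontend",
                    "billing-api", "GetInvoice", digest, "central-build", att))
```

The point of the structure is that no individual microservice has to implement any of these checks: identity comes from the transport, the allowlist and trusted-builder set are shared configuration, and every denial carries a reason that can be logged centrally.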

Applying BeyondProd

Over the years Google designed and developed internal tools and services to protect its infrastructure that follow these BeyondProd security principles. That transition to cloud-native security required changes to both its infrastructure and its development process. Google’s goal is to address security issues as early in the development and deployment lifecycle as possible—when addressing security issues can be less costly—and to do so in a way that is standardized and consistent. It was critical to build shared components, so that the burden was not on individual developers to meet common security requirements. Rather, security functionality requires little to no integration into each individual application, and is instead provided as a fabric that envelops and connects all microservices. The end result is that developers spend less time on security while achieving more secure outcomes.

If you’re looking to apply the principles of BeyondProd in your own environment, there are many components, available through Google Kubernetes Engine, Anthos, and open source, that you can leverage to achieve a similar architecture.