On-Demand Webinar: Rethinking Enterprise Security With Chrome Enterprise Premium (Formerly BeyondCorp Enterprise)

 

View this on-demand webinar hosted by Google Partner Promevo, featuring experts from Google.

In today's interconnected world, where remote work is becoming increasingly prevalent, traditional network security models are no longer sufficient to protect organizations from cyber threats. 

So, that begs the question, is your organization ready to adapt? 

Watch the on-demand webinar for a roundtable conversation with experts from Google and Google Partner Promevo to discuss: 

  • Why traditional approaches to enterprise security no longer cut it, and why you should adopt a zero-trust model  
  • How to deploy Chrome Enterprise Premium (formerly BeyondCorp Enterprise) and ensure your organization is following industry standards for data security
  • A demo of Chrome Enterprise Premium and setting policies

 

Video Chapters

  • 0:00 - Intro; The Modern Workforce: Browser Security is Critical
  • 1:40 - The Risks of Compromised Browsers
  • 2:48 - Common Web Security Concerns
  • 5:35 - Secure Enterprise Browsing
  • 7:30 - How do you Protect Corporate Data?
  • 8:18 - Live Look at Chrome Enterprise Premium
  • 28:07 - Built-in Threat & Data Protection
  • 29:15 - Third Party Protection
  • 30:25 - Policy Examples
  • 32:40 - Persona Examples
  • 33:52 - Simple Implementation - How does it work?
  • 36:16 - Is BeyondCorp good for a Small Business or Anyone Handling Sensitive Data?
  • 37:37 - Does this work in a Non-Chrome/Mixed Browser Environment?
  • 39:35 - Is there a specific Tier needed for Chrome Enterprise Premium / Is Workspace required?

Transcript

Alexandre Popp: 

Thank you all for joining. For the next 3 to 4 minutes, I'll provide a 30,000-foot view of what Google is seeing. It's a good introduction. Our friends from Promevo can offer a more pointed perspective based on their work with customers.

The points I'll touch on are not groundbreaking but make sense intuitively. In the post-COVID age, hybrid work is here to stay. Workers will be in transit, remote, or meeting customers in the field. The idea of everyone being in the office is unlikely to return soon. The topology of the modern worker has changed, with discussions about the rise of the cloud worker.

A cloud worker spends most of their time in the browser, accessing 3 to 5 applications for work. Centralizing work in the browser enhances productivity, but it also increases the number of threats and their consequences. The browser remains a leading vector for compromise, and the average cost of a breach continues to rise.

Moving on to security concerns stemming from the browser, risks include browser extensions, lack of control over browsers, and vulnerabilities leading to phishing and malware. Admins must have visibility into how employees access content, data, and applications to discover threats and recover.

Data exfiltration is a significant concern, often resulting from human error like opening malicious links. Embedding security within the browser could mitigate such risks. Unmanaged devices, including BYOD trends, remain a challenge, especially with the uncertainty of remote or office work.

In summary, these are six high-level security concerns seen at Google. To counter these, we propose engendering a secure enterprise browsing approach with characteristics such as treating security as a first-class citizen, real-time protection, and flexibility for administrators to manage security policies.

The goal is to balance user productivity while ensuring secure interactions with data, applications, and content. Google's tagline for secure enterprise browsing is about protecting corporate data while enabling users to work securely from anywhere and with any device.

In practice, this involves mitigating data exfiltration, real-time user protection, and adopting a zero-trust approach. 

Now, let's transition to the data that will illustrate what this approach looks like. David, over to you.

David Aulick:

Great, thanks, Alex. Let me share my screen. We'll dive into an actual configuration of BeyondCorp, focusing on protecting data exfiltration from the Chrome browser and its integration with data loss prevention. I believe this will come together nicely.

Bear with me as I walk you through this. The first step is setting up context conditions. We define conditions like meeting specific criteria or not, and then actions are taken based on the set level. These levels can allow temporary access, restrict access to certain workdays or time periods, and adjust access based on device status, such as admin approval, encryption, and ownership.

Now, let's create an access level, starting with a simple example like locales. But note that these principles apply to BeyondCorp as a whole. I'll be demonstrating Chrome data loss prevention today, but it extends to other aspects like hybrid cloud, Google Cloud Platform, and Workspace APIs. For locales, let's say we want access only from the United States. This means anyone outside the U.S., as determined by their IP address, won't have access. Geo-IP is one condition among others like device status, device OS, and IP range.

Once these access levels are defined, we apply them. Now, let's combine a BeyondCorp access rule with a data loss prevention rule, specifically in the Chrome browser. In data loss prevention, we set up rules for file uploads, downloads, content pasted, and content printed. We then define conditions, such as detecting credit card numbers.

This rule is now combined with the access level. Users must meet the context conditions for the rule to apply. For instance, if a user is on a non-company-owned device, they won't be able to copy-paste, download, or upload sensitive data.

We move to the actions section where we choose to block. You can also allow it with a warning or set it to audit-only for a less intrusive rollout. Alerts can be sent to the Google Alert Center or specified email recipients.

Now, let me show you an example. I have a document with a credit card-like number. When attempting to download, it checks against organization policies and denies the download. The user receives a customizable message indicating the potential presence of sensitive data.

This level of control extends to other actions like printing. If someone tries to print sensitive content, it undergoes the same scrutiny, maintaining a secure posture.

This triggered the rule — attempting to print a document with a credit card number — so we block it.

Now, let's delve deeper into this scenario from an administrator's perspective. When incidents occur, like the one we just witnessed, the information is sent to the alert center. You can view details, such as the triggered event (printing in this case), file name (credit card number), detector name, and actions taken (an alert and blocking page printing).

In the alert center, you can assign investigators, set statuses, and review related alerts. The investigation tool allows you to explore Chrome log events related to sensitive data transfers. You can filter events, review details, and even take actions like suspending a user or forcing a password reset.

To provide a meta-level overview, the Security Center dashboard summarizes data protection incidents, including unsafe site visits, password reuse, malware transfers, and sensitive data transfers. This visual representation offers insights into different categories and helps identify high-risk domains. The Data Protection Summary provides a clear visualization of activities, and you can export metrics for further analysis.

The Chrome blocking with DLP extends to reporting, allowing you to export data for analytics. You can pivot back to the investigation tool to focus on specific incidents. This comprehensive approach ensures a holistic view of context-aware access, data loss prevention, and security incidents related to the Chrome browser.

Now, let's move to the slides. Based on our practical examples, the following information should tie everything together and emphasize the utility and necessity of this solution in an organization.

Let's dive into some more examples to showcase the versatility of BeyondCorp. Imagine you want to limit access to shift workers only during their designated hours. We can make that happen with time-based controls. Need to grant temporary access? No problem. You can even set it to expire after a certain period, offering more flexibility than just sticking to recurring schedules like typical shift hours.

Now, let's talk security. You want to ensure that access happens only through managed Chrome browsers with the latest updates. Simple enough, but hey, technology moves fast, and we need to keep up. So, regular updates are key. Speaking of security, devices with screen lock enabled should be the standard for access.

But let's talk about user login credentials. If someone doesn't have a security key set up, it's a red flag, right? Deny access. It's an extra layer of protection. And how about keeping an eye on the freshness of data? If you're using CrowdStrike, you can set a condition that only allows access if the data has been updated within a specific timeframe. Want to keep your Drive files in the cloud? No worries. You can disable downloading.

Now, these are just examples. The beauty of BeyondCorp is that you can get creative. Mix it up with Chrome, third-party vendors, SaaS apps, Google Cloud Platform, other cloud providers, and on-prem solutions. It's your security cocktail.

Let's tailor this to different roles in your organization. Employees? They get access to specific web apps, nothing more, nothing less. Frontline workers? Maybe just the point-of-sale system, no web surfing allowed. Call center staff? Internal call center apps only, keeping customer data and PII safe. And for vendors, contractors, and consultants, let's bring them under the same policy umbrella.

BYOD policies? Sure, we got that covered too. Controlled access to specific apps, securing corporate records and sensitive info.

Now, how does this all work? Picture it as a seamless addition to your existing security setup. No need for extra programs on machines. You can deploy it silently, and hey, you can take it slow. Start with a pilot, define your groups, and expand gradually. No disruption to your legacy items. BeyondCorp grows with your deployment.

So, any questions on this security fiesta?

Brandon Carter: 

Hey, David, thanks for that! It was pretty insightful, and I've got to say, it's not every day you see a demo that's both useful and cool. I mean, I've worked in security, and finding something compelling can be a real challenge, so kudos for that live walkthrough. And Alex, your dive into the background, shedding light on the importance of BeyondCorp, really sets the stage.

That stat about 54% of IT departments feeling overwhelmed by modern cyber attacks hits hard. I mean, who would've thought more than half of them would admit it? It's a tough field.

Now, let's address a question from the audience. Do you guys have any thoughts on whether BeyondCorp is suitable for businesses of different sizes? I mean, the name says "BeyondCorp Enterprise," but it sounds like it's not just for the big players. What's your take on that?

Alexandre Popp: 

Absolutely! BeyondCorp can flex its security muscles in any ring, be it a small startup, a mid-sized enterprise, or the big players. We've seen it provide robust protection for smaller user groups and scale seamlessly to cover the needs of large enterprises. The simplicity of implementation ensures that even businesses with limited resources can roll it out without breaking a sweat.

Brandon Carter: 

Got it. So, the scalability and adaptability make it accessible for all sizes. That's good to know. Now, onto a topic that's been floating around the questions. Does BeyondCorp play well in a non-Chrome or mixed environment? I'm guessing people are wondering if they need to go all-in on Chromebooks.

Alexandre Popp: 

You've nailed it! Chrome is the main player here. The Chrome browser is a must-have, and the endpoint verification extension is the communicator for device context. Sure, you can get some details without it, but this extension ensures your device is continually meeting the required context. 

So, in essence, you're hitching a ride on the Chrome ecosystem for your company's data safety. And hey, if you want to enforce Chrome usage, you can set policies to mandate it, adding an extra layer of control.

Brandon Carter: 

Makes sense! Chrome is the VIP in this scenario. And you've got tools to enforce it. Now, let's wrap up with a common query. Is there a specific Workspace tier required, or any additional products needed for BeyondCorp? I mean, does it only work in the Workspace environment?

Alexandre Popp: 

No need to worry about specific tiers! BeyondCorp isn't picky. It extends the security controls you have in Workspace. So, any Workspace license will do the job. The specific security controls at your disposal, though, depend on your Workspace licensing.

Brandon Carter: 

Great! So, it's more about leveraging what you already have in Workspace. Thanks for clearing that up. This BeyondCorp journey seems pretty versatile and user-friendly.

Presenters

Alexandre Popp

Partner Development Manager, Google
David Aulick

Practice Director, Infrastructure Modernization, Promevo
Brandon Carter

Marketing Director, Promevo
