Today's cloud-based, remote workplaces can no longer rely on a network perimeter and consumer-grade web browsers for security. The current ideal is to use secure enterprise browsers to safely run SaaS and cloud-hosted web applications, and to implement a zero-trust network model to enforce rigorous access policies, regardless of location, role or previous authorization.
Secure access service edge (SASE) and security service edge (SSE) models offer two possible ways to achieve this goal, but they may be difficult and expensive to integrate. Google's BeyondCorp Enterprise, based on the internal system Google implemented over a decade ago, offers a light, agentless, and affordable context-aware zero-trust solution.
Managing the browser
BeyondCorp Enterprise is delivered through Chrome, providing a secure enterprise browser with centralized browser management.
Chrome Enterprise can manage browser usage across an organization by using on-premises solutions. It also gives organizations cloud-based management capabilities that are platform-agnostic and allow IT and security teams to manage Chrome browsers on all devices accessing company resources, including remote laptops and employee personal devices.
Using either method, IT admins can implement and enforce hundreds of company security policies; manage, block, delete and force-install browser extensions; enforce MFA password policies; selectively block URLs and file transfers; and gain total visibility into browser versions, settings and usage, simplifying compliance.
"For many organizations and the hundreds of millions of enterprise users who already use Chrome, the browser has essentially become the new endpoint, which makes it the perfect place to level up enterprise security," Google's VP of Chrome, Parisa Tabriz, wrote in a recent blog post.
Implementing zero trust
However, companies that rely on cloud-based applications and services may need more protection. BeyondCorp Enterprise builds on Chrome Enterprise to deliver context-aware zero-trust access controls, data-loss prevention, threat protection and more than 100 local access points worldwide.
"Access must be secured, authorized and granted based on knowledge of identities and devices, and with no assumed trust in the network," Tabriz writes in a January 2021 blog post. "With Chrome, BeyondCorp Enterprise is able to deliver customers a zero-trust solution that protects data, better safeguards users against threats in real time and provides critical device information to inform access decisions, all without the need for added agents or extra software."
BeyondCorp Enterprise comes in two tiers: BeyondCorp Enterprise Essentials, which has base pricing of $4 per user per month, and the standard BeyondCorp Enterprise offering, which runs to $6 per user per month.
The Essentials tier delivers zero-trust access control for SaaS and SAML-based web applications. It determines access using signals such as user location; user or group profiles; third-party signals from BeyondCorp Alliance partners including Check Point, CrowdStrike, Palo Alto Networks and VMware; and device status, i.e., whether a device is managed by the enterprise or is an employee's personal device.
BeyondCorp Enterprise Essentials also provides proactive malware and phishing prevention that goes beyond blacklisting known malicious URLs. Instead, it actively scans potential malware and assesses potential phishing sites. Intrusions and other security incidents can be handled with the Security Investigation Tool in the Google Admin console.
Data-loss prevention is implemented through strict management of an employee's ability to upload or download files, and copy or print materials, using Chrome. DLP controls can be made context-aware — for example, an employee might be able to copy-and-paste or print sensitive materials from a designated company website or web app if using an enterprise-managed device, but could be prevented from doing so on a personal device.
BeyondCorp Enterprise adds to the Essentials feature set with context-aware access controls for cloud-hosted applications and other assets, regardless of whether they are hosted on Google Cloud Platform (GCP), Amazon Web Services, Microsoft Azure or in a hybrid cloud/on-prem setup. It also provides zero-trust access to GCP-hosted application programming interfaces (APIs) and virtual machines. (We'll delve further into BeyondCorp Enterprise's zero-trust controls in a subsequent article.)
"With the move to cloud workloads accelerating over the coming years, we're investing in tighter integrations between Chrome and the full slate of security tools and services that organizations use every day to provide complete end-to-end security for users and data," says Robert Shield, Director of Engineering for Chrome Enterprise, in a November 2022 interview. "It's exciting to see the browser evolve to play an active role in securing business environments."
