In a new white paper, Google explains how it keeps its cloud-native architecture secure within the organisation. White papers of this kind from Google are worth reading, because in the past they have served as a source of inspiration for start-ups and other companies.
The new framework was christened BeyondProd, which immediately indicates that it complements BeyondCorp, the zero-trust system that Google introduced a few years ago for the security of network access.
BeyondCorp focused on a shift away from VPNs and firewalls that protect the network perimeter, towards controlling the access of individual users and devices within the network. BeyondProd takes a similar zero-trust approach, but for access between machines, workloads and services in a cloud-native environment.
Google’s cloud-native infrastructure runs almost exclusively on software containers managed by Borg, the predecessor of what has eventually become the popular orchestration tool Kubernetes.
In this cloud-native environment, microservices are central. Microservices are components of applications that run in containers. The idea is to divide a large workload into smaller parts, which are easier to manage. However, this also requires a different security approach, according to Google.
“In a cloud-native environment, the network perimeter still needs to be protected, but this security model is not enough. If a firewall cannot fully protect a corporate network, it cannot fully protect a production network either,” write Maya Kaczorowski, Product Manager, Container Security, and Brandon Baker, Horizontal Lead, Cloud Security, in a blog post.
Like BeyondCorp, BeyondProd is therefore based on the principle of zero-trust. This is based on the idea that there is no inherent mutual trust between services and that workloads should always be isolated from each other.
“BeyondProd applies concepts such as mutually verified service endpoints, transport security, edge termination with global load balancing and denial of service security, end-to-end code provenance and runtime sandboxing,” say Kaczorowski and Baker.
By applying these principles, the BeyondProd framework ensures that containers and microservices can be safely implemented and communicate with each other.
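As an added illustration, not code from the white paper or from Google, the following Go program shows the first two principles Kaczorowski and Baker list, mutually verified service endpoints and transport security, in their simplest form: a service that accepts only callers presenting a certificate chained to an internal CA, identifies the caller from that certificate rather than from its network location, and rejects callers that present no certificate or one issued by an unrelated CA. The CA, the service names (billing-service, frontend-service, rogue-ca, rogue-service) and the in-memory certificate minting are constructed for the demo; production workloads obtain their identity from a certificate issuer, not from their own code.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustCert mints a certificate for cn: a self-signed CA when parent is nil, otherwise a workload
// leaf signed by parent. This in-memory PKI is constructed for the demo; a failure here is a demo bug.
func mustCert(cn string, parent *x509.Certificate, parentKey crypto.PrivateKey) (*x509.Certificate, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf usable on both sides of a connection; httptest serves on loopback
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

// CallResult summarises one service-to-service call.
type CallResult struct {
	Status int    // HTTP status; 0 when the connection was rejected
	Body   string // response body on success
	Err    error  // handshake or transport error
}

// RunMutualTLSDemo serves a workload that accepts only peers with a certificate chained to the internal
// CA, then calls it with a valid workload cert, with no cert, and with a cert from an unrelated CA.
func RunMutualTLSDemo() [3]CallResult {
	ca, caTLS := mustCert("internal-ca", nil, nil)
	_, serverTLS := mustCert("billing-service", ca, caTLS.PrivateKey)
	_, clientTLS := mustCert("frontend-service", ca, caTLS.PrivateKey)
	rogueCA, rogueCATLS := mustCert("rogue-ca", nil, nil)
	_, rogueTLS := mustCert("rogue-service", rogueCA, rogueCATLS.PrivateKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Caller identity comes from its verified certificate, not from a header or network location.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client cert, no connection
		ClientCAs:    trusted,
	}
	srv.StartTLS()
	defer srv.Close()
	call := func(certs ...tls.Certificate) CallResult {
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs:      trusted, // the caller verifies the server as well: trust is mutual
			Certificates: certs,
		}}}
		resp, err := c.Get(srv.URL)
		if err != nil {
			return CallResult{Err: err}
		}
		defer resp.Body.Close()
		body, _ := io.ReadAll(resp.Body)
		return CallResult{Status: resp.StatusCode, Body: string(body)}
	}
	return [3]CallResult{call(clientTLS), call(), call(rogueTLS)}
}

func main() { fmt.Printf("%+v\n", RunMutualTLSDemo()) }
```

Run with go run: the first call succeeds and the handler reports the verified peer name, while the other two fail during the TLS handshake, before any request reaches application code. Two details carry the zero-trust point: the service trusts only its own CA pool rather than the system roots, and the handler takes identity from r.TLS.PeerCertificates, which is what makes that identity unforgeable from the application's point of view.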
Going beyond individual applications
In addition, it removes the burden of implementing security from the app developer. “Security functionality requires little or no integration in each individual application and is instead delivered as a fabric that encloses and connects all microservices,” conclude Kaczorowski and Baker.
As was the case with BeyondCorp, Google hopes that other companies will also adopt the BeyondProd framework for the security of cloud-native environments.
Google emphasises that many of the necessary components are already available through Google Kubernetes Engine and its hybrid cloud platform Anthos.