Google is in the process of a radical change in its approach to IT security, reports the WSJ, moving its data from protected internal networks out onto the Internet.
At first glance, it sounds like a crazy move: moving corporate data from protected internal systems, only accessible within Google buildings and via VPN, to publicly-accessible servers. But Google engineering manager Rory Ward believes that the conventional ‘perimeter security’ model no longer reflects the realities of today’s world.
The perimeter security model is often compared to a medieval castle: a fortress with thick walls, surrounded by a moat, with a heavily guarded single point of entry and exit. Anything located outside the wall is considered dangerous, while anything located inside the wall is trusted. Anyone who makes it past the drawbridge has ready access to the resources of the castle […]
However, with the advent of a mobile workforce, [this approach is] fraught with danger.
In other words, if half your workforce is accessing resources from outside the network anyway, you need a different mindset …
The right approach today, says Google, is three layers of protection: the device, the person and the login credentials.
In a paper written late last year describing the approach, Google says that the first level of protection is the device – be it a smartphone, tablet or laptop. Each Google-issued device has a unique identity code, stored in a Device Inventory Database. Any time a user attempts to login to a Google server, the network first checks that the device used is an authorized one; if not, access will be refused even if the user has the correct credentials.
Second, user identity is linked to HR records, ensuring that each user has access only to systems applicable to their projects and role. Again, without this match, login credentials are useless.
Third, two-factor logins are used as you’d expect. Only with the right combination of device plus HR authentication plus two-factor login credentials will someone be granted access.
Google is currently transitioning to this new approach, and the WSJ reports that it is also being used or trialled by other companies, including Coca-Cola, Verizon and Mazda.
Photo: Warner Safeguard