The zero trust security model is essential in today's enterprise environments. It supports the “new normal” of today’s work. While traditional security models rely on the assumption that everything inside a corporate network is trustworthy, most modern companies are thinking about strengthening their security and enabling users to work from everywhere - including untrusted networks. The concept of "never trust, always verify" sounds very attractive, and brings many benefits.
In this article, we'll take a closer look at the features of BeyondCorp Enterprise that you can implement to protect your Google Workspace users. We'll also provide an example use case to give you a sense of what kind of benefits BeyondCorp Enterprise can bring to your organization.
BeyondCorp is Google’s implementation of the zero trust security model that's built upon a decade of Google experience, combined with ideas and best practices from the community.
BeyondCorp supports:
BeyondCorp principles are:
While Google Workspace customers can benefit from features like context-aware access that are provided in Enterprise plans, BeyondCorp Enterprise is a natural extension to secure access to other applications and provide more controls.
Customers who subscribe to BeyondCorp Enterprise get the BeyondCorp Threat and Data Protection features. With these settings, we can enhance existing Chrome protections, protect against web-based threats, and use DLP rules to protect Chrome Browser.
BeyondCorp Enterprise integrates with Chrome Browser, and if you already manage Chrome Browsers in your organization, you can enhance security with these additional features.
Some of the BeyondCorp Enterprise use cases within Google Workspace include:
In addition to security features and controls, you also get more reporting capabilities across Chrome usage.
You can use the Rules audit log and the security reports in the Security dashboard to monitor security events related to Chrome Browser.
The Security dashboard elements are:
To set up BeyondCorp Enterprise and protect Chrome users, you will need:
Chrome Browser Management together with BeyondCorp Enterprise brings a variety of security features. One of them is described below to help you understand how the implementation works.
In this scenario, we will configure a DLP rule that prevents users from uploading files to Google Drive when they're located in a certain country.
1. Navigate to Devices -> Chrome -> Settings. In the ‘Chrome Enterprise connectors’ section, under ‘Upload content analysis’, turn on Google BeyondCorp Enterprise for the Org Unit where you would like to enable the policy.
In this example, we want to delay the file upload, and show the custom warning message to the user.
2. When the BeyondCorp Enterprise connector is enabled, you can go ahead and configure the DLP rule - navigate to the ‘Rules’ tab and create a new ‘Data Protection’ rule.
3. Provide the name and scope for the rule.
4. When the BeyondCorp Enterprise license is assigned to your organization, you will see that Chrome appears on the list of apps supported by the DLP. In this case, we want to scan files when uploaded.
5. Configure the conditions. In this example, the condition checks whether the URL contains the provided string. It can also be more complex to address your organization's requirements - you might use one of the predefined content matches or a Custom RegEx.
Chrome DLP policies also allow setting the context - if you use Context-Aware access, you can use one of the previously created Access Levels to set the context when to apply the rule (e.g. you might want to limit the upload only when users are outside of your company network). In this example, the access level is based on the user location - Poland.
6. Select the action (what happens when the condition criteria are met) - in our case, we block the upload and send the notification to the Alert Center with Medium severity.
7. Create and activate the rule.
8. Now when the rule is activated, you can test how the blocking mechanism works. Navigate to Google Drive using your test user, and try to upload a new file. You will notice that the file will be analyzed during the upload, using BeyondCorp Enterprise.
9. Since the user is located in Poland, during the upload of files to Google Drive, DLP will block that activity and additionally trigger an alert to the Alert Center for further admin investigation.
BeyondCorp features can be a great way to secure your users and their browsers. As we step into a future dominated by remote work and digital interconnectedness, BeyondCorp isn't just a security solution for Workspace admins - it brings many benefits for Google Cloud, and enables a zero-trust approach. It's the friendly usher guiding your enterprise into a more secure, efficient, and user-centric era.
If your organization is looking for additional security controls for Chrome Browsers, you should definitely try BeyondCorp Enterprise features within your Workspace account.
Thanks for reading and please leave a comment below if you have any questions!