Increasing numbers of organizations are starting to talk seriously about doing away with their enterprise networks. The Jericho Forum was founded back in 2004 to address the issue of what they called “de-perimeterization” – the fact that with mobility and cloud services, the traditional physical network perimeter (as defined by a firewall) was no longer a very useful concept. But nearly 15 years on, the traditional perimeter soldiers on in most enterprises. Now, though, it seems that mainstream, conservative enterprises are seriously talking about a future model where they just provide raw Internet to the desktop.

# Zero trust – up to a point

For all but the very highest security environments, I’m a big supporter. As so often, we can probably trace a lot of this to Google with their 2014 “BeyondCorp” paper ( ), but the logic is pretty simple: if employees spend half their time working from home or on the road, plugged into the raw Internet, why do anything different in the office?

But from some of the conversations I’m having, it seems that quite a few people are confusing “raw Internet to the desktop” with “stop worrying about endpoint security”. In most cases that would be a big mistake. If the user’s endpoint gets compromised, the attacker may have complete control over that endpoint. In that case, anything the user can do, the attacker can do too. So, if the user can initiate a large order, or a refund, or change a customer’s details, so can the attacker. This is a problem that we all know well: how to protect the money in our bank accounts given that we carry out online banking from potentially insecure endpoints.

The technical answer is two-factor authentication: when we ask to carry out a sensitive transaction, we may have to confirm it using a second, more secure device. Here in the UK, online business banking and some online consumer banking relies on hardware card readers to validate that a transaction has been initiated by a valid user. But use of hardware 2FA devices for online banking is not ubiquitous, and the reason for that is that users hate it. In many cases, banks would rather take the hit of the inevitable cyber crime than force their users to use 2FA. This will be even more of a factor for enterprise computing: if we have to use 2FA every time we save a file or update a database record, life will become intolerable.

And there’s an additional consideration: if you make people use 2FA too much, they get blasé about it. That means it gets easier for an attacker to persuade them to enter their 2FA details in a way that allows the attacker to reuse them.

But the situation gets even worse if users have access to sensitive information. Many of those looking at “internet-to-the-desktop” models are also talking about “getting all the data off the endpoint” and using it purely as a viewing mechanism for access to data on servers. That’s all well and good, but at the end of the day the same principle remains: if the user can see the data, so can an attacker.
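To make the “reuse” point about second-device confirmation concrete, here is an added example (not from the original post, and not a description of any bank’s card-reader scheme) contrasting a confirmation code that only proves the user holds the device with one bound to the payee and amount the device displays; the secret, counter and payee values are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed per-user secret shared by the second device and the server (demo only).
USER_SECRET = b"constructed-demo-secret-0123456789"


def _six_digits(secret: bytes, msg: bytes) -> str:
    """Truncate an HMAC-SHA256 over msg to a six-digit code the user can type."""
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def generic_code(secret: bytes, counter: int) -> str:
    """Code that only proves possession of the device: it does not depend on
    what is being approved, so a code phished for one action works for any other."""
    return _six_digits(secret, struct.pack(">Q", counter))


def transaction_code(secret: bytes, counter: int, payee: str, amount_pence: int) -> str:
    """Code bound to the payee and amount shown on the second device.
    The server recomputes it over the transaction it is actually about to execute."""
    payee_bytes = payee.encode("utf-8")
    # Length-prefix the payee so the encoding of (payee, amount) is unambiguous.
    msg = struct.pack(">QI", counter, len(payee_bytes)) + payee_bytes + struct.pack(">Q", amount_pence)
    return _six_digits(secret, msg)


def server_accepts_generic(secret: bytes, counter: int, payee: str, amount_pence: int, code: str) -> bool:
    # The submitted transaction details play no part in the check: that is the weakness.
    return hmac.compare_digest(generic_code(secret, counter), code)


def server_accepts_transaction(secret: bytes, counter: int, payee: str, amount_pence: int, code: str) -> bool:
    return hmac.compare_digest(transaction_code(secret, counter, payee, amount_pence), code)


def replay_demo() -> dict:
    """The user approves a small payment to 'ACME Ltd'; malware on the compromised
    endpoint captures the typed code and resubmits it with a different payee and amount."""
    counter = 42  # time step or per-transaction counter agreed by both sides
    captured_generic = generic_code(USER_SECRET, counter)
    captured_txn = transaction_code(USER_SECRET, counter, "ACME Ltd", 1000)
    return {
        "generic_replayed": server_accepts_generic(USER_SECRET, counter, "Other Payee", 500000, captured_generic),
        "txn_replayed": server_accepts_transaction(USER_SECRET, counter, "Other Payee", 500000, captured_txn),
        "txn_legit": server_accepts_transaction(USER_SECRET, counter, "ACME Ltd", 1000, captured_txn),
    }
```

Binding the code to the displayed transaction does not stop a compromised endpoint from submitting requests, but it limits what a captured code can be reused for to the exact transaction the user saw and approved on the second device.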