In-brief: Google is pushing an approach to network security dubbed “tiered access,” demoting the trusted password, which is now just one piece of data that is needed to get access to sensitive data and resources on Google’s network.
The status of the lowly password is falling a bit lower in the hallowed halls of Google, where the company has implemented and is evangelizing an approach to security called “tiered access” that de-emphasizes traditional passwords in favor of more flexible and accurate means of proving someone’s identity.
In a new document, Google said its “tiered access” approach to securing access for some 61,000 employees is better suited to mobile-centric environments where old distinctions, such as the inherent trustworthiness of ‘internal’ versus ‘external’ IP addresses, have broken down. The guidance, which was published Thursday, is just the latest effort by Google to promote the notion of ‘software defined perimeters’ as a replacement for traditional approaches to securing IT networks.
In a blog post on Thursday, Google engineers Michael Janosko, a manager in Google’s Security Engineering group, and Rose La Prairie, a Product Manager for Google Android, described an approach called “tiered access” that evaluates employee requests for access by assessing the user’s individual and group permissions, the level of trust extended to the employee based on their role and the state of the device from which the request was generated.
Traditionally, organizations have treated trust as a binary: either users were trusted or they were not. Trust for a particular IT asset (a computer, server, set of data, etc.) depended on whether the requesting user was accessing the given network from an authorized machine with a valid user name and password. User directories like Microsoft’s Active Directory have been the arbiters: repositories of information on users and their permissions for various IT assets.
Such an approach hasn’t aged well, however, especially as more users seek to access data and applications from outside of the traditional office network, and as online adversaries have gotten better at hijacking legitimate user accounts to steal sensitive information or otherwise lurk on sensitive networks. Attackers who are able to take over a high-privilege user’s account can often move, undetected, about networks, gaining access to and stealing sensitive data, or installing malicious software that gives them persistent network access.
To respond to that challenge, Google said it has implemented a “tiered access” model for its users, in which internal services are associated with a trust tier according to the sensitivity of the data, and user requests for that data are carefully vetted to make sure that the risk each request represents is low.
Google has long advocated so-called “zero trust networking” that treats all users – internal and external – as suspicious and possibly malicious. User credentials (aka “passwords” or other factors) are part of the verification process – but only part. Decisions to grant access to data are weighed carefully based on data about the user and the device, including whether it is running the latest operating system and application patches, whether it is behaving in ways that arouse suspicion, and so on. Google said it uses commercial tools to do this, but has also developed a range of custom tools that monitor device interactions with its network to build a risk profile of individual devices and users.
Internal services (say, a particular application or data set) are associated with a “trust tier” that must be met if the service is to be accessed. Trust tiers can be uniform for a service, or services can be subdivided into different trust tiers in a granular way. Even when users successfully authenticate, access to services on Google’s network is granted only if the assessed risk profile of the device meets the trust tier required by the service the user is trying to access.
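The decision described above, where a valid credential is necessary but not sufficient and the device's assessed state is compared against the tier a service demands, is easier to see in code. The following is an added illustration written for this article, not Google's own implementation or the tooling the blog post describes. The tier names, the device attributes used to derive a tier (patch age, management enrollment, disk encryption, endpoint agent reporting, a suspicious-behavior flag) and the sample users, devices and services are all constructed assumptions chosen to show the shape of the model:

```python
"""Toy tiered-access decision engine (added illustration, not Google's code).

Assumptions (not from the article): the four tier names, the device
attributes used to derive a tier, and the ordering of checks are all
invented here to show the shape of the model.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Trust tiers, ordered so that a higher tier satisfies a lower requirement."""
    UNTRUSTED = 0
    BASIC = 1
    PRIVILEGED = 2
    HIGHLY_PRIVILEGED = 3


@dataclass
class Device:
    managed: bool              # enrolled in device management
    os_patch_age_days: int     # days since the OS/app patch level was current
    disk_encrypted: bool
    agent_reporting: bool      # endpoint agent is checking in
    suspicious_behavior: bool  # flagged by monitoring of its network interactions


@dataclass
class User:
    name: str
    authenticated: bool        # password (and any other factors) verified
    groups: set


@dataclass
class Service:
    name: str
    required_tier: Tier
    allowed_groups: set


def device_tier(d: Device) -> Tier:
    """Derive a device's trust tier from its observed state.

    Every threshold here is a constructed policy, not Google's actual criteria.
    """
    if d.suspicious_behavior or not d.agent_reporting:
        return Tier.UNTRUSTED
    if not d.managed:
        return Tier.BASIC
    if d.os_patch_age_days > 30 or not d.disk_encrypted:
        return Tier.BASIC
    if d.os_patch_age_days > 7:
        return Tier.PRIVILEGED
    return Tier.HIGHLY_PRIVILEGED


def decide(user: User, device: Device, service: Service) -> tuple:
    """Return (allowed, reason). Credentials are checked first but never decide alone."""
    if not user.authenticated:
        return False, "credentials not verified"
    if not (user.groups & service.allowed_groups):
        return False, f"{user.name} not in an allowed group for {service.name}"
    tier = device_tier(device)
    if tier < service.required_tier:
        return False, (f"device tier {tier.name} below required "
                       f"{service.required_tier.name} for {service.name}")
    return True, f"device tier {tier.name} satisfies {service.required_tier.name}"


# Constructed sample data: one user, two devices, two services at different tiers.
PAYROLL = Service("payroll", Tier.HIGHLY_PRIVILEGED, {"finance"})
WIKI = Service("internal-wiki", Tier.BASIC, {"employees", "finance"})
ALICE = User("alice", authenticated=True, groups={"employees", "finance"})
PATCHED_LAPTOP = Device(managed=True, os_patch_age_days=2, disk_encrypted=True,
                        agent_reporting=True, suspicious_behavior=False)
STALE_LAPTOP = Device(managed=True, os_patch_age_days=45, disk_encrypted=True,
                      agent_reporting=True, suspicious_behavior=False)

if __name__ == "__main__":
    for svc in (PAYROLL, WIKI):
        for dev_name, dev in (("patched", PATCHED_LAPTOP), ("stale", STALE_LAPTOP)):
            ok, why = decide(ALICE, dev, svc)
            print(f"{svc.name:14} {dev_name:8} -> {'ALLOW' if ok else 'DENY':5} ({why})")
```

Running it shows the point of the model: the same authenticated user with the same group membership reaches the low-tier wiki from either laptop, but is denied the high-tier payroll service from the laptop whose patch level has lapsed, because the device's tier rather than the password is what falls short.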
Google has created tools like its Identity Aware Proxy (IAP) to help customers of its Google Cloud Platform manage the transition to its “tiered access” approach. But the firm admits it is not easy. Before they can even begin to implement such a system, organizations need a comprehensive catalog and understanding of what devices inhabit their network, as well as the users associated with each device. Each device must then be associated with a trust “tier.”
The same is true of services that run on their network and the use patterns around those – who accesses them, when, for how long and why? How sensitive is the data they contain? The answers to those questions also determine what trust tier the service is placed in.
Needless to say: most organizations aren’t in a position to implement such a system. In fact, numerous surveys have revealed that wireless and loosely managed IT assets – from test servers to employee-owned hotspots to networked printers – often escape notice in corporate environments. A survey by BakerHostetler found that phishing attacks, hacking and malware accounted for 43% of cyber incidents, while employee actions or mistakes accounted for another 32%. On average, it took the companies BakerHostetler observed 61 days from the occurrence to discover the incident and another eight days from discovery to contain it – sobering statistics.
Going forward, Google said it is working on ways to automate the risk assessments that it does on both users and services. It is also looking for ways to integrate observations of user behavior on its network into those risk assessments.
Check out Google’s full publication here.