BeyondCorp

A new approach to enterprise security


BeyondCorp at Google

BeyondCorp is an enterprise security model that builds upon 6 years of building zero trust networks at Google, combined with best-of-breed ideas and practices from the community. By shifting access controls from the network perimeter to individual devices and users, BeyondCorp allows employees to work more securely from any location without the need for a traditional VPN.

BeyondCorp Implementation at Google

BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN. BeyondCorp is used by most Googlers every day to provide user- and device-based authentication and authorization for Google’s core infrastructure.

BeyondCorp for Everyone

BeyondCorp is now available as a GCP service called Identity-Aware Proxy (IAP). IAP uses identity to protect access for applications deployed on GCP. Administrators create policies to determine which user or group identities should have access to GCP-hosted applications.

About BeyondCorp

High-level Components of BeyondCorp

Single sign-on, access proxy, access control engine, user inventory, device inventory, security policy, trust repository

BeyondCorp Principles

  • Connecting from a particular network must not determine which services you can access.
  • Access to services is granted based on what we know about you and your device.
  • All access to services must be authenticated, authorized and encrypted.

Google’s BeyondCorp Mission (2011-2017)

To have every Google employee work successfully from untrusted networks without use of a VPN.

BeyondCorp Trademark Guidelines

These guidelines provide you with guidance for using the BeyondCorp trademark. You can use the BeyondCorp name on your website or in print without pre-approval, provided you follow these basic guidelines:

You may display or use the BeyondCorp name only in connection with compliant implementations of BeyondCorp and related uses in the following ways: display or use of the BeyondCorp name in connection with your compliant implementation; your integration with a compliant implementation; your support for a compliant implementation; your BeyondCorp-compatible product; or in collateral, presentations, and marketing materials relating to compliant implementations of BeyondCorp.

Use of the BeyondCorp logo or other Google brands in ways not expressly covered by this document is not allowed without prior written consent from Google (see the Guidelines for Third Party Use of Google Brand Features for more information). Send requests to beyondcorp-trademark-external@google.com.

“The BeyondCorp vision is without question the future of enterprise IT. BeyondCorp is an enterprise security model that builds upon 6 years of building zero trust networks at Google, combined with best-of-breed ideas and practices from the community.”

— Steve Pugh, Ionic Security CISO and former White House Military Office CISO