
Google Moves Its Corporate Applications to the Internet - kjhughes
http://blogs.wsj.com/cio/2015/05/11/google-moves-its-corporate-applications-to-the-internet/
======
cs702
I'm so happy to see this. As Bruce Schneier (who runs an open WiFi network at
home) explains, "if my computer isn't secure on a public network, securing my
own network isn't going to reduce my risk very much."[1]

The same is true for corporate applications (and devices like printers). If
they're not secure on a public network, securing the corporate network won't
reduce their risk that much: they're still exposed to potential breaches
elsewhere in the corporate network.

--

[1] [https://www.schneier.com/blog/archives/2008/01/my_open_wirel...](https://www.schneier.com/blog/archives/2008/01/my_open_wireles.html)

~~~
Afforess
There are other, valid reasons to not run a public access point. Not wanting
neighbors to steal your bandwidth, run a TOR node off it, or host illegal
content, for example. All of these activities could get you removed from your
ISP, and even taken to court. While you could probably prove your innocence in
court, I cannot imagine why taking the risk for absolutely no personal
benefit is worth the risk. I don't really see how running an open wifi network
shows anything other than ignorance of the risks.

~~~
icebraining
Do you think Schneier is ignorant of the risks?

~~~
snowwrestler
Bruce Schneier is a very smart guy, but let's not deify him; he can be wrong
about things too.

For example in the above column he repeats an urban myth: that running an open
WiFi access point provides an affirmative defense against prosecution for
things like piracy, hacking, or child porn.

I call it an urban myth because, personally, I have yet to find a court case
in which such an argument was made, let alone one in which it was a
determinant in the verdict. It's endlessly repeated online, with seemingly no
evidence that it is true. (If someone reading this is aware of such a case,
please reply with it! I would love to know.)

Also be aware that this was written when WEP was the state of the art in
encrypting WiFi, and long before tools like Firesheep were widely available.
You can't expect Schneier to make security arguments that will be true
forever. Today it is so easy to snoop on open WiFi traffic that any given
11-year-old could do it--and today WPA2 is sufficiently good to stop that.

At the same time, Bruce can be really right about things too, like how to
properly secure a laptop. If anyone could run open WiFi and still be secure,
it's a security expert. As opposed to my dad, who until recently was running
Windows XP SP1 on his computer. He benefits from an encrypted WiFi signal as
the first layer of the security onion.

~~~
marssaxman
People assert the counterexample, too, but in reality it's hard to find real
cases where anything bad happened as a result of running an open wifi network.

~~~
rev_bird
There are many, though they all came out of people trying to get away from
kiddie porn charges.
[http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-chil...](http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html)

~~~
marssaxman
The article mentions three cases, which I would not call "many". I have not
been able to find any real numbers on this scenario; only a scattered handful
of anecdotes, most of them referring to the same original news articles.

I'm not worried. It is extremely unlikely that there are any kiddie-porn fans
in my neighborhood to begin with, much less any within range of my wifi
signal.

------
furyg3
We tried this where I worked (with the exception of the evil desktop app
financial program)... and had to retract after a zero day defacement in one of
our web apps. In the meantime we also learned that keeping all of your web
apps 100% up to date at all times is really freaking difficult. The good news
is that the (failed) attempt got us off of a few client side applications and
made us much more platform agnostic than we were before.

If you have the resources of Google it's a bit different, especially if all of
the software is custom and developed internally.

~~~
istvan__
The only way to succeed with this is with heavy firewalling or VPNs. There are
several unknown zero days in any application so just by opening up your
application to 0.0.0.0/0 makes it possible for blackhats to get in. The only
question is how much your information is worth to somebody. If it is less
than the price of a brand new zero day you might be ok, but there are still the
script kiddies and political blackhat organizations who mass deface any site
that has a "zero day" vuln (zero day means in this case: unknown to the
operators of the site).

~~~
rixed
> There are several unknown zero days in any application

I think you want all your applications to authenticate the device and the user
before proceeding to anything. This looks indeed impossible with third party
closed source apps (if only because you can never be sure there is no
backdoor).

Then, even if you authenticate every remote peer using TLS client
certificates, you have to follow closely the vulnerabilities of your TLS
implementation... But that should not be less manageable than making sure
your firewalls are reliable.

~~~
icebraining
_This looks indeed impossible with third party closed source apps (if only
because you can never be sure there is no backdoor)._

Seems easy enough: don't allow the app to bind to a port on any interface
besides loopback, then put an authenticating reverse proxy in front of it that
can actually receive remote connections.

If it's an HTTP service, you can use nginx with client SSL certificates. For
other protocols, spiped[1] might be a good choice.

[1] [https://www.tarsnap.com/spiped.html](https://www.tarsnap.com/spiped.html)
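The nginx arrangement icebraining describes, written out as an added example (not code from the thread or from any project mentioned in it). It assumes the third-party app has been configured to listen only on 127.0.0.1:8080, and all hostnames and file paths are placeholders.

```nginx
# Added example: an authenticating reverse proxy in front of a closed-source
# app that is reachable only on loopback. TLS is terminated here, a client
# certificate chaining to the corporate device CA is required, and only
# requests that passed that check are forwarded. Paths/hosts are assumed.

server {
    listen 443 ssl;
    server_name app.example.internal;        # assumed hostname

    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_certificate     /etc/nginx/tls/server.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Device identity: the presented client cert must chain to this CA.
    # With "on", nginx rejects the handshake (HTTP 400) when no valid
    # certificate is presented, so the backend never sees such requests.
    ssl_client_certificate /etc/nginx/tls/device-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Lost or retired devices: revoked certs are refused as long as this
    # CRL is kept current.
    ssl_crl /etc/nginx/tls/device-ca.crl;

    location / {
        # The app is bound to loopback only; this is its sole entry point.
        proxy_pass http://127.0.0.1:8080;

        # proxy_set_header replaces any same-named header sent by the
        # client, so the app can trust these values were set by the proxy.
        proxy_set_header X-Client-Cert-DN  $ssl_client_s_dn;
        proxy_set_header X-Client-Verified $ssl_client_verify;
        proxy_set_header Host              $host;
    }
}
```

The app itself still needs to be bound to 127.0.0.1 (or a host firewall rule must block its port on other interfaces); otherwise the proxy can be bypassed entirely.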

------
mikecb
Finally, the zero trust network has its day. I've been following this for
quite a while, especially since this kind of architecture makes even more
sense for smaller businesses than large ones that can pay for sophisticated
network-edge protection.

Edit: Great talk at LISA in 2013:
[https://www.usenix.org/conference/lisa13/enterprise-architec...](https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter)

~~~
omnibrain
Yes, I submitted this yesterday (instead of the article submitted here,
because I found it to be deeper and did not want to submit 2 links at the same
time), but sadly it failed to gain traction.

~~~
higherpurpose
Videos don't usually gain traction on HN.

------
tjohns
It's worth reading the original "BeyondCorp" paper that discusses this:

[http://static.googleusercontent.com/media/research.google.co...](http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43231.pdf)

As some other folks have pointed out (and contrary to what the headline
implies), this isn't just setting your firewall to allow 0.0.0.0/0. In
particular, pay attention to the Device Identity (client cert) and the Access
Proxy parts.

------
evmar
What's left implied but unstated in this post is that a corporate intranet is
often in practice as vulnerable as the internet -- from unpatched Windows to
old Android versions to people plugging in random USB dongles to a million
variations on XSS/XSRF, once you've made your corporate network secure against
these attackers it's also secure against the wider internet.

~~~
Splendor
I felt like that was stated clearly in the second paragraph.

> "The new model — called the BeyondCorp initiative — assumes that the
> internal network is as dangerous as the Internet."

~~~
evmar
You are right. I had meant they left out _why_ the internal network is
dangerous. They open with assuming it is dangerous and then discuss how to
implement it.

------
passive
As a remote worker, it's delightful to see things move in this direction, as
VPNs are a regular thorn in my side.

Of course, there's a certain irony that Google isn't fond of remote workers.
:)

~~~
stephengillie
Few workplaces are fond of remote workers. The major reason a lot of people
remain employed is so they have a _purpose_ to wake up, leave their houses,
and spend the day occupied by the relative comfort of an office building,
surrounded by reasonably-intelligent coworkers, as a faux-family. And it's a
slap in their face that you don't want to spend your time basking in their
physical proximity.

~~~
mahyarm
Communication and management overhead of remote workers is harder to do right.
Like functional programming.

~~~
beachstartup
with modern software, it's only hard to do right if they're not at their
laptop/workstation. which means they're doing some other shit other than
working.

our entire team is remote. it's really obvious when someone isn't at their
computer. it's basically the only hard requirement of the job beyond the work
product - be at your computer when you say you are going to be at your
computer.

~~~
walshemj
Really? Sometimes the crucial part of the job is done away from the computer.

I remember doing a quick fix for one of the attractions at the Millennium Dome -
the core part of the work was working out on paper all the permutations and
what should happen; the coding at a terminal was the trivial part.

BTW the program ran correctly the first time and was delivered in less than a day.

------
sixdimensional
I wonder how far this really extends into their network and how IPv6 is
related. In principle it sounds really good to me. I realize this is mostly
about access to corporate applications, but how much further could this
approach go?

Thinking out loud, if I suddenly removed the firewall perimeter security from
my network, moved security to devices/servers directly, dropped my NAT,
switched to ipv6 with all publicly routable addresses, my network
infrastructure simplifies incredibly. However, I do have to still protect my
network to ensure network quality of service/availability and protect my
devices/equipment from "public attacks". I guess the principle here is, the
surface area that can be attacked is the same if you can penetrate the layered
security approach - it all ends in the devices and equipment.

The fact that all devices/equipment can now have a publicly
routable/addressable IP in IPv6 solves the problem of running out of address
space, and would fit hand in glove with such an architecture.

Put another way, the network becomes just the network, without the need to
discern between the intranet/LAN, the extranet/WAN (or DMZ) and the
Internet/WAN.

~~~
superuser2
> can now have a publicly routable/addressable IP in IPv6

Almost no one can actually route "publicly routable" IPv6. When it becomes a
standard feature of DSL/cable, maybe.

~~~
ef4
Your information is out of date. Every T-Mobile subscriber with a modern
Android device on LTE has a fully-working, native ipv6 address. And somewhere
between 30% and 50% of Comcast subscribers already have native dual-stack
ipv6.

~~~
superuser2
Somewhere between 50 and 80% of Comcast subscribers, then, do not have IPv6.
In a couple years, yes this should be viable, but it isn't now.

------
snowwrestler
This seems like the sort of thing that can work for Google because Google runs
on Google software, which runs on Google hardware. They control the full stack
from top to bottom, so they can decide where to put the doors and where to put
the monitoring.

Most companies run on stuff that is not their own. Microsoft Exchange running
on Windows running on VMWare running in some 3rd party datacenter is a fairly
modern way to host an email server. In that situation, everything is out of
your hands BUT the network edge. You don't audit Microsoft's code bases, you
don't specify how Webmail works, you don't control the discovery, disclosure,
or patching of critical vulnerabilities.

Sure maybe the firewall/IDS/VPN only keeps amateur griefers out, but there are
way more of those than APTs.

And folks will only have limited insight into the internals of all this 3rd-
party software. But if you have a gated network, then you can use a tool like
NetWitness to characterize and alert on your traffic--and just your traffic.

------
NovaS1X
"The Cloud" that they're talking about is their own datacenters (they're
certainly not using EC2) and they're hosting their web-apps over a WAN without
VPNs or other traditional forms of closing off access.

However, this doesn't say much about their datacenters which will still be
heavily firewalled. IPMI, SSH, and other access wouldn't be shared over a wide
open WAN. The "Cloud" (see: datacenter) LAN will still be protected
traditionally.

This article doesn't have enough information in my opinion.

~~~
mynameisvlad
I mean, of course it's their own datacenters. They're not going to be putting
their corporate data in a competitor's data center. That said, they could be
leveraging new things in their Google App Engine cloud, which would actually
make it "the cloud" as people refer to it.

~~~
ocdtrekkie
The funny thing is, they expect everyone else to put their corporate data in
their datacenters! Google has an extremely one-sided view of where data should
go. (In all cases, directly to their servers.)

~~~
mynameisvlad
Do they, though? They expect everyone else to put their _product_ in their
datacenters. I'm sure they'd like it if others also put their company data in
(more revenue, after all), but I wouldn't say that anything they have offered
is really pushing for the corporate data in the cloud aspect. I'd say Amazon
is more aggressive on that side with things like WorkSpaces and WorkDocs.

~~~
ocdtrekkie
Google Apps for Business? Android for Work?

------
rdl
This kills BYOD, right, at least for now? "Employees can only access corporate
applications with a device that is procured and actively managed by the
company"

~~~
bduerst
Android Work Profiles has this covered, if you would want to use your own
android phone.

It also means you allow your device to be managed remotely by the company
(i.e. purged if lost/stolen).

------
grantlmiller
This brings up a few questions:

1) Does Google not use the same publicly hosted version of Google Apps that we all use?

2) Does this only work with privately hosted versions of applications?

3) Are they using the publicly hosted version of Google Auth for the authentication piece?

4) Is the Device Inventory Database hosted on a public machine or is that deployed to a private network?

5) Digging into the white paper that provides a bit more information on how they're actually doing this… does anyone care to take a crack at explaining what this means? "BeyondCorp defines and deploys an unprivileged network that very closely resembles an external network, although within a private address space. The unprivileged network only connects to the Internet, limited infrastructure services (e.g., DNS, DHCP, and NTP), and configuration management systems such as Puppet." (Full white paper published by Google available here:
[http://static.googleusercontent.com/media/research.google.co...](http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43231.pdf))

------
serve_yay
It's nice to see companies moving towards taking security more seriously, but
boy oh boy some of it is a real pain in the ass. Every website you log into
now needs to text you, or have a companion app or whatever. Every time you
lock your screen to get a cup of water or take a leak, you have to log back
in, wait for your flaky vpn connection to come back before you can resume what
you were doing (maybe not an issue here if they actually do away with the
VPN). "Credentials" often comes down to typing very long cryptic passphrases,
on a glass screen, with dots instead of being able to see what you're typing.
Et cetera.

~~~
netheril96
Are you on OS X and have you unchecked the option "Disconnect when switching
user accounts"?

------
atlbeer
This probably falls in the general category of a Good Thing™ for employees and
people developing B2B applications since internal systems are more easily
accessible but, this will be a gut check/squeaky bum time for traditional on-
premises B2B vendors like PeopleSoft/SAP/IBM and the like. The corporate
firewall has always been a bastion of security they have been able to hide
their applications behind. As the concept of a corporate firewall begins to
fade their security risk increases and previously non-worrisome attack vectors
become serious problems for them.

~~~
JTon
Apologies for being off topic..

> squeaky bum time

Never heard this expression before. Quick search defines it as "An exciting
part of a sporting event, particularly the final minutes of a close game or
season". Unfortunately, I still don't really get the reference. Could someone
spell this out for me?

~~~
IvyMike
Squirming in your seat.

[http://www.phrases.org.uk/meanings/squeaky-bum-time.html](http://www.phrases.org.uk/meanings/squeaky-bum-time.html)

------
mark_l_watson
What has changed? I worked as a contractor at Google in 2013. Everyone had a
securely locked down company laptop. All logins anywhere required a dual auth
device.

I was really sick one day and I had no problems doing my work from home. Also,
one of the great joys of working at Google is the availability of code labs
that are individualized instruction to learn different aspects of their
infrastructure and technology in general. I spent a ton of time when at home
working through code labs that were relevant to my job. No problems with
remote access.

------
itaysk
Nothing new here... I work for Microsoft. We have had most of our tools in the
cloud for quite a while. One thing's for sure - every new app is cloud based.
We use Azure AD and multi factor auth to allow access from internal and
external networks. It's pretty common with small/medium companies I work with,
maybe less with large enterprises.

------
rev_bird
I think I'm missing something important here. I understand it as far as
"internal networks give people a false sense of security," but it's still
worth _something_ , isn't it? Why not implement all of these security features
AND keep your internal network locked up? Is it really just convenience?

------
priyajv99
The biggest problem with VPNs these days is that they connect a user to the
network, not just to the applications they need to access. Any malware on the
user's device can ride the VPN into the network and start having fun. Sure you
can micro-segment the network to limit the damage, but at least the Google
approach puts all traffic through an "Internet-Facing Access Proxy", limiting
exposure to the individual applications in question.

However, I completely agree with the previous post that the user devices need
to be considered untrusted. This is a huge problem with the Google approach.
Certificate distribution and management on thousands of employee owned devices
is neither practical nor scalable.

[https://oxter.in](https://oxter.in)

------
jingo
I wonder which "cloud hosting provider" they will choose.

Microsoft? Amazon?

Does it make a difference?

If my company starts selling cloud hosting and then I announce my company will
be hosting its internal applications in "the cloud" (i.e., in my own data
centers), what are the security implications for my company?

Are they the same if some other company asks me to host their applications in
my data centers?

Is this article a PR piece (or "submarine" as PG calls it)?

What do you think?

~~~
taylorwc
> I wonder which "cloud hosting provider" they will choose.

Meant to be sarcastic? Google is in this market. Doesn't strike me that there
is any chance they'd use MSFT or Amazon for infrastructure.

~~~
stephengillie
In a way, it seems similar to what Amazon did when they launched AWS.

------
jreed91
The access proxy is somewhat similar to what Cisco is doing with TrustSec.
[http://www.cisco.com/c/en/us/solutions/enterprise-networks/t...](http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html)

------
Splendor
I'm not a security expert by any means, but this seems like an intelligent
move to me. And it sounds like this process of accessing corporate
applications has the potential to be less onerous for employees.

------
mbreese
One interesting question is: how many companies have enough public IP
addresses to publish their applications to the internet? If you assume that
there are multiple services and each one is hosted on their own server (or
server farm), then you'd need many more public IP addresses. When we live in a
world that is severely lacking free IPv4 space, how feasible is this? Or is
this just a matter of pushing things from 10.0.0.0/8 land to IPv6 addresses?
How many locally developed enterprise apps have good enough security to be put
on a public facing site _and_ have good IPv6 support?

I applaud the idea and the effect of forcing security to be dealt with. But I
don't know how feasible it is for corporations without their own B or C
blocks.

~~~
colechristensen
If it's http, it doesn't matter much. You can put a thousand different sites
on one (or probably a few) IP and have a load balancer distribute the requests
to the appropriate set of backend servers.

~~~
mbreese
I'd like to agree, but I think you overestimate the sanity of many Enterprise
IT designs...

It certainly would be helpful if there was a single point to handle the
device-level authorizations, but again, many existing systems aren't
necessarily designed to play well with others.

------
zmanian
Seeing the strength of google migrating all their employees to yubikeys

------
gmrs
What if I plug a pendrive in one of these devices and install an app that
reads every network activity? If I have the same sequence of packages required
to authenticate, I'm in?

~~~
greggyb
How is this any different than doing the same on a laptop that is accessing a
VPN?

------
umonicd
The return of capability based security? Couldn't help but notice the phrase
"fine grained access", I guess your device acts like a sort of token?

------
rifung
I hope this means accessing internal resources will be a lot less painful too

------
lessthunk
if it's crucial for the company, it should not be on a public internet.

------
a-dub
so THAT'S why they bought up the .dev TLD.

lame.

------
zobzu
Tldr google no longer use vpns for corp access

------
smegel
Really? So they are using 3rd party hosted HR systems etc. on the internet, or
something on their own services?

When you are talking about a company like Google that basically owns a large
part of the internet (backbones, CDNs, hosting services), "moving stuff to the
internet" means a lot less than for a non-IT company like a bank.

