One of the big news stories last week was the Wall Street Journal article, reporting that Google has “given up on their internal network” and are moving their business applications to the internet (called BeyondCorp). The reason behind is that they don’t see the internal network as private/protectable anymore. With todays adversaries, malware and general lack of security-awareness of users, they don’t really can justify a private network anymore. Instead they have developed more secure and robust applications, that can be access over the internet from practically any point of the world. However, some important limitations still exist. The connecting device must be under Google’s control, which means that the system cannot be compromised, has to be secured, maintained and in general good health. Once that has been verified, the user can be authorised over a secure connection and be granted access to the application. This is a dream come true. Why run a private network, when all your apps are built with security in mind and you have full control over the devices accessing your services and data?
However, keep in mind that Google is in a very, very unique position. They practically control the whole stack, from the operating system (Android for mobiles, Chrome OS for laptops), the browser (Chrome) with all the security features (e.g. certificate pinning, strong encryption, automatic updates), “the HTTP protocol (SPDY/HTTP2)”, the network layer (Google Fi, Google Fiber, their own dark fiber), their custom built web server software and their unique application architecture and data centers. And if they rely on third-party software (e.g. Mac OS X), they have invested a huge amount of resources in aligning that software to their needs.
I will be eager to keep an eye out, how this works out for Google and the other companies trying to build this. And again, it has its perks. I am just not sure if it is a fit for all companies out there.
PS: I find it funny that the story is being treated as big news. There are presentations available, that show the concept and work as early as 2013 – and the quoted paper was published in 2014.