Google's Plan To Kill the Corporate Network
mask.of.sanity writes "Google has revealed details on its Beyond Corp project to scrap the notion of a corporate network and move to a zero-trust model. The company perhaps unsurprisingly considers the traditional notion of perimeter defense and its respective gadgetry as a dead duck, and has moved to authenticate and authorize its 42,000 staff so they can access Google HQ from anywhere (video). Google also revealed it was perhaps the biggest Apple shop in the world, with 43,000 devices deployed and staff only allowed to use Windows with a supporting business case."
Wow (Score:2, Insightful)
Wow, Google has invented the VPN! What great innovators.
eh, Google no eat own dogfood? (Score:4, Insightful)
why use so many Apple computers when there's your own awesome Chromebook [google.com]?
Zero Trust (Score:4, Insightful)
Looooooong game (Score:1, Insightful)
Google lives in a fantasy world, where the WAN is as fast as the LAN. For me, both at home and in the workplace, you're talking about two and a half orders of magnitude difference. That's the whole reason all this cloud stuff, streaming (as opposed to download) video, etc all seems so bizarrely alien. You're talking about such a tremendous performance downgrade, that I just can't begin to really take it seriously.
I suppose the thinking is that they are planning for the future, when some day the WAN gets reasonably fast, where my home and business DSL line is replaced with fiber. Cool. Be ready, Google. But how are you going to spend those decades of waiting? Some cons are a little too long, IMHO.
Re:how would it work in the real world? (Score:5, Insightful)
Both of my daughters have work issued Macs. One is in education and the other a tech company. When you look at the cost of a computer compared to the salary (and benefits) for an employee over the life of the computer, the cost of even an "expensive" computer is a small rounding error. In addition, the cost of protecting and cleaning up Windows computers is non-trivial and the cost of a data breach can be enormous.
This is not just a VPN, it is a VPN from a known, verified secure computer.
? MS Access... what a joke.
Re:eh, Google no eat own dogfood? (Score:5, Insightful)
Perhaps, because it is still primarily a content consumption device and not a content creation device.
This. Content consumption =/= content creation. Sadly, the nuance is missed by many in this supposedly nerd realm that Slashdot is supposed to be.
Perimeter-less networks (Score:5, Insightful)
From a security perspective, Google is right about the notion that your internal corporate network being "safe" is dead. Between all the laptops, tablets, smartphones and very portable USB devices, there really isn't a secure perimeter on your network. Security needs to be applied at each entry point to the network, whether that is wired (internal or external doesn't matter), wireless or virtual.
The summary implied that the need for security devices goes away once you give up the idea of a perimeter, but that isn't the case at all. The form that security comes in may change, but you still need it. Authenticated users connecting via secure tunnels doesn't eliminate the risk of malware, so you still need IPS and anti-malware devices (Fidelis, FireEye, etc.) to protect your company assets from valid authenticated users.
If you can't trust any of the devices on your network, then you need to inspect 100% of the traffic entering the network.
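The "VPN from a known, verified secure computer" point earlier in the thread and the device-trust argument in this comment both come down to a single access decision per request. The following is an added example, not Google's BeyondCorp code and not from any poster; the device inventory, user directory, resource policy and tier thresholds are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed device inventory (hypothetical): the "known, verified" state an
# access proxy consults before a device is allowed to reach anything.
DEVICE_INVENTORY = {
    "laptop-0042": {"managed": True, "encrypted": True, "patched": date(2015, 4, 20)},
    "laptop-0077": {"managed": True, "encrypted": True, "patched": date(2015, 1, 5)},
    "byod-phone-1": {"managed": False, "encrypted": True, "patched": date(2015, 4, 1)},
}
# Constructed directory: which groups each authenticated user belongs to.
USER_GROUPS = {"alice": {"eng"}, "bob": {"sales"}}
# Constructed resource policy: minimum device tier and permitted groups.
RESOURCES = {
    "wiki": {"min_tier": 1, "groups": {"eng", "sales"}},
    "source": {"min_tier": 3, "groups": {"eng"}},
}
PATCH_WINDOW = timedelta(days=30)  # hypothetical freshness requirement

def device_tier(device_id, today):
    """Tier 0: unknown device. 1: known but unmanaged or unencrypted.
    2: managed and encrypted but stale patches. 3: managed, encrypted, current."""
    dev = DEVICE_INVENTORY.get(device_id)
    if dev is None:
        return 0
    if not dev["managed"] or not dev["encrypted"]:
        return 1
    if today - dev["patched"] > PATCH_WINDOW:
        return 2
    return 3

def authorize(user, device_id, resource, today):
    """Decide one request the way a BeyondCorp-style access proxy would:
    identity, device state and resource policy all have to agree, and the
    network the request arrives from plays no part in the decision."""
    policy = RESOURCES.get(resource)
    if policy is None:
        return False, "unknown resource"
    groups = USER_GROUPS.get(user)
    if groups is None:
        return False, "unauthenticated user"
    if not groups & policy["groups"]:
        return False, "user not in an allowed group"
    tier = device_tier(device_id, today)
    if tier < policy["min_tier"]:
        return False, f"device tier {tier} below required {policy['min_tier']}"
    return True, f"allowed at device tier {tier}"
```

A device that drifts out of the patch window silently loses access to the higher-tier resource while keeping the lower-tier one, which is the behaviour the "known, verified" qualifier implies.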
Re:Why? (Score:0, Insightful)
But they're still smarter than the average cat.
Re:Looooooong game (Score:5, Insightful)
Google lives in a fantasy world, where the WAN is as fast as the LAN. For me, both at home and in the workplace, you're talking about two and a half orders of magnitude difference. That's the whole reason all this cloud stuff, streaming (as opposed to download) video, etc all seems so bizarrely alien. You're talking about such a tremendous performance downgrade, that I just can't begin to really take it seriously.
I suppose the thinking is that they are planning for the future, when some day the WAN gets reasonably fast, where my home and business DSL line is replaced with fiber. Cool. Be ready, Google. But how are you going to spend those decades of waiting? Some cons are a little too long, IMHO.
But how much data do you really need to send to your home computer?
I deal with multi-terabyte datasets every day, and can work just as effectively from home as I do from the office since my data lives on the server and I never need to bring it down to my computer. I rarely even compile code on my local computer anymore since it's so much faster to do builds on the 16-core 32GB servers than on my little 4 core 8GB home computer (and even worse on the old 2core 4GB laptop).
Likewise, I don't have a Windows computer on my desk - I remote desktop to the Windows Terminal Server when I need to run a Windows app. As long as I'm not streaming video, it works just as well from home (~12mbit DSL) as it does from the office.
Re:What about apples higher price and lack of hard (Score:5, Insightful)
You're kidding, right? Google - home of the cloud - is going to worry about local storage limits on drone machines. And...again...drone machines - onboard video is probably 4x as fast as they need it to be for nearly all conditions. They've rolled out fiber in an entire town; I'm going to guess that they've got a pretty speedy wireless system on campus.
Apple hardware is very limited if (a) you're looking for a bargain and aren't on a corporate buying plan, or if you're a hardcore gamer, or if you are running massive analysis software, or you are locked into industry software packages which are platform locked. None of that is an issue for desk machines at Google.
I'm not, in any way an Apple fan, but pretty much none of the problems you state are of any consequence to their usage profile.
Re:eh, Google no eat own dogfood? (Score:5, Insightful)
In my experience, a lot of companies buy whatever they can get a bulk price on and which someone in purchasing deems "good enough".
Resulting in employees with slow machines on which they're expected to be productive.
Hell, at an old job they bought a crap-load of new Dell boxes, and the native aspect ratio of the monitor was a non-standard thing in which a circle was drawn as an oval because the monitor was optimized for watching movies at 720p, but not for actually being a monitor (its native aspect ratio was oblong pixels). Oh, and the machines came with 4GB of RAM, the OS they came with could only see 3GB of RAM, and it wasn't possible to install a newer OS on it because there were no drivers available.
In short, never underestimate how crappy of a machine companies will buy for their employees if it saves them a few bucks. Because many of them do it all the time.
Re:Wow (Score:5, Insightful)
What they're saying is that the idea of border security is a bad model. One compromised system on the inside and you're pretty much done. IDS and DPI are good ideas but they aren't effective enough. Breaking into any corporate network is as easy as spamming its users with social-engineering-laden email. Get them to click on a link and you own their soft, squishy, zero-day-vulnerable desktops. Keylog and steal their credentials and you've got a jumping off point to worm into the rest of their network. It's that easy.
What they're saying is once you move to a trust-nothing model, why bother investing in a huge corp network when you can't trust it anyway? When you don't have a big corp network, what are the advantages of running your own services over purchasing them from someone else? Like Google?
Re:Wow (Score:5, Insightful)
Because we're dealing with zero trust.
That ALSO means I don't necessarily trust a 3rd party host either.
Re:Wow (Score:4, Insightful)
"Why bother investing in a huge corp network when you can't trust it anyway?"
Redundancy in security.
And it's in hand. You can fix it, expand it, modernize it, control it, instead of shifting all that responsibility to some third party to which you are merely another customer.
Trusting nothing, protection at machine level, the user level, the application level and the data level will not do away with the corporate networks.
If anything, it may have the opposite effect, and encourage more use of such wholly-owned networks, perhaps melded with some cloud services.
But the sooner we move away from the Maginot Line mentality for our networks the better.
It may seem counter-intuitive in the physical world, but a point defense system is easier to implement in computer networks than in the real world. Each computer should protect itself. Build this in from the beginning and it just happens naturally: each computer, each file, each application. Because relying on the stockade to keep out the attackers hasn't actually worked that well in the physical world, and costs a boatload of money and expertise in the network world.
What good is IPv6 if we all have to hide behind firewalls forever?
Re:Wow (Score:5, Insightful)
I can just imagine the military "Fuck the perimeter, if the enemy gets inside the base it's going to be all knives and hand to hand combat anyway. Sell the guns boys, we're all getting HUGE KNIVES!"
RL military analogies often map poorly to network security space yet it rarely prevents people from making them anyway.
Re:Wow (Score:5, Insightful)
As the senior admin for such an outsourced network, I can tell you what will happen about 2 to 3 years after you migrate to an outsourced service like this.
"We're deprecating the ODBC connection as of January 1... no worries we've got a great new API and it accepts SQL!"
"To reduce system load and improve overall performance of your system we're limiting SQL requests to 100k rows"
"To enhance SQL efficiency we've written our own proprietary query language called FU-SQL, it's fantastic"
"We're aware that some of our customers are not happy with speed of FU-SQL so we've limited the number of joins you can make in a select statement to 1"
"To reduce costs for our customers we now bill our FU-SQL module separately, if you don't use it you don't have to pay for it! If you would like the unneeded additional FU-SQL feature it will be billed at $150k/year"
"Due to lack of interest FU-SQL has been discontinued, if you need mass access to your data please contact our professional services"
At this point they start doubling the price of their service every time you sign a new contract. Then your boss will ask you why your quote for migrating the network somewhere else was "A Metric Shitton of money"
Have fun with your outsourced network!
Re:how would it work in the real world? (Score:2, Insightful)
Yes, it's called "using a corporate Windows load" which includes lots of crapware to ensure that e-discovery, garbage databases, mandatory drive encryption, company anti-virus, trusted computing, and whatever other garbage works. You probably don't run a bunch of that stuff with roaming AD profiles at home, and at home, it's probably not managed by people who learned on-the-job from a bunch of solutions which were cobbled together over a period of years by people who did not communicate or document anything.
My work laptop takes literally 12-15 minutes to cold boot into a usable, logged-in Windows 7 desktop. I am a professional [Unix] sysadmin with ~20 years of experience and could easily make this workstation boot much faster (either with a better OS or a better config for the current one), but one of the trade-offs of my current job is that we all use Windows workstations and we do not have local admin. Fine. It's not my computer, and I definitely bill that boot-up time when it happens every couple of weeks. I'd rather have a Linux box, but whatever; every job has something annoying about it, and this is pretty low on the list of problems one might encounter at work. :)