Is there a better cloud native security technology?
The new generation of network security methods has moved beyond the traditional perimeter-based security model. In that model, a "wall" protects the perimeter, and any user or service inside it is fully trusted. In a cloud native environment the network perimeter still needs protection, but this measure alone is not enough: if a firewall cannot fully protect the corporate network, it cannot fully protect the production network either.

Cloud native technology helps organizations build and run flexible, scalable applications in new dynamic environments such as public, private and hybrid clouds. Representative cloud native technologies include containers, service meshes, microservices, immutable infrastructure and declarative APIs. These technologies make it possible to build loosely coupled systems that are fault tolerant, easy to manage and easy to observe. Combined with reliable automation, cloud native technology lets engineers make frequent, predictable, high-impact changes to a system with little effort.

In 2014, Google began rolling out BeyondCorp, a network security model for users accessing the enterprise network. BeyondCorp redefines enterprise network access on the principles of zero trust architecture. At the same time, Google also applied zero trust architecture to how it connects machines, workloads and services. That project is BeyondProd.

In BeyondProd, Google designed and practiced the following security principles:

Protect the network at the edge;

By default, there is no mutual trust between services;

Run code with known source code on a trusted machine;

Checkpoints for implementing consistent policies across services;

Simple, automated and standardized rollout of changes;

Isolation between workloads.

In short, through a set of controls and components, Google ensures that containers and the microservices running in them can be deployed securely, communicate securely and run securely alongside one another, without burdening individual microservice developers with the implementation details of infrastructure security.

About the translator: Chianxin Identity Security Lab, a professional laboratory under Chianxin Group that focuses on research into "zero trust identity security architecture", translated and published the first book on zero trust security technology, "Zero Trust Networks: Building Secure Systems in Untrusted Networks". Based on the technical idea of "zero trust security, new identity boundary", the team launched a zero trust identity security solution centered on "identity as the cornerstone, secure business access, continuous trust evaluation and dynamic access control". Taking the current state of the industry into account, the team has invested heavily in research on zero trust security architecture and product standardization, and has actively promoted the adoption of "zero trust identity security architecture" across the industry. Its solution has been widely deployed in ministries, central state-owned enterprises, finance and other sectors, and has been well received by the market and the industry.

BeyondProd: a new cloud native security method

Google has previously written several white papers introducing projects developed internally at Google that help improve security. This paper, BeyondProd, deliberately follows the concept of BeyondCorp: just as the perimeter security model no longer applies to end users, it no longer applies to microservices. Compare the BeyondCorp article: "The key assumption of this model is no longer valid: the perimeter is no longer just the physical location of the enterprise [data center], and what lies inside the perimeter is no longer a safe and trusted place to host personal computing devices and enterprise applications [microservices]."

This article describes in detail how multiple parts of Google's infrastructure work together to protect workloads in the architecture now called "cloud native". For an overview of Google security, please refer to the White Paper on Security Architecture Design.

The contents of this article are accurate as of February 2019. It represents the state of affairs at the time of writing only. As Google continues to improve the protections for its users, the security policies and systems of Google Cloud may change in the future.