UPDATED 12:00 EDT / DECEMBER 17 2019

Google unveils BeyondProd framework for implementing cloud-native security

Following the success of its BeyondCorp framework for network access, Google LLC is pitching another model it has adopted for securing its cloud-native information technology architecture.

BeyondProd, as the new model is called, is the subject of a new white paper that details how Google has implemented cloud-native security principles within its organization.

Google developed BeyondProd to secure its modern, cloud-native computing infrastructure, which runs almost exclusively on software containers and is governed by Borg, the precursor to the company’s popular Kubernetes container orchestration tool.

Cloud-native architectures are built from microservices: components of modern applications, hosted in software containers, that split workloads into smaller, more manageable units. Google says such architectures require a fundamentally new security model, since the old approach of protecting the corporate network with a perimeter firewall no longer suffices.

“In a cloud-native environment, the network perimeter still needs to be protected, but this security model is not enough — if a firewall can’t fully protect a corporate network, it can’t fully protect a production network either,” Maya Kaczorowski, product manager of container security, and Brandon Baker, horizontal lead of cloud security at Google, wrote in a blog post.

Google’s BeyondCorp is a “zero-trust” security framework that shifts access controls from the perimeter to individual devices and users, allowing employees to work securely from any location without the need for a traditional virtual private network. With BeyondProd, Google is implementing similar zero-trust principles to how it connects machines, workloads and services.

Those principles are based on the idea that there’s no inherent mutual trust between services and that there should always be isolation between workloads. Other principles applied include protection of the network at the edge, trusted machines running code with known provenance, and the need for choke points to ensure consistent policy enforcement across services, such as ensuring authorized data access.

“BeyondProd applies concepts like: mutually authenticated service endpoints, transport security, edge termination with global load balancing and denial of service protection, end-to-end code provenance, and runtime sandboxing,” Kaczorowski and Baker said.

Through these principles, BeyondProd ensures that containers and microservices can be deployed and run, and communicate with each other in a secure fashion. Moreover, it removes the burden of implementing security from application developers, who can instead focus on writing their apps.

“Security functionality requires little to no integration into each individual application, and is instead provided as a fabric that envelops and connects all microservices,” Kaczorowski and Baker added.

Constellation Research Inc. analyst Holger Mueller told SiliconANGLE that Google had little choice but to continue pushing the security envelope with BeyondProd, as the launch of its Google Anthos platform for building hybrid applications extends its reach beyond its own data centers.

“Google had to establish a more advanced security protocol and architecture,” Mueller said. “The good news for enterprises is that advances in security mean more productive developers for secure next-generation applications.”

Just as with BeyondCorp, Google is hoping to convince other organizations to adopt its model for cloud-native security.

“By applying the security principles in the BeyondProd model to your own cloud-native infrastructure, you can benefit from our experience, to strengthen the deployment of your workloads, how their communications are secured, and how they affect other workloads,” Kaczorowski and Baker said.

Image: MasterTux/Pixabay
