BeyondCorp
A new approach to enterprise security.
What is BeyondCorp?
BeyondCorp is Google's implementation of the zero trust model. It builds upon a decade of experience at Google, combined with ideas and best practices from the community. By shifting access controls from the network perimeter to individual users, BeyondCorp enables secure work from virtually any location without the need for a traditional VPN.
BeyondCorp at Google
BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN. Now, BeyondCorp is used by most Googlers every day to provide user- and device-based authentication and authorization for Google's core infrastructure and corporate resources.
BeyondCorp research papers
These research papers describe the story of BeyondCorp at Google, from concept through implementation:
- An overview: "A New Approach to Enterprise Security"
- How Google did it: "Design to Deployment at Google"
- Google's frontend infrastructure: "The Access Proxy"
- Migrating to BeyondCorp: "Maintaining Productivity while Improving Security"
Components of BeyondCorp
BeyondCorp allows for single sign-on, access control policies, an access proxy, and user- and device-based authentication and authorization. The BeyondCorp principles are:
- Access to services must not be determined by the network from which you connect
- Access to services is granted based on contextual factors from the user and their device
- Access to services must be authenticated, authorized, and encrypted
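The three principles above can be read as the inputs to an access-proxy decision. The following sketch is an added example, not Google's code or part of the original page; the service names, the policy table, and the device attributes (`device_managed`, `device_patched`) are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Request:
    source_ip: str          # kept for logging only; never read by decide()
    user: Optional[str]     # identity from single sign-on, None if unauthenticated
    groups: frozenset       # groups of the authenticated user
    device_managed: bool    # hypothetical attribute: device is in the inventory
    device_patched: bool    # hypothetical attribute: device meets patch baseline
    tls: bool               # connection to the proxy is encrypted

# Hypothetical per-service policy: required group and device posture.
POLICY = {
    "payroll": {"group": "finance", "managed": True, "patched": True},
    "wiki": {"group": "staff", "managed": False, "patched": False},
}

def decide(service, req):
    """Return (allowed, reason). The source network is not an input."""
    rule = POLICY.get(service)
    if rule is None:
        return False, "no policy for service"      # default deny
    if not req.tls:
        return False, "unencrypted"                # principle 3: encrypted
    if req.user is None:
        return False, "unauthenticated"            # principle 3: authenticated
    if rule["group"] not in req.groups:
        return False, "user not authorized"        # principle 3: authorized
    if rule["managed"] and not req.device_managed:
        return False, "unmanaged device"           # principle 2: device context
    if rule["patched"] and not req.device_patched:
        return False, "device below patch baseline"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample requests: same user and device, different networks.
    office = Request("10.0.0.5", "alice", frozenset({"finance", "staff"}),
                     True, True, True)
    cafe = replace(office, source_ip="203.0.113.7")
    byod = replace(cafe, device_managed=False)
    for label, r in (("office", office), ("cafe", cafe), ("byod", byod)):
        print(label, decide("payroll", r), decide("wiki", r))
```

The office and cafe requests get identical decisions because `source_ip` never enters the evaluation (principle 1), while the unmanaged device loses access to the stricter service only.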
Google's BeyondCorp mission (2011–present)
To enable every Google employee to work successfully from untrusted networks without the use of a VPN.
BeyondCorp for everyone
BeyondCorp can now be enabled at virtually any organization with BeyondCorp Remote Access—a cloud solution that can help you rapidly deliver secure remote access to web apps and cloud services through Google’s global network, allowing your employees and extended workforce to access the apps they need from virtually any device, anywhere, without a traditional remote-access VPN.
Additional resources
- Manage your users, devices, and apps with Cloud Identity
- Guard access to your apps and VMs with Identity-Aware Proxy
- Help keep your organization secure with Google Cloud
Branding guidelines for using the BeyondCorp trademark:
You can use the BeyondCorp name on your website or in print without pre-approval, provided you follow these basic guidelines.
You may display or use the BeyondCorp name only in connection with compliant implementations of BeyondCorp and related uses in the following ways: display or use of the BeyondCorp name in connection with your compliant implementation; your integration with a compliant implementation; your support for a compliant implementation; your BeyondCorp-compatible product; or in collateral, presentations, and marketing materials relating to compliant implementations of BeyondCorp.
Use of the BeyondCorp logo or other Google brands in ways not expressly covered by this document is not allowed without prior written consent from Google (see the Guidelines for Third Party Use of Google Brand Features for more information). Send requests to beyondcorp-trademark-external@google.com.