Google releases details of cloud-native security system BeyondProd

Google Cloud is pulling back the curtain on how it has implemented security protocols in its own microservices architecture in the hopes that others adopting cloud-native computing will have a roadmap to follow.

Today, Google released a white paper on BeyondProd, the company’s cloud-native security architecture. BeyondProd follows a security industry trend that seeks to broaden security beyond the focus of preventing attackers from entering a system.

“Modern security approaches have moved beyond a traditional perimeter-based security model, where a wall protects the perimeter and any users or services on the inside are fully trusted,” wrote Maya Kaczorowski, Google’s product manager for container security, and Brandon Baker, horizontal lead for cloud security, in a blog post. “In a cloud-native environment, the network perimeter still needs to be protected, but this security model is not enough — if a firewall can’t fully protect a corporate network, it can’t fully protect a production network either.”

Google has led the move toward overhauling the way applications are built for online services by championing “microservices” or “cloud native computing.” By breaking applications into smaller, self-contained units, developers can significantly reduce the costs and time needed to write, deploy, and manage each one. To encourage that shift, Google open-sourced Kubernetes, a platform it created for managing these containerized applications, to the Linux Foundation, which now manages it through the Cloud Native Computing Foundation.

Naturally, one of the concerns such a fundamental shift raises is security. To that end, Google said it always emphasized security in its own transition to microservices. It describes BeyondProd as “the model for how we implement cloud-native security at Google.”

Five years ago, Google adopted a new internal network security model called BeyondCorp that targeted anyone using its corporate network. It then expanded that same dynamic to all machines and services that interact with its network, an extension it calls BeyondProd.

BeyondProd’s principles prioritize protecting the network’s edge, no default trust, greater confidence in any machine running software whose origin could be identified, and isolation between services that limited any potential damage.

The upshot is that because security is built into the fundamental architecture, microservice developers don’t have to worry about introducing flaws that could leave the entire network vulnerable, the authors write in the blog post.

“Over the years we designed and developed internal tools and services to protect our infrastructure that following these security principles,” the Google team wrote. “That transition to cloud-native security required changes to both our infrastructure and our development process. Our goal is to address security issues as early in the development and deployment lifecycle as possible — when addressing security issues can be less costly — and do so in a way that is standardized and consistent.”

Google Cloud also lists in the white paper many of the open source security tools it uses and offers guidance about how the general security fabric of networks can be reinforced.