To address security issues as early in the development and deployment lifecycle as possible, Google implemented a new approach to cloud-native security called BeyondProd. Google released a whitepaper to show how other companies can benefit from BeyondProd as well.
Cloud-native security steers away from the traditional perimeter-based security model in which all users or services on the inside are trusted.
“If a firewall can’t fully protect a corporate network, it can’t fully protect a production network either,” Google wrote in a blog post.
In 2014, Google introduced BeyondCorp, a network security model for users accessing the corporate network, which applied zero-trust principles to define corporate network access.
Google then applied these principles to connecting machines, workloads, and services, resulting in BeyondProd.
According to the company, BeyondProd is built around five properties: protection of the network at the edge; no inherent mutual trust between services; trusted machines running code with known provenance; choke points for consistent policy enforcement across services; and isolation between workloads.
“Altogether, these controls mean that containers and the microservices running inside them can be deployed, communicate with one another, and run next to each other, securely, without burdening individual microservice developers with the security and implementation details of the underlying infrastructure,” Google wrote.
It achieves this by applying concepts such as mutually authenticated service endpoints, transport security, edge termination with global load balancing and denial-of-service protection, end-to-end code provenance, and runtime sandboxing.
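As an added illustration (not Google's code and not taken from the whitepaper), the Go sketch below models how three of these properties combine at a single enforcement point: a service-to-service call is admitted only if the transport mutually authenticated the caller, the caller's binary digest appears in a provenance attestation, and the callee's policy names the caller identity. The SPIFFE-style identities, digests and policy entries are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Caller as seen by the callee. Authenticated must come from the transport
// (e.g. a mutually authenticated TLS handshake), never from a request header.
type Caller struct {
	ID            string // constructed SPIFFE-style service identity
	Authenticated bool
	BinaryDigest  string // hex SHA-256 of the binary the caller is running
}

// Provenance maps attested binary digests to the build that produced them.
// Constructed sample data; a real system would verify a signed attestation.
type Provenance struct{ attested map[string]string }

func (p Provenance) Known(digest string) bool { _, ok := p.attested[digest]; return ok }

// Policy lists, per callee, the caller identities it accepts. Evaluating it in
// one place gives every service the same check (the "choke point").
type Policy map[string][]string

var ErrDenied = errors.New("denied")

// Authorize enforces "no inherent trust": every call must pass all three checks.
func Authorize(callee string, c Caller, prov Provenance, pol Policy) error {
	if !c.Authenticated {
		return fmt.Errorf("%w: caller %q not mutually authenticated", ErrDenied, c.ID)
	}
	if !prov.Known(c.BinaryDigest) {
		return fmt.Errorf("%w: binary %s has no provenance attestation", ErrDenied, c.BinaryDigest)
	}
	for _, allowed := range pol[callee] {
		if allowed == c.ID {
			return nil
		}
	}
	return fmt.Errorf("%w: policy for %q does not name %q", ErrDenied, callee, c.ID)
}

// Digest returns the hex SHA-256 of a binary image.
func Digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

func main() {
	bin := []byte("constructed frontend binary v1")
	prov := Provenance{attested: map[string]string{Digest(bin): "build:frontend#1"}}
	pol := Policy{"checkout": {"spiffe://example.internal/ns/prod/sa/frontend"}}
	good := Caller{ID: "spiffe://example.internal/ns/prod/sa/frontend", Authenticated: true, BinaryDigest: Digest(bin)}
	fmt.Println("good:", Authorize("checkout", good, prov, pol))
	tampered := good
	tampered.BinaryDigest = Digest([]byte("unattested rebuild"))
	fmt.Println("tampered:", Authorize("checkout", tampered, prov, pol))
}
```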
Google also released guides for companies wanting to build a similar architecture using Google Kubernetes Engine, Anthos and open-source tooling.