Beyond the Edge

Article from Issue 159/2014

The eyes of the tech world are all on Google with the announcement that Google's Compute Engine cloud service is now open to the public. The new service is Google's answer to Amazon's AWS cloud system and is poised to capture some of the same customers. Many are predicting Compute Engine will be a game changer, as the sports addicts would say: a historic move that will change the whole landscape – and they might be right. If anyone has the power and personnel to take on Amazon, it is definitely Google, although it is worth remembering that, after striking it rich with search, Google's later attempts to swallow whole industries have not always been as successful as the experts predicted. (Anyone remember when Google Wave was supposed to take down Facebook?)

We will all be interested to see what comes of the great showdown between Google and Amazon, plus Oracle, HP, and a host of other tech titans who have entered the IT cloud thunderdome. But I'm also interested in another project at Google that might change a different game.

Googlers Jan Monsch and Harald Wagener gave a presentation at the recent Usenix LISA 2013 conference on a Google project called Beyond Corp. According to the talk, the mission of the Beyond Corp project is to "re-architect corporate services to remove any privilege associated with having a corporate address." This simple 13-word description might seem arcane, but the implications are enormous.

What these Googlers are really talking about is eliminating the whole concept of a perimeter defense protecting an internal network. As the speakers put it, "Firewalls don't help." Intruders have too many ways around them. The concept of a "perimeter" implies a hostile "outside" and an "inside" with a heightened level of trust. Google, and many security experts, find this concept obsolete. Why automatically assume that anyone who accesses the network from within the geographical region enclosed by the border routers has a right to be there? Maybe an intruder hooked up a laptop from an empty cubicle. Once you work through the implications of how to deal with this kind of scenario, the conversation quickly converges around the concept that zero trust might be the safest way to run a network. And once you decide you're not going to trust anyone on the local network, the difference between the inside and the outside starts to look quite rusty.

Part of Google's solution is to "move trust from the network level (IP address) to the device level." Every device on the network must authenticate. The authorization process is separate from authentication. The network has knowledge of the device state and maintains an inventory of device properties that serves as a means for ensuring the device hasn't been altered. All traffic on the network is encrypted.

The idea of devices authenticating to gain access to the network is nothing new. Some networks require authentication by MAC address to receive an IP address through DHCP. Google's plan takes this idea of restricted local access much further, with a much more elaborate investigation than a simple check of the MAC address.
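To make the contrast concrete, here is an added toy policy check in Python (not code from the talk or from Google) that sets the old perimeter rule, which trusts any inside address, beside the device-level rule the column describes: authenticate the device against an inventory first, then make a separate authorization decision from its recorded state. The device fingerprints, inventory entries, and resource policy are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional

# Constructed sample inventory: device certificate fingerprint -> last known
# owner and state. The fingerprints are placeholders, not real values.
DEVICE_INVENTORY: Dict[str, dict] = {
    "fp:alice-laptop": {"owner": "alice", "os_patched": True, "disk_encrypted": True},
    "fp:bob-laptop": {"owner": "bob", "os_patched": False, "disk_encrypted": True},
}
CORP_NET = ip_network("10.0.0.0/8")  # the "inside" of the old perimeter

@dataclass
class Request:
    src_ip: str
    device_fp: Optional[str]  # client certificate fingerprint, None if none presented
    user: Optional[str]       # authenticated user, None if not authenticated
    resource: str

def perimeter_allows(req: Request) -> bool:
    """Old model: any source address inside the corporate range is trusted."""
    return ip_address(req.src_ip) in CORP_NET

def authenticate(req: Request) -> bool:
    """Device-level model, step 1: the device must be in the inventory and
    must be presented by the user it is registered to."""
    rec = DEVICE_INVENTORY.get(req.device_fp or "")
    return rec is not None and req.user == rec["owner"]

# Step 2 is a separate authorization decision based on recorded device state.
RESOURCE_POLICY: Dict[str, Callable[[dict], bool]] = {
    "wiki": lambda rec: True,
    "source": lambda rec: rec["os_patched"] and rec["disk_encrypted"],
}

def device_model_allows(req: Request) -> bool:
    """Authenticate first, then authorize; the source address plays no role."""
    if not authenticate(req):
        return False
    check = RESOURCE_POLICY.get(req.resource)
    return check is not None and check(DEVICE_INVENTORY[req.device_fp])

# Constructed scenarios from the column: a laptop plugged into an empty cubicle,
# an employee on a known device from outside, and a known but unpatched device.
INTRUDER = Request("10.1.2.3", None, None, "wiki")
REMOTE_ALICE = Request("203.0.113.5", "fp:alice-laptop", "alice", "source")
BOB_SOURCE = Request("10.0.5.9", "fp:bob-laptop", "bob", "source")
```

The inside address of the cubicle laptop satisfies the perimeter rule but fails the device rule, while the employee at a remote address is refused by the perimeter and admitted by the device rule, which is exactly why inside versus outside stops mattering.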

Perhaps more interesting than the actual technology is the way Google is framing the problem – and their bold prediction that the corporate network will soon be a relic of the distant past. The IT network security space is dominated by huge hardware vendors like Cisco and huge IT software vendors like Microsoft. A whole generation of admins has grown up around a view of the network with the good guys on one side and the bad guys on the other, and with simple mechanisms for granting access to resources through passwords and group memberships. Google has no chance to ever conquer the firewall business, so why not just make firewalls obsolete – through technology, but also by projecting an alternative vision for what the network is and how to protect it. Recent revelations of government snooping, and the constant patter of stories about intruders stealing passwords and credit card numbers, indicate they might even be right.

Joe Casad, Editor in Chief
