Improve the security of your Google Workspace Environment: Protect users with BeyondCorp Enterprise

Marcin_Milewski


The zero trust security model is essential in today's enterprise environments. It supports the “new normal” of today’s work. While traditional security models rely on the assumption that everything inside a corporate network is trustworthy, most modern companies are thinking about strengthening their security and enabling users to work from anywhere - including untrusted networks. The concept of "never trust, always verify" sounds very attractive, and brings many benefits.

In this article, we'll take a closer look at the features of BeyondCorp Enterprise that you can implement to protect your Google Workspace users. We'll also provide an example use case to give you a sense of what kind of benefits BeyondCorp Enterprise can bring to your organization.  

What is BeyondCorp Enterprise?


BeyondCorp is Google’s implementation of the zero trust security model that's built upon a decade of Google experience, combined with ideas and best practices from the community. 

BeyondCorp supports:

  • Single sign-on
  • Access control policies
  • Access proxy
  • User- and device-based authentication and authorization

BeyondCorp principles are:

  • Access to services must not be determined by the network from which you connect 
  • Access to services is granted based on contextual factors from the user and their device
  • Access to services must be authenticated and authorized

While Google Workspace customers can benefit from features like context-aware access that are provided in Enterprise plans, BeyondCorp Enterprise is a natural extension to secure access to other applications and provide more controls.

BeyondCorp Enterprise features for Google Workspace

Customers who subscribe to BeyondCorp Enterprise get BeyondCorp Threat and Data Protection features. With these settings, we can enhance existing Chrome protections, protect against web-based threats, and use DLP rules to protect Chrome Browser.

BeyondCorp Enterprise integrates with Chrome Browser, and if you already manage Chrome Browsers in your organization, you can enhance security with these additional features.

Some of the BeyondCorp Enterprise use cases within Google Workspace include:

  • Warn or block the sharing of sensitive data through the Chrome Browser
  • Block access to URLs that are unsafe or not compliant with org policies
  • Block upload or download from certain web pages
  • Detect malware or ransomware while uploading files to Google Drive
  • Monitor file transfer and risky user activities to identify compliance or security risks
  • Control access to Google Workspace/SAML apps based on the context (part of Workspace Enterprise offering)

In addition to security features and controls, you also get more reporting capabilities across Chrome usage.

You can use the Rules audit log and the security reports in the Security dashboard to monitor security events related to the Chrome Browser.


The Security dashboard elements are:

What is required to set up BeyondCorp Enterprise in Google Workspace?

To set up BeyondCorp Enterprise and protect Chrome users, you will need: 

  • Chrome management. You have to manage Chrome Browser first. Depending on the operating system, you can use one of the available methods: Chrome Browser Cloud Management (to manage the browsers and the policies from the cloud and the Admin console), Chrome Managed Profiles (to apply the policies at the user level, not only on managed devices), or Chrome Device Management (when you manage Chrome family devices).
  • BeyondCorp Enterprise License, and the BeyondCorp Enterprise service enabled in the Admin Console (Apps -> Additional Google Services -> Turn the service on if disabled). If you want to learn more about pricing, reach out to our sales teams.
  • Enable Chrome Enterprise connectors so content gathered in Chrome is uploaded to Google Cloud for analysis. Depending on the content analysis, you will need to configure the policies.
  • Set up Data Protection rules to implement sensitive data detection for files that are uploaded and downloaded, and for content that is pasted or dragged and dropped.

Example use case

Chrome Browser Management together with BeyondCorp Enterprise brings a variety of security features, with one of them described below to help you understand how the implementation works. 

Blocking the file upload to certain websites

In this scenario, we will configure a DLP rule that prevents users from uploading files to Google Drive when they're located in a certain country.

1. Navigate to Devices -> Chrome -> Settings. In the ‘Chrome Enterprise connectors’ section, under ‘Upload content analysis’, turn on Google BeyondCorp Enterprise for the Org Unit where you would like to enable the policy.

In this example, we want to delay the file upload, and show the custom warning message to the user.

2. When the BeyondCorp Enterprise connector is enabled, you can go ahead and configure the DLP rule - navigate to the ‘Rules’ tab and create a new ‘Data Protection’ rule.


3. Provide the name and scope for the rule.


4. When the BeyondCorp Enterprise license is assigned to your organization, you will see that Chrome appears on the list of apps supported by the DLP.  In this case, we want to scan files when uploaded. 


5. Configure the conditions. In this example, the condition checks whether the URL contains the provided string. It can also be more complex to address your organization's requirements - you might use one of the predefined content matches or Custom RegEx.

Chrome DLP policies also allow setting the context - if you use Context-Aware access, you can use one of the previously created Access Levels to set the context when to apply the rule (e.g. you might want to limit the upload only when users are outside of your company network). In this example, the access level is based on the user location - Poland. 


6. Select the action (what happens when the conditions are met) - in our case, we block the upload and send the notification to the Alert Center with Medium severity.


7. Create and activate the rule.


8. Now that the rule is activated, you can test how the blocking mechanism works. Navigate to Google Drive using your test user, and try to upload a new file. You will notice that the file will be analyzed during the upload, using BeyondCorp Enterprise.


9. Since the user is located in Poland, during the upload of files to Google Drive, DLP will block that activity and additionally trigger an alert to the Alert Center for further admin investigation.
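
A local model of the rule built in steps 5 and 6, added here as an illustration (it is not Google's rule engine and not code from the original article): it dry-runs candidate "URL contains" strings against constructed upload events before a rule is activated. The plain-substring matching, the AND between the URL and access-level conditions, the condition strings, and the event fields are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class UploadEvent:
    """Constructed sample event; not a real Workspace log schema."""
    user: str
    url: str
    region: str  # country code of the user's location

@dataclass
class Rule:
    name: str
    url_contains: str          # step 5: "URL contains" condition (assumed substring match)
    access_level_regions: set  # step 5: context condition from an access level
    action: str = "BLOCK"      # step 6: block the upload
    alert_severity: str = "MEDIUM"  # step 6: Alert Center severity

def evaluate(rule, event):
    """Fire the action only when the URL condition AND the context condition hold."""
    if rule.url_contains in event.url and event.region in rule.access_level_regions:
        return {"action": rule.action, "alert": rule.alert_severity, "rule": rule.name}
    return {"action": "ALLOW", "alert": None, "rule": None}

# Constructed events: intended match, out-of-context user, and an unrelated
# site whose query string happens to mention the Drive hostname.
EVENTS = [
    UploadEvent("alice", "https://drive.google.com/drive/my-drive", "PL"),
    UploadEvent("bob", "https://drive.google.com/drive/my-drive", "DE"),
    UploadEvent("carol", "https://intranet.example.com/upload?ref=drive.google.com", "PL"),
]

def dry_run(rule, events=EVENTS):
    """Return {user: action} so a candidate condition can be reviewed before activation."""
    return {e.user: evaluate(rule, e)["action"] for e in events}

# Hypothetical candidate strings for the "URL contains" field.
LOOSE = Rule("Block Drive upload (PL)", "drive.google.com", {"PL"})
TIGHT = Rule("Block Drive upload (PL)", "https://drive.google.com/", {"PL"})

if __name__ == "__main__":
    for rule in (LOOSE, TIGHT):
        print(repr(rule.url_contains), dry_run(rule))
```

In this model the looser string also blocks the upload to the unrelated site, because the substring appears in its query string; the tighter string limits the match to Drive URLs.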


BeyondCorp features can be a great way to secure your users and their browsers. As we step into a future dominated by remote work and digital interconnectedness, BeyondCorp isn't just a security solution for Workspace admins - it brings many benefits for Google Cloud, and enables a zero-trust approach. It's the friendly usher guiding your enterprise into a more secure, efficient, and user-centric era.

If your organization is looking for additional security controls for Chrome Browsers, you should definitely try BeyondCorp Enterprise features within your Workspace account.

Thanks for reading and please leave a comment below if you have any questions! 
