Google's BeyondCorp is a bold step towards de-perimeterization of access. Rather than deriving trust from the network perimeter, the system works on the principle of "zero trust". That means trust is inferred by validating each access request, not from the network boundary the request originated in.

Typically, employee access to enterprise systems is provided by the ability to connect via VPN. A VPN extends the intranet into a secured extranet. A gating process authenticates a user before allowing a VPN channel to be created. Enterprise applications are generally reachable from the intranet, and once someone gets onto the intranet they can reach many enterprise applications; how strictly each request is validated then depends on the strength of the respective application's AAA mechanism. So a breach of perimeter security allows an attacker to breach internal applications relatively easily. With the growing mobility of users and the increasing use of BYOD, maintaining a network perimeter while providing a good user experience to employees becomes challenging. Google came up with BeyondCorp to implement the zero-trust approach.

BeyondCorp is built on the following premises:

Access requirements are organized into Trust Tiers representing levels of sensitivity. For example, a public application where very little or no sensitive information is stored or processed can be mapped to a low trust tier, so the requirements for attaining that tier are less stringent. Whereas a system handling highly sensitive information must be accessed by a user who has attained a higher trust tier, and attaining that tier requires a stringent claim validation process.

Any asset (servers, hosts, services, applications) is considered a Resource, and an enumeration of them is maintained in a management system. Every resource must be assigned to a trust tier.

The Trust Inferer is a system that continuously analyzes and annotates device state. It sets the maximum trust tier accessible by the device and assigns the VLAN to be used by the device on the corporate network.
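The following is an added illustration of the trust-tier model described above, not code from Google or from the BeyondCorp papers. It models a resource inventory with required tiers, a simplified Trust Inferer that derives a device's maximum tier from annotated device state, a VLAN assignment per tier, and an access decision that requires both the device tier and the user's claims to meet the resource's tier. The inference rules, tier names, VLAN names, and sample devices are all constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Trust tiers ordered by sensitivity (constructed names)."""
    UNTRUSTED = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class DeviceState:
    """Annotated device state as a Trust Inferer would collect it (constructed fields)."""
    device_id: str
    in_inventory: bool        # device is enumerated in the device management system
    disk_encrypted: bool
    os_patch_age_days: int    # days since the last OS patch was applied


@dataclass(frozen=True)
class UserClaims:
    """Result of the user's claim validation (constructed fields)."""
    authenticated: bool
    mfa: bool


@dataclass(frozen=True)
class Resource:
    name: str
    required_tier: Tier


@dataclass(frozen=True)
class Decision:
    allowed: bool
    device_tier: Tier
    effective_tier: Tier
    vlan: str


# Constructed resource inventory: every resource carries a required tier.
RESOURCES = {
    "public-docs": Resource("public-docs", Tier.LOW),
    "hr-portal": Resource("hr-portal", Tier.MEDIUM),
    "source-repo": Resource("source-repo", Tier.HIGH),
}

# Constructed VLAN mapping: the inferred tier decides which VLAN the device lands on.
VLAN_FOR_TIER = {
    Tier.UNTRUSTED: "vlan-guest",
    Tier.LOW: "vlan-low",
    Tier.MEDIUM: "vlan-medium",
    Tier.HIGH: "vlan-high",
}


def infer_device_tier(state: DeviceState) -> Tier:
    """Simplified Trust Inferer: maximum tier a device may reach (constructed rules)."""
    if not state.in_inventory:
        return Tier.UNTRUSTED          # unknown devices never exceed the guest tier
    if state.disk_encrypted and state.os_patch_age_days <= 30:
        return Tier.HIGH
    if state.disk_encrypted:
        return Tier.MEDIUM             # encrypted but stale patch level
    return Tier.LOW


def user_claim_tier(claims: UserClaims) -> Tier:
    """Tier the user's validated claims support (constructed rules)."""
    if not claims.authenticated:
        return Tier.UNTRUSTED
    return Tier.HIGH if claims.mfa else Tier.MEDIUM


def assign_vlan(tier: Tier) -> str:
    return VLAN_FOR_TIER[tier]


def authorize(state: DeviceState, claims: UserClaims, resource: Resource) -> Decision:
    """Per-request decision: trust comes from device state and user claims, not from the network."""
    device_tier = infer_device_tier(state)
    effective = min(device_tier, user_claim_tier(claims))
    return Decision(
        allowed=effective >= resource.required_tier,
        device_tier=device_tier,
        effective_tier=effective,
        vlan=assign_vlan(device_tier),
    )


# Constructed sample devices.
SAMPLE_DEVICES = {
    "laptop-managed": DeviceState("laptop-managed", True, True, 5),
    "laptop-stale": DeviceState("laptop-stale", True, True, 90),
    "byod-phone": DeviceState("byod-phone", False, True, 0),
}

if __name__ == "__main__":
    user = UserClaims(authenticated=True, mfa=True)
    for dev in SAMPLE_DEVICES.values():
        for res in RESOURCES.values():
            d = authorize(dev, user, res)
            print(f"{dev.device_id:15} {res.name:12} allowed={d.allowed!s:5} vlan={d.vlan}")
```

Note that the decision is evaluated for every request and that the effective tier is the minimum of the device tier and the user tier, so a fully authenticated user on a stale or unmanaged device is still held to the lower tier, which is the point of inferring trust from device state rather than from network location.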