How Google’s IAP can help you to enable remote work during the Coronavirus outbreak.
Updated: Mar 16, 2020
In Wake of the Coronavirus pandemic, corporations all over the world have decided to act preemptively. Instead of waiting for employees to stop showing up to work, due to quarantine, failure of public transportation or worse, they have instructed their employees to work from home. The technology for this shift is far from being noval,and it comes in different forms - VPN (Virtual Private Networks), SaaS applications, conferencing software and other solutions. These solutions have typically been used to cater to the specific needs of small employee groups, such as roaming salespeople, on call IT people etc. Now, these specialized solutions will be put to the test as whole workforces will start working remotely over the internet for extended periods of time.
One innovative framework stands out from the rest, in the sense that it has been designed from the ground up to face this exact paradigm shift. First conceived by John Kindervag in 2010 and later improved upon by forward thinking organizations such as Google’s Beyond corp, Gartner’s CARTA and others. It was born out of a simple realization - that the traditional security approach which assumes that “a corporate computer network holds all of the organization’s sensitive assets, and if locked down properly, these assets will be protected” is no longer valid.
This realization stems out largely from the following factors:
Companies are using more cloud services, meaning their assets are directly connected to the corporate network.
Globalization has created a strong need to work remotely, so the users aren’t connected to the corporate network either.
In most cases, after an attacker compromises network perimeter, there will be very little or no security controls stopping him from reaching sensitive assets.
These factors and others have created a need for a new type of security framework, a framework that’s geared towards dispersed networks to begin with, lacking the choke points in which one can apply security controls like before - the Zero Trust framework.
Implementing a full Zero Trust network access solution has great benefits, but unfortunately it isn’t something a company can expect to achieve in a short time span, certainly not while battling the different side effects of the Coronavirus outbreak. However, it can use the building blocks cloud providers have to achieve their near future goals of allowing their workforce a secure and seamless experience while working from home during this difficult time.
Google’s Identity Aware Proxy (IAP) provides the following:
Allow secure remote access to google cloud and local applications.
Manage access based on “Context” - identity, location, device etc.
Enables encrypted tunnel access to Cloud assets.
Secure Key enforcement for high value users.
How does it work?
When accessing a google cloud http/s application:
Step 1 - The user tries to access a cloud asset, via a Cloud load balancer or to the Google Application Engine.
Step 2 - The Cloud load balancer or App engine will check the user’s browser for an authentication cookie (meaning he was already authenticated)
Step 3 - If the user doesn’t have a valid cookie, he will be redirected to the OAuth 2.0 Google Account sign-in flow that stores a token in a browser cookie for future sign-ins. If the user successfully authenticates, his role to see he is allowed to access the requested resource. If this check passes as well, the user will be redirected back to the resource and granted access.
When accessing an on-prem application:
Steps 1 through 3 - same as when accessing a google based application.
Step 4 - the user’s request will be routed through the IAP connector to a Cloud Interconnect (site to site VPN from GCP to your on-prem gateway).
What can I connect to these solutions?
Currently, Google supports the following types of resources you can connect to with IAP:
Applications in Google Application Engine.
Applications hosted on a google instance behind a GCP Cloud Load Balancer.
Applications hosted on Google Kubernetes Engine.
Applications hosted on on premise and connected via Cloud Interconnect.
Application inside the Google cloud via Tunneling (TCP forwarding).
Note: The last type (TCP forwarding) requires launching a command line tool which exposes the tunnel endpoint on your workstation, as is geared mainly at developers, IT admins and other technical users.
What will my users experience?
If you are using the regular Google authentication mechanism, your user should be prompted to login to his Google organization account as usual, and after that he will be redirected to the application he requested.
Note: There are other types of authentication methods available which are beyond the scope of this article, including programmatic authentication for mobile devices for example. More information on these can be found here - https://cloud.google.com/iap/docs/identity-howto
If a user has no access, this is what he’ll see after logging in:
What types of access restrictions can I apply?
You can restrict access based on a google mechanism called access level. When you create an access level, you essentially define a set of rules to determine if access will be granted. You may create multiple access levels, for example “high”, “medium” and “low” and for each of these a different set of rules the users need to adhere to in order to use each level. The rules consist of conditions such as ip address, geo location, device type (https://cloud.google.com/access-context-manager/docs/access-level-attributes) and these may be used with logical operators such as “AND”,”OR” and they can even be nested.
How do I monitor the solution?
Logging for IAP is done via Google’s Cloud Audit Logging. After configuration, the logs are visible in the logs page of your project. After that, you could process them in many ways, for example send them to your SIEM or respond to the via a cloud function. Some more information available here -
Some good links for learning how to set up IAP:
For a free consultation session on setting this and other DevOps and Cloud Security projects up, contact us here - http://www.nox90.com/free-consultation