Google Workspace vs BeyondCorp

Hey, Google Workspace admins. This is Goldy again. Recently, someone asked what the difference is between BeyondCorp and Google Workspace, because they are already using Google Workspace Enterprise Plus. Their question was: why should we complement our Google Workspace subscription with BeyondCorp?

So I thought I'd make this quick video to help you understand the difference; hopefully after this video you will have that clarity. So, what's the difference between Google Workspace and BeyondCorp? I assume that you are already running a Google Workspace Enterprise subscription, which comes with Context-Aware Access. That lets you create conditional access policies based on context, whether it's user-side context, like the IP address or the geographic location, or device context, such as whether the device is encrypted, company-owned or personally owned. All that context is leveraged when making the decision whether you will have access to a given resource or not.

So that comes with the Google Workspace Enterprise subscription. It's called Context-Aware Access.

If you are not running Google Workspace Enterprise yet, then this video might not help. I recommend you go back and see if you should upgrade to the Enterprise edition to get Context-Aware Access, because that will then be the first step in your journey towards zero trust in Google Workspace.

Okay, so now, assuming you already have this in place, you can certainly create Context-Aware Access policies, which will allow or deny access to Google Workspace resources.

Now, to understand why you need BeyondCorp, or why you should complement Google Workspace with BeyondCorp, let's look at the nature of Context-Aware Access control: it is binary, and the scope it offers is limited.

So, number one, Context-Aware Access is binary, which means that once you leverage the context to decide whether a user will or will not have access to a certain set of applications, that decision is binary.

The user will have access or will not have access based on the context. Okay, the second thing is the limited scope of Context-Aware Access.

It can be applied to Google Workspace native applications such as Gmail, Drive, Meet, Chat, etc., and to SAML applications where Google is acting as your identity provider.

Okay, so why do you need BeyondCorp then? Or why should you complement Google Workspace with BeyondCorp? Let's take both of these points, binary access control and limited scope, and see how BeyondCorp can help us go one step further.

So, for example, let's say that based on my context I can log in, or I can access Google Drive. But what if we want to make a policy saying a user cannot download or upload sensitive content from or to Google Drive? That will come under BeyondCorp. If you need more protection from malware and phishing, plus alerting, that will also come under BeyondCorp.

So if you just need more controls, but your scope will still be SAML applications, Google Workspace native applications, or any web app that is accessed through Google Chrome as the browser, you can go with BeyondCorp Enterprise Essentials, which is primarily meant for Google Workspace customers.

I have one more video which talks about which plan you should subscribe to.

Now, before I show you the second part, which is enhancing the scope so you can cover more applications, let me show you a quick demonstration to make the point we just discussed. Okay, so here is my Google Workspace dashboard.

And as you see here, this instance is running in Canada. Okay, and my Context-Aware Access policy says that if the request is not coming from the United States, then they'll have access, but only to non-sensitive applications like Chat and Meet. They won't have access to Google Drive and Gmail.

And to prove that: first, let's see, the user identity is bce@mydomain.com. If I go to, let's say, Google Meet, I should be able to access Google Meet, and if I search "what's my IP", you will see that it's running in Canada. Okay, so I have access to Google Meet as expected, but if I go to Google Drive, it should be rejected.

It says you can't access it from this location, because the request is coming from outside the US. Okay, now let me go to my other browser here, and if I do a quick refresh, you can see that this instance is indeed running in the US. So that means I should be able to access Google Drive, and that should be the case.

Let me show you. It's the same user ID, so now when I click on Google Drive, you will see that I have access, because the request is indeed coming from the US. Okay?

Now, Context-Aware Access has done its part so far. I was denied access to Google Drive because my context didn't meet the required conditions.

Here I was able to access Google Drive because I met the required context or conditions. Okay?

Now the Context-Aware Access part is over here, in terms of granting access. Okay? That's binary.
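As an added example (it is not part of the video, and not Google's own sample), this is what the demo's "request must come from the United States" condition looks like when written as a basic access level spec for the `gcloud access-context-manager levels create` command, with a device-context condition of the kind mentioned earlier added alongside it. The level name `us_only`, the policy number placeholder and the file name are assumptions; `regions`, `devicePolicy` and the attributes under it are real fields of the basic-level-spec format.

```yaml
# Added example (assumed names). Intended to be saved as us_only.yaml and loaded with:
#   gcloud access-context-manager levels create us_only \
#     --policy=POLICY_NUMBER --title="Request from US on a managed device" \
#     --basic-level-spec=us_only.yaml --combine-function=and
# POLICY_NUMBER is a placeholder for your organization's access policy ID.
# Each list item is one condition. Conditions are OR-ed by default;
# --combine-function=and requires every condition to hold.
- regions:
  - US                       # ISO 3166-1 alpha-2 code of the request's origin country
- devicePolicy:
    requireCorpOwned: true   # only company-owned (inventoried) devices
    requireScreenlock: true
    allowedEncryptionStatuses:
    - ENCRYPTED              # reject devices whose disk is not encrypted
```

The same rule in the advanced (CEL) form would be `origin.region_code == "US" && device.is_corp_owned_device == true && device.encryption_status == DeviceEncryptionStatus.ENCRYPTED`. Once the level exists it is assigned to Drive and Gmail on the Context-Aware Access page of the admin console, and because Workspace and Google Cloud share the same Access Context Manager policy, the identical level can gate an IAP-protected App Engine app through an IAM condition on `roles/iap.httpsResourceAccessor`, for example `"accessPolicies/POLICY_NUMBER/accessLevels/us_only" in request.auth.access_levels`. Note what this does not do: nothing here looks at the content of a file once access is granted, which is exactly the binary limitation the video goes on to address with the DLP controls in BeyondCorp Enterprise.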

So I have two documents here. The first one is the Good Boy document, and the second one is the private document.

The Good Boy document doesn't have anything sensitive in it, so users should be fine downloading it. But the private document has some sensitive information. Okay, I'm just using a secret keyword here, but it can be anything that you would consider sensitive.

If you need to apply a policy where users should be able to download Good Boy but not the private document, because it's sensitive in nature, that part will be solved by BeyondCorp Enterprise.

And let me show you that. So if I'm on Good Boy and I click on download, I should be able to download it fine. You will see the scan happening in the bottom left-hand side, right here, and once the scan is done it says the security checks are done and you have downloaded the document. But now let's try that on the private document.

The scan is taking place again, and as you will see very soon, it says: sorry, this document has private or sensitive information. You can review the message, which your admin can, for sure, customize to come up with better wording. But the idea is that you can control what happens after the user has got access to the resource based on the context.

You can take a step further with BeyondCorp and control what happens after the user got access. And it's not just limited to Google Workspace applications such as Google Drive. Let's take another example. This is my Dropbox, for the same user.

What I'm going to do is click on upload and try to upload a file.

It's the same private document, which has that sensitive information. When I click on upload, you will see the scan taking place within Chrome, and you get a message which says you're not allowed to. I forgot to change the message, but essentially it says: no, brother, you can't upload, because it has sensitive content.

Okay, so this is how Google Workspace can be complemented with BeyondCorp Enterprise Essentials, if your plan is to have Context-Aware Access plus take a step further and control what happens after a user gets to the resource based on the context.

So you should be able to do things like data loss prevention, copy and paste prevention, print prevention, and upload prevention if the data contains sensitive information, plus malware and phishing protection, and everything will be logged, so you can leverage those logs to enhance your security posture.

That's the first thing that can be solved with Google BeyondCorp Enterprise Essentials, primarily meant for businesses that are using Google Workspace.

Now let's take the second one, which is the scope, because whatever we saw so far is scoped to, I would say, three things: Google Workspace applications; SAML applications where Google is being used as the identity provider; and any other application where Chrome is being leveraged, like Dropbox, Box, Salesforce, etc.

But if you need to extend your scope even more, how about the applications that you have running inside Google Cloud, maybe an App Engine app or a Compute Engine app, or in fact applications running in Azure AD or Amazon Web Services, or in your local infrastructure?

If you need to put the same kind of condition-based continuous access on those, how would you do that? You can again complement it with a BeyondCorp Enterprise subscription.

Again, Enterprise Essentials is primarily meant for Google Workspace customers who would like more controls on Google Workspace, plus SAML apps, plus third-party apps running in the browser (SaaS apps), where you need data loss prevention, etc. Google BeyondCorp Enterprise is meant for everything; that's the highest tier, and I have a separate pricing video. With it you can have the same controls on apps running in Google Cloud, in other clouds, and also on-prem.

I have this App Engine application called iap.mydomain.com.

Before I can access that app, it is asking me for context. So, for example, when I log in, it's going to ask me for my credentials, and now I can see the application.

So, going back to the scenario: if you just need basic access control in Google Cloud Platform that leverages user-side context, such as the user's IP range and location, that's available within GCP itself, based on Identity-Aware Proxy.

But if you need to take a step further and leverage device context, browser context or partner signals, or if you need to protect applications running on-prem and in other clouds, then you should go with BeyondCorp Enterprise.

If you have Google BeyondCorp Enterprise, you can get everything that’s shown here.

So I hope this video might have given some clarity on when you should complement your Google Workspace or Google Cloud platform subscription with Google BeyondCorp Enterprise Essentials or BeyondCorp Enterprise.

If you have any questions, comments, or feedback, please do not hesitate to put them under this video, and I will be happy to collaborate on that. Thank you so
