We know by now that usernames and passwords are a poor way of securing applications and online services, but they remain for the most part a key tool in the security arsenal. The trouble is that with all of the security breaches in recent years from Equifax to Anthem to Target (and many others), people’s credentials have been widely shared on the internet black market.
Google wants to help fix that problem and today at Google Next, it announced Context-aware access, a new program that looks beyond your credentials to other factors to help determine if it’s really you or someone pretending to be you.
Context-aware access lets administrators define a set of information that could help them more accurately ascertain the identity of the person trying to access your service. “Context-aware access allows organizations to define and enforce granular access to GCP APIs, resources, G Suite, and third-party SaaS apps based on a user’s identity, location, and the context of their request,” Google explained.
One way to better understand the person accessing your services is to look at some contextual clues such as where they are logging on, the IP address of the machine they are logging on from, the time of day and other factors. Does all of this make sense based on what you know about the person?
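To make that kind of check concrete, here is an added example (not Google's code or API) that evaluates a request's context against administrator-defined access levels; the access-level fields, the policy and the IP ranges are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Request:                      # the context of one access attempt (constructed fields)
    user: str
    resource: str
    source_ip: str
    country: str                    # assumed to come from a GeoIP lookup upstream
    device_managed: bool            # assumed to come from a device inventory or endpoint agent
    hour: int                       # local hour of day of the request, 0-23

@dataclass
class AccessLevel:                  # hypothetical rule set: every listed condition must hold
    name: str
    ip_ranges: tuple = ()           # CIDRs; empty means any source address
    countries: tuple = ()           # ISO country codes; empty means any country
    require_managed_device: bool = False
    hours: tuple = ()               # (start, end) hour window, end exclusive; empty means any time

    def failures(self, req: Request) -> list:
        """Return the names of the conditions this request fails (empty list means satisfied)."""
        failed = []
        if self.ip_ranges and not any(ip_address(req.source_ip) in ip_network(c) for c in self.ip_ranges):
            failed.append("ip_range")
        if self.countries and req.country not in self.countries:
            failed.append("country")
        if self.require_managed_device and not req.device_managed:
            failed.append("managed_device")
        if self.hours and not (self.hours[0] <= req.hour < self.hours[1]):
            failed.append("hours")
        return failed

# Constructed levels and policy (illustrative names/ranges); a resource is reachable when ANY listed level is satisfied.
LEVELS = {
    "corp_network": AccessLevel("corp_network", ip_ranges=("203.0.113.0/24",)),
    "trusted_remote": AccessLevel("trusted_remote", countries=("US", "CA"),
                                  require_managed_device=True, hours=(6, 22)),
}
POLICY = {"gcp:projects/payroll": ["corp_network", "trusted_remote"]}

def decide(req: Request, policy=POLICY, levels=LEVELS):
    """Return (allowed, reason); the reason is what an administrator wants in the audit log."""
    names = policy.get(req.resource)
    if not names:
        return False, "no policy for resource"
    for name in names:
        failed = levels[name].failures(req)
        if not failed:
            return True, f"satisfied access level {name}"
    return False, "no access level satisfied"
```

Logging the failed condition names alongside each denial is what lets an administrator tell a misconfigured range from a credential being used from an unexpected place.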
The idea flips the notion of security responsibility on its head. Instead of requiring the user to be completely responsible for proving who they are, it puts the burden (and control) in the hands of the administrator where it makes more sense.
Google created this security tool because it recognizes as well as any company that users aren’t tied to the office anymore. They are working on mobile devices and accessing apps and cloud services and it becomes more difficult to trust identity, especially with so many stolen credentials out there.
The new program builds on Google’s BeyondCorp vision, an idea they began developing in 2011 to address the fact that computing no longer took place inside a clearly defined perimeter. In the days before mobile and cloud, people generally accessed computer systems from a specific place. If someone tried to log on from outside of that, you could catch them and turn them away.
Mobile and the cloud changed all that, and Google began defining an idea called Zero Trust: the notion that no user or device on your services is trusted by default, and that you build your security posture on that assumption. Identity is central to this, but at some point, even in a Zero Trust model, you have to let people in and do business on your services. This tool gives administrators in a Zero Trust model much more information to work with beyond a username and password to determine whether the user is authentic.
Context-aware access management is available today for customers using VPC Service Controls. It will be available soon for customers using Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity, according to the company.