With our team going fully remote, our traditional VPN is no longer cutting it for security. We’re looking into implementing a Zero Trust architecture using Google Cloud’s BeyondCorp. How do we start moving away from "Perimeter Security" to "Identity-Based Access"? I’m specifically worried about how to handle access for third-party contractors who shouldn't have full access to our production VPC.
3 answers
BeyondCorp is fantastic because it treats every request as if it originates from an untrusted network. You should start by setting up "Identity-Aware Proxy" (IAP). This allows you to gate your web applications and SSH/RDP access based on the user's identity and the context of their request (like device health or location). For your contractors, you can create "Access Levels" in the Access Context Manager. This way, a contractor can only access the staging environment if they are using a corporate-managed laptop with an active antivirus, regardless of whether they have the right password.
Are you planning to integrate this with an external Identity Provider (IdP) like Okta, or are you sticking strictly to Google Workspace identities?
You should definitely use Workload Identity Federation; it’s the modern standard for connecting external identities to GCP resources without needing service account keys.
Sandra is right. Avoiding long-lived service account keys is the single best thing you can do for your security posture in a Zero Trust model.
We are already using Okta, Donald. I’m a bit confused about how to sync the Okta groups into GCP’s IAM roles without creating a manual management nightmare. Have you used the Google Cloud Directory Sync tool for this, or is there a more modern way to federate identities so that permissions update automatically when a contractor's contract ends?