BeyondCorp – Tiered Access

Traditional security models use a binary, all-or-nothing access model where access is granted solely on the basis of machine, user, and service membership into an authentication authority, such as active directory or LDAP.

Google is taking a different approach and using tiered access as one tool to address these challenges. In contrast to traditional models, tiered access provides more granular control. The level of access given to a single user or a single device may change over time based on device measurements allowing security to set access policy that considers deviations from intended device state.

At Google, the Technical Infrastructure organization manages access for the devices used by more than 61,000 employees while protecting against sophisticated adversaries. Below we outline the model that Google has adopted and continues to evolve as it’s rolled out. The first phase of roll-out has enabled access from mobile devices, while subsequent phases will expand enrollment to cover the entire fleet of Google devices.


SafetyNet: Google’s tamper detection

Deep dive into one of the cloud based protection systems for the Android ecosystem. This is a very detailed walk-though of what it does, exactly how it does it, and how to use some of its features to secure your own apps (like remote attestation.)

What is SafetyNet

The Android Pay application got released a few days ago. Some people using rooted devices discovered that it refused to work. This is because it uses a new Google Play Services feature:SafetyNet attestation.

SafetyNet attestation is Google telling the app their opinion regarding the CTS compatibility status of a device. CTS normally stands for Compatibility Test Suite, which is a suite of tests a device must pass, prior to release, to be allowed to include Google Play Services. It means something different in the SafetyNet context, like ‘the device is currently in a non-tampered state‘. Tampered state has multiple definitions and can include ‘being rooted’, ‘being monitored’ or ‘being infected with malware’.


Part 2: