Why Google’s BeyondCorp is not a VPN alternative


Google has announced that it is rolling out a new tool known as BeyondCorp Remote Access, a cloud-based app that claims to offer companies a way to let employees access a company’s internal web apps remotely and securely.

All good so far.

The nature of this new tool has seen it being compared to VPNs in some publications, but it is important to note that while BeyondCorp offers some similar features, it is certainly not an alternative to a VPN, not for the everyday user at least.

What is BeyondCorp Remote Access?

Google actually created BeyondCorp Remote Access as far back as 2011. It has since been used as an internal tool to allow Google staff to remotely access internal apps.

It grew out of an attempt by Google to simplify its own network access features and was designed as a tool that made it far easier to set specific access policies for a narrow set of users around each internal application.

BeyondCorp’s big feature is a database of every device that is permitted to connect to each specific app. A security certificate has to be installed on each device that has permission and this is cross-referenced with HR information to ensure that only permitted staff are able to connect.

All employees have to do after the initial set-up is to enter the remote network through a single log-in point. This authenticates them to access any content they have permission to connect with and lets them get on with work.
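The checks described above can be sketched as a single decision function. This is an added example, not Google's code or part of the original article; the device-to-owner link, the names and the fingerprints are assumptions made for illustration.

```python
# Simplified model of the access decision the article describes.
# All names, fingerprints and records below are constructed sample data.

# Device inventory: certificate fingerprint -> device record.
# Tying a device to one owner is an assumption of this example.
DEVICE_INVENTORY = {
    "fp-laptop-001": {"owner": "alice", "apps": {"payroll", "wiki"}},
    "fp-laptop-002": {"owner": "bob", "apps": {"wiki"}},
}

# HR data: who is currently a member of staff.
HR_RECORDS = {
    "alice": {"active": True},
    "bob": {"active": False},  # left the company; device record not yet purged
}

# Per-application policy: the narrow set of users allowed on each app.
APP_USERS = {
    "payroll": {"alice"},
    "wiki": {"alice", "bob"},
}


def authorize(user, cert_fingerprint, app):
    """Decide one request at the single log-in point. Denies by default."""
    device = DEVICE_INVENTORY.get(cert_fingerprint)
    if device is None:
        return (False, "device certificate not in inventory")
    if device["owner"] != user:
        return (False, "device is registered to another user")
    if app not in device["apps"]:
        return (False, "device not permitted for this app")
    hr = HR_RECORDS.get(user)
    if hr is None or not hr["active"]:
        return (False, "user is not active in HR records")
    if user not in APP_USERS.get(app, set()):
        return (False, "user not in this app's access policy")
    return (True, "allowed")


if __name__ == "__main__":
    requests = [
        ("alice", "fp-laptop-001", "payroll"),
        ("alice", "fp-laptop-002", "wiki"),
        ("bob", "fp-laptop-002", "wiki"),
        ("alice", "fp-unknown", "wiki"),
    ]
    for req in requests:
        print(req, "->", authorize(*req))
```

The third request shows why the HR cross-reference matters: the device still holds a certificate that is in the inventory, but access is refused because the user is no longer active staff.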

At the moment, all BeyondCorp can do is enforce access controls for web apps, either onsite or in the cloud. Google has hinted that it may add more features in the future but at the time of writing, further details are not available.

Why is Google releasing BeyondCorp now?

With the unprecedented surge in remote working that has occurred in the wake of the coronavirus pandemic and the spike in VPN use that we have seen as a result, Google has seen a timely opportunity to cash in on its investment in the BeyondCorp technology while the market is hot.

In a blog post announcing the launch of BeyondCorp, Google argues that it offers a simpler and faster alternative to VPNs and bizarrely makes the claim that VPNs are often too complicated for employees to be able to use.

This claim smacks of opportunism to us and we would suggest that Google is simply trying to pick up some of the business that has been flowing into both personal and corporate VPNs in recent months.

This is an important distinction and one worth emphasising here. Google is pitching BeyondCorp as an alternative to a corporate VPN. In other words, it is a tool they are trying to sell into big companies with hundreds of staff who all currently find themselves working remotely.

BeyondCorp is not a tool that will be of any use to individuals or small businesses with just a handful of staff. If you fall into that category, a personal VPN is definitely the best way to secure your internet connection when working online from home.

BeyondCorp is not a VPN alternative

But building on that clarification, Google and other media outlets should also be making it clear that BeyondCorp is not an alternative to a VPN at all.

BeyondCorp offers businesses a secure log-in tool that should help them to stop unwanted users from accessing their internal web apps. To be honest, any big online business worth its salt should have sufficient protections in place to stop this in any case, but Google already has a few prominent customers, including Airbnb, which suggests this isn’t the case.

But beyond that, BeyondCorp offers none of the protections that a VPN brings. It does not encrypt traffic, which means that while it might stop direct access, it does nothing to stop hackers hijacking devices or accessing data in transit.

It also offers no privacy protections whatsoever. Indeed, with BeyondCorp being owned and operated by Google and also rushed to market, it is fair to assume that there are minimal privacy protections in place and quite legitimate to ask how much sensitive corporate data Google will be able to see and what it will do with such information.

BeyondCorp’s USP is that it can be rolled out fast and it is easy to use.

There is no denying that corporate VPNs are more complicated than regular VPNs to roll out. But the burden of this is borne by your company’s IT team, who really should be able to handle it.

As for ease of use, we are yet to hear any remote workers complaining that either corporate or personal VPNs are impenetrable to use, so this claim seems to tackle a problem that doesn’t really exist.

As the world’s biggest online tech company, it is no surprise that Google wants to get a piece of the action as the entire globe goes remote.

But while BeyondCorp offers a tool that can enforce access policies well, and it is little fault of their own, publications should stop claiming this is a replacement for VPN technology, especially as this may confuse individual consumers.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.
