Google details development of universal zero trust network access model

In response to a 2009 cyberattack targeting Google linked to a Chinese entity, Google restructured its network security model to eliminate traditional perimeters and adopt identity and device-based access controls, laying groundwork for what is now known as zero trust network access (ZTNA). This evolution is relevant to enterprise IT leaders seeking to improve secure access architecture for hybrid workforces.

Historical Cyberattack Catalyzing Change

Following an incident in which the Elderwood Group compromised Google and other firms by exploiting system vulnerabilities, Google reassessed its network security and concluded that its internal network should be trusted no more than the public internet. The breach underscored the weakness of relying on a traditional network perimeter and on privileged network zones.

Development of BeyondCorp Architecture

From 2014 to 2018, Google implemented BeyondCorp, an access model that removes network-based trust and employs identity-aware proxies to control access based on user credentials and device posture without reliance on network location. This approach treats all access as remote and mandates managed devices with strong authentication protocols.

Emergence of Zero Trust Network Access (ZTNA) Models

In 2019, Gartner identified two Zero-Trust Network Access (ZTNA) approaches: endpoint-initiated, designed for local access and returning the list of authorized applications to the user after authentication, and service-initiated, aligned with BeyondCorp principles in that it treats every user as remote and has no device-management prerequisite. Service-initiated models gained adoption for remote access because their cloud-based broker establishes "inside-out" connections from the application side, so applications are not exposed to inbound connections.

Introduction of Universal ZTNA

Some vendors, including Netskope, have expanded ZTNA offerings with on-premises (on-prem) brokers, coining the term “universal ZTNA.” This integration aligns more closely with BeyondCorp by supporting access consistency irrespective of user or application location, addressing challenges such as hairpinning where non-optimized routing reduces performance.

Operational Benefits of Universal ZTNA

Universal ZTNA harmonizes access experiences by providing a uniform method that removes distinctions between local and remote connections, thereby reducing users' need for insecure workarounds. It eliminates privileged networks by replacing IP-based routing with identity-based access, reducing risk vectors linked to traditional VPNs and Network Access Control (NAC).
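The shift described in the BeyondCorp section above and restated here, from "being on the network is the credential" to "identity plus device posture is the credential, network location is ignored", can be made concrete with a small policy engine. The following is an added illustration written for this summary; it is not Google's or Netskope's code, and the network range, application policy, user groups and device records are all constructed sample data. It evaluates the same request under a legacy perimeter rule and under a BeyondCorp-style rule, so the reader can see which requests each model allows and why.

```python
"""Perimeter-based vs identity-and-device-based access decisions (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the "privileged" corporate network a perimeter model trusts.
CORP_NETWORK = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the device inventory (hypothetical attribute)
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS patch was applied


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_verified: bool       # strong authentication completed for this session
    device: Device
    source_ip: str
    app: str


# Constructed sample policy: which group may reach each application and how
# current the device's patches must be.
APP_POLICY = {
    "payroll": {"required_group": "finance", "max_patch_age_days": 14},
    "wiki": {"required_group": "employees", "max_patch_age_days": 30},
}


def perimeter_decision(req: Request) -> bool:
    """Legacy model: any request from inside the corporate network is trusted."""
    return ip_address(req.source_ip) in CORP_NETWORK


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """BeyondCorp-style model: identity and device posture decide; source IP is not consulted."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not req.mfa_verified:
        return False, "strong authentication required"
    if policy["required_group"] not in req.groups:
        return False, "user not authorized for application"
    dev = req.device
    if not dev.managed:
        return False, "unmanaged device"
    if not dev.disk_encrypted:
        return False, "device posture: disk not encrypted"
    if dev.os_patch_age_days > policy["max_patch_age_days"]:
        return False, "device posture: patches too old"
    return True, "allow"


# Constructed sample requests.
MANAGED_LAPTOP = Device("lap-001", managed=True, disk_encrypted=True, os_patch_age_days=3)
UNMANAGED_LAPTOP = Device("byod-77", managed=False, disk_encrypted=False, os_patch_age_days=120)
STALE_LAPTOP = Device("lap-002", managed=True, disk_encrypted=True, os_patch_age_days=40)

# Finance user on a managed, patched device, connecting from a public address.
REMOTE_FINANCE = Request("alice", frozenset({"employees", "finance"}), True,
                         MANAGED_LAPTOP, "203.0.113.5", "payroll")
# Finance user on an unmanaged device, but plugged into the corporate LAN.
ONSITE_UNMANAGED = Request("bob", frozenset({"employees", "finance"}), True,
                           UNMANAGED_LAPTOP, "10.20.30.40", "payroll")
# Finance user, managed device, but patches older than the payroll policy allows.
REMOTE_STALE = Request("carol", frozenset({"employees", "finance"}), True,
                       STALE_LAPTOP, "198.51.100.9", "payroll")


def compare(req: Request) -> dict:
    """Return both models' verdicts for one request, for side-by-side inspection."""
    allowed, reason = zero_trust_decision(req)
    return {
        "user": req.user,
        "source_ip": req.source_ip,
        "perimeter_allows": perimeter_decision(req),
        "zero_trust_allows": allowed,
        "zero_trust_reason": reason,
    }


if __name__ == "__main__":
    for request in (REMOTE_FINANCE, ONSITE_UNMANAGED, REMOTE_STALE):
        print(compare(request))
```

The two verdicts diverge exactly where the text says they should: the perimeter rule admits the unmanaged device because it sits on the 10/8 range and rejects the fully compliant remote laptop, while the identity-and-posture rule does the reverse and also explains each denial, which is the signal a ZTNA broker would log.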

This model shifts access control to the application layer, limiting network-level exposure and circumventing limitations of outdated hardware and complex policy configurations associated with traditional NAC solutions.

Furthermore, universal ZTNA optimizes performance by choosing the access path according to where the user and the application are located, so local traffic is not hairpinned through a remote broker, and productivity is maintained by minimizing access-related interruptions.

Overall, universal ZTNA removes the separation between local and remote access, delivering tailored, consistent, and secure connectivity adaptable for modern enterprise environments.

This Blog Signals brief presents a fact-based summary of the vendor blog outlining the progression from historical breach response to universal ZTNA architectures relevant to enterprise security configuration.