Google shares its tiered approach to enterprise mobile security in new paper

Google has shed light on the tiered access method it employs in managing the devices of its more than 61,000 employees in a new whitepaper – with the aim to get IT admins to deploy it in their own organisations.

Michael Janosko, manager for security engineering and Rose La Prairie, Android product manager, explain the internal process in a company blog post. “Google’s technical infrastructure organisation is tasked with protecting employees against sophisticated adversaries, while ensuring that corporate security practices do not interfere with Google’s culture of innovation, freedom and flexibility,” the two explain.

“It accomplishes this with a tiered access security model that categorises corporate services and devices into trust tiers to determine access.”

This tiered approach, digging down into the whitepaper (pdf), means there are three main components to consider: the client base and data sources, access intelligence and gateways, and the services to be accessed. In other words, users can have the flexibility to use a range of devices, and potentially choose less secure configurations, such as removing the PIN or a longer screen unlock time, with the result that their level of access to enterprise services will depend on their device, its current state, and the user authentication.

Putting the three-tiered approach into a diagram looks like this:

The four trust tiers at Google range from untrusted – no access to Google data or corporate services in general – through basic access, which includes campus maps, bus schedules, and other limited need-to-know data, privileged access, and finally highly privileged access, which includes access to all corporate services, including those with confidential or need-to-know data.

Google adds that its own system continues to evolve, with next steps potentially including the addition of artificial intelligence into the mix. “In addition to data about device attributes and the state of the device, an additional piece of information to consider is the user’s observed behaviour and how that compares to normal activity as analysed with machine learning,” the paper notes. “This would help assess how much to trust both the device and the user.”

You can read the full blog post here.

Main picture credit: Google

Related Stories

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.