Google has released a white paper describing its approach to securing mobile device use for 61,000 employees worldwide.
Google is sharing details about its mobile security strategy to provide guidance to other IT administrators on how to deploy mobile devices securely in modern environments, according to Google.
The mobility best practices document describes what Google calls a tiered access model to mobile security. At its core is the idea that mobile security policies need to be a lot more flexible than just granting or blocking access to enterprise services based solely on the previously known attributes of a device and user role.
“In contrast to traditional models, tiered access provides more granular control,” Google said in its whitepaper. “The level of access given to a single user or a single device may change over time based on device measurements allowing security to set access policy that considers deviations from intended device state.”
Google’s mobile access model comprises of three tiers: a client base and data sources tier, an access control and gateway tier and a third tier comprised of the actual services to be accessed.
The focus at the client base level is to capture as much information as possible on the mobile devices that Google employees use to access the company’s systems and services. The sources that Google uses to capture device level data include asset management inventories, operating system agents, patch management systems and tools that are available within the device itself.
All device attribute data is stored in a centralized repository that is checked each time a device tries to access a Google service. In addition to the attribute data, Google uses a combination of management tools to capture and store the current security state of a device that is attempting to access an internal application or service.
Different groups within Google have the ability to set policies that establish baseline security requirements and capabilities that a mobile device must have to access services. Google employees have the flexibility to use a range of mobile devices and choose the security configurations they want.
The level of access they get to a particular application or service and what they can do with that access will depend on the group to which the user belongs and how closely a device hews to the baseline security requirements for that service or application. Also factored in during this process is the current state of the device and how widely it deviates from acceptable standards.
Different services and platforms within Google have different ‘trust tiers’. For example, a fully managed employee device will have higher-level access to particular services, including read and write access, compared to an unmanaged device. Decisions about access are made at the access intelligence and gateways layer.
Google’s services layer itself is categorized into four tiers—an untrusted tier,…