implementing-beyondcorp-zero-trust-access-model
Implementing Google's BeyondCorp zero trust access model to eliminate implicit trust from the network perimeter, enforce identity-aware access controls using IAP, Access Context Manager, and Chrome Enterprise Premium for VPN-less secure application access.
# Implementing BeyondCorp Zero Trust Access Model
## When to Use
- When replacing traditional VPN infrastructure with identity-based application access
- When migrating to Google Cloud and requiring zero trust access for internal applications
- When implementing device trust verification as a prerequisite for resource access
- When needing context-aware access policies based on user identity, device posture, and location
- When securing access for remote and hybrid workforce without network-level trust
**Do not use** when applications require raw network-level access (e.g., UDP-based protocols not supported by IAP), for consumer-facing public applications, or when the organization lacks an identity provider with MFA capabilities.
## Prerequisites
- Google Cloud organization with Cloud Identity or Google Workspace
- Identity-Aware Proxy (IAP) API enabled on the GCP project
- Chrome Enterprise Premium license for endpoint verification
- Applications deployed behind a Google Cloud Load Balancer or on App Engine/Cloud Run
- Endpoint Verification extension deployed on all corporate devices
- Access Context Manager API enabled
## Workflow
### Step 1: Configure Access Context Manager with Access Levels
Define access levels that represent trust tiers based on device and user attributes.
```bash
# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
gcloud services enable beyondcorp.googleapis.com
# Create an access policy (organization level)
gcloud access-context-manager policies create \
  --organization=ORG_ID \
  --title="BeyondCorp Enterprise Policy"
# Create a basic access level for corporate managed devices
# (every attribute inside one condition must hold for the level to be satisfied)
cat > corporate-device-level.yaml << 'EOF'
- devicePolicy:
    allowedEncryptionStatuses:
    - ENCRYPTED
    osConstraints:
    - osType: DESKTOP_CHROME_OS
      minimumVersion: "13816.0.0"
    - osType: DESKTOP_WINDOWS
      minimumVersion: "10.0.19045"
    - osType: DESKTOP_MAC
      minimumVersion: "13.0.0"
    requireScreenlock: true
    requireAdminApproval: true
  regions:
  - US
  - GB
  - DE
EOF
gcloud access-context-manager levels create corporate-managed \
  --policy=POLICY_ID \
  --title="Corporate Managed Device" \
  --basic-level-spec=corporate-device-level.yaml
# Create a custom access level using a CEL expression
# (here: encrypted, admin-approved, corporate-owned device from an allowed region)
cat > high-trust-cel.yaml << 'EOF'
expression: >-
  device.encryption_status == DeviceEncryptionStatus.ENCRYPTED &&
  device.is_admin_approved_device &&
  device.is_corp_owned_device &&
  origin.region_code in ["US", "GB", "DE"]
EOF
gcloud access-context-manager levels create high-trust \
  --policy=POLICY_ID \
  --title="High Trust Level" \
  --custom-level-spec=high-trust-cel.yaml
```
### Step 2: Deploy Identity-Aware Proxy on Applications
Enable IAP on backend services to enforce identity verification before granting access. IAP only protects what is reachable exclusively through it: backends must not be reachable by a path that bypasses the load balancer, and applications should validate the signed `x-goog-iap-jwt-assertion` header rather than trusting the plain `X-Goog-Authenticated-User-Email` header on its own.
```bash
# Create the OAuth consent screen (brand); SUPPORT_EMAIL is a placeholder
gcloud iap oauth-brands create \
  --application_title="Corporate Applications" \
  --support_email=SUPPORT_EMAIL
# Create OAuth client for IAP (BRAND_NAME is the name returned by the command above)
gcloud iap oauth-clients create BRAND_NAME \
  --display_name="BeyondCorp IAP Client"
# Enable IAP on a backend service (GCE/GKE behind HTTPS LB)
gcloud compute backend-services update internal-app-backend \
  --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
  --global
# Enable IAP on App Engine
gcloud iap web enable \
  --resource-type=app-engine \
  --oauth2-client-id=CLIENT_ID \
  --oauth2-client-secret=CLIENT_SECRET
# Cloud Run: IAP is enabled on the load balancer backend in front of the service (as above).
# The service itself must be invokable only by IAP's service agent and must not accept
# traffic on its direct run.app URL, otherwise IAP can be bypassed. PROJECT_NUMBER is a placeholder.
gcloud run services add-iam-policy-binding internal-api \
  --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com" \
  --role="roles/run.invoker" \
  --region=us-central1
gcloud run services update internal-api \
  --region=us-central1 \
  --ingress=internal-and-cloud-load-balancing
```
### Step 3: Configure IAM Bindings with Access Level Conditions
Bind IAP access to specific groups with access level requirements.
```bash
# Grant access to the engineering group, conditional on the corporate-managed access level.
# The condition is a CEL expression testing request.auth.access_levels; group e-mails are placeholders.
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services \
  --service=internal-app-backend \
  --member="group:ENGINEERING_GROUP_EMAIL" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition='expression="accessPolicies/POLICY_ID/accessLevels/corporate-managed" in request.auth.access_levels,title=Require Corporate Device'
# Grant access to contractors, conditional on the high-trust access level
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services \
  --service=internal-app-backend \
  --member="group:CONTRACTORS_GROUP_EMAIL" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition='expression="accessPolicies/POLICY_ID/accessLevels/high-trust" in request.auth.access_levels,title=Require High Trust'
# Configure re-authentication (session duration); IAP settings are supplied as a YAML file
cat > iap-settings.yaml << 'EOF'
accessSettings:
  reauthSettings:
    method: LOGIN
    maxAge: 3600s
    policyType: MINIMUM
EOF
gcloud iap settings set iap-settings.yaml \
  --project=PROJECT_ID \
  --resource-type=compute \
  --service=internal-app-backend
```
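To check a policy draft against device records before it is deployed, the following Python model (an added example, not Google's code and not part of this skill) shows how the basic access level from Step 1, a CEL-style custom level, and the conditional IAP bindings from Step 3 combine into an allow or deny decision. Python is used because the evaluation is easier to unit-test offline than gcloud output. The `Device` fields, the `high-trust` predicate (assumed to be corporate-managed plus corporate-owned hardware), the group placeholders and every device record are assumptions or constructed sample data; the access-level resource names follow the page's `accessPolicies/POLICY_ID/accessLevels/...` form.

```python
"""Offline model of how access levels and conditional IAP bindings combine.

Added example, not Google's code and not part of this skill: it mirrors the basic
access level from Step 1, a CEL-style custom level, and the conditional IAM
bindings from Step 3, so a policy draft can be checked against device records
before it is deployed. Device records and group memberships are constructed
sample data; group e-mails are placeholders in the page's own convention.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    os_type: str            # as in osConstraints.osType, e.g. "DESKTOP_WINDOWS"
    os_version: str         # dotted version string reported by Endpoint Verification
    encryption_status: str  # "ENCRYPTED" | "UNENCRYPTED" | "ENCRYPTION_UNSUPPORTED"
    screenlock: bool
    admin_approved: bool
    corp_owned: bool
    region: str             # ISO country code, matched against the `regions` list


def version_tuple(version: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Mirrors corporate-device-level.yaml from Step 1 (one basic-level condition).
CORPORATE_MANAGED = {
    "allowedEncryptionStatuses": {"ENCRYPTED"},
    "osConstraints": {
        "DESKTOP_CHROME_OS": "13816.0.0",
        "DESKTOP_WINDOWS": "10.0.19045",
        "DESKTOP_MAC": "13.0.0",
    },
    "requireScreenlock": True,
    "requireAdminApproval": True,
    "regions": {"US", "GB", "DE"},
}


def satisfies_basic_level(dev: Device, spec: dict) -> bool:
    """All attributes of a basic-level condition must hold (AND semantics)."""
    min_version = spec["osConstraints"].get(dev.os_type)
    if min_version is None:
        return False  # an OS that is not listed never qualifies
    return (
        dev.encryption_status in spec["allowedEncryptionStatuses"]
        and version_tuple(dev.os_version) >= version_tuple(min_version)
        and (dev.screenlock or not spec["requireScreenlock"])
        and (dev.admin_approved or not spec["requireAdminApproval"])
        and dev.region in spec["regions"]
    )


def satisfies_high_trust(dev: Device) -> bool:
    """Assumed stand-in for the CEL custom level: corporate-managed plus corp-owned hardware."""
    return satisfies_basic_level(dev, CORPORATE_MANAGED) and dev.corp_owned


# Resource names in the page's accessPolicies/POLICY_ID/accessLevels/... form.
LEVEL_CHECKS = {
    "accessPolicies/POLICY_ID/accessLevels/corporate-managed":
        lambda d: satisfies_basic_level(d, CORPORATE_MANAGED),
    "accessPolicies/POLICY_ID/accessLevels/high-trust": satisfies_high_trust,
}


def access_levels_for(dev: Device) -> set:
    """The set a request from this device would carry as request.auth.access_levels."""
    return {name for name, check in LEVEL_CHECKS.items() if check(dev)}


# Step 3 bindings as (member, required access level) pairs; e-mails are placeholders.
BINDINGS = [
    ("group:ENGINEERING_GROUP_EMAIL", "accessPolicies/POLICY_ID/accessLevels/corporate-managed"),
    ("group:CONTRACTORS_GROUP_EMAIL", "accessPolicies/POLICY_ID/accessLevels/high-trust"),
]


def iap_allows(principal_groups: set, dev: Device, bindings=BINDINGS) -> bool:
    """Allow when some binding's group contains the principal AND its condition holds.

    Each binding's condition is the CEL expression
    "<level>" in request.auth.access_levels, evaluated independently per binding.
    """
    levels = access_levels_for(dev)
    return any(group in principal_groups and level in levels for group, level in bindings)


if __name__ == "__main__":
    sample = Device("DESKTOP_WINDOWS", "10.0.19045", "ENCRYPTED", True, True, False, "US")
    print("access levels:", sorted(access_levels_for(sample)))
    print("engineering allowed:", iap_allows({"group:ENGINEERING_GROUP_EMAIL"}, sample))
    print("contractors allowed:", iap_allows({"group:CONTRACTORS_GROUP_EMAIL"}, sample))
```

The model makes two properties of the real system visible: a device that misses any single attribute (an OS build one patch behind the minimum, a region outside the list) satisfies no level at all, and a contractor on a fully compliant but personally owned machine is still refused because their binding demands the stricter level. The real evaluation happens inside Access Context Manager and IAP; this code is for reasoning about the policy, not for enforcing it.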
### Step 4: Deploy Endpoint Verification on Corporate Devices
Roll out Chrome Enterprise Endpoint Verification for device posture collection.
```bash
# Deploy Endpoint Verification via Chrome policy (managed browsers)
# In Google Admin Console > Devices > Chrome > Apps & extensions
# Force-install: Endpoint Verification extension ID: callobklhcbilhphinckomhgkigmfocg
# Verify the device inventory that Endpoint Verification reports, through the
# Cloud Identity Devices API (devices.list)
curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://cloudidentity.googleapis.com/v1/devices?customer=customers/my_customer" \
  | jq -r '.devices[] | [.name, .deviceType, .osVersion, .encryptionState, .managementState] | @tsv'
# Third-party EDR posture signals (CrowdStrike and similar) reach access levels through the
# third-party device trust connectors configured in the Google Admin Console, not through
# gcloud beyondcorp app connections, which only tunnel traffic to application endpoints.
```
### Step 5: Implement BeyondCorp Enterprise Threat Protection
Enable URL filtering, malware scanning, and DLP for Chrome Enterprise users.
```bash
# Configure Chrome Enterprise Premium threat protection rules
# In Google Admin Console > Security > Chrome Enterprise Premium
# (URL filtering, malware scanning and DLP rules are defined there, not via gcloud)
# Create a BeyondCorp Enterprise app connector for on-prem apps
gcloud beyondcorp app connectors create onprem-connector \
  --project=PROJECT_ID \
  --location=us-central1 \
  --display-name="On-Premises App Connector"
# Publish an on-prem application through that connector
gcloud beyondcorp app connections create hr-portal \
  --project=PROJECT_ID \
  --location=us-central1 \
  --application-endpoint=host=hr.internal.company.com,port=443 \
  --type=TCP_PROXY_TUNNEL \
  --connectors=projects/PROJECT_ID/locations/us-central1/connectors/onprem-connector
# Query IAP audit logs for denied requests (the Security Investigation Tool in the
# Admin Console shows the same data with a UI); status code 7 is PERMISSION_DENIED
gcloud logging read '
  resource.type=("iap_tunnel" OR "gce_backend_service")
  protoPayload.status.code=7
  timestamp >= "2026-02-22T00:00:00Z"
' --project=PROJECT_ID --format=json --limit=100
```
### Step 6: Monitor and Audit BeyondCorp Access Decisions
Set up comprehensive logging and alerting for zero trust policy enforcement.
```bash
# Create the BigQuery dataset and a log sink for IAP access decisions
# (the sink destination is a positional argument)
bq mk --dataset PROJECT_ID:beyondcorp_audit
gcloud logging sinks create iap-access-audit \
  bigquery.googleapis.com/projects/PROJECT_ID/datasets/beyondcorp_audit \
  --log-filter='resource.type="iap_tunnel" OR resource.type="gce_backend_service"'
# Grant the sink's writer identity permission to write into the dataset
SINK_SA=$(gcloud logging sinks describe iap-access-audit --format='value(writerIdentity)')
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="$SINK_SA" \
  --role="roles/bigquery.dataEditor"
# Query BigQuery for access pattern analysis
bq query --use_legacy_sql=false '
SELECT
  protopayload_auditlog.authenticationInfo.principalEmail AS user,
  resource.labels.backend_service_name AS application,
  protopayload_auditlog.requestMetadata.callerSuppliedUserAgent AS user_agent,
  protopayload_auditlog.status.code AS decision_code,  -- 7 = PERMISSION_DENIED
  COUNT(*) AS request_count
FROM `PROJECT_ID.beyondcorp_audit.cloudaudit_googleapis_com_data_access`
WHERE timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 24 HOUR)
GROUP BY user, application, user_agent, decision_code
ORDER BY request_count DESC
LIMIT 50
'
# Create an alert policy for repeated access denials
gcloud alpha monitoring policies create \
  --display-name="BeyondCorp Repeated Access Denials" \
  --condition-display-name="High denial rate" \
  --condition-fil
```
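The BigQuery grouping and the repeated-denial alert from this step can be prototyped offline over exported log entries. The following Python is an added example, not Google's code and not this skill's own. The log lines are constructed in the shape of exported Cloud Audit Log JSON, using the field names the query above relies on (`principalEmail`, `backend_service_name`, `callerSuppliedUserAgent`, `status.code`); the threshold of five denials within ten minutes, the e-mail addresses and the application names are assumptions.

```python
"""Detection logic over exported IAP audit log entries: repeated access denials.

Added example, not Google's code and not part of this skill. It reproduces the
BigQuery grouping and the "repeated access denials" alert from Step 6 in plain
Python so the threshold can be tested offline. The entries below are constructed
sample data in the shape of exported Cloud Audit Log JSON, using the field names
the page's query relies on; the 5-denials-in-10-minutes threshold is an assumption.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PERMISSION_DENIED = 7  # protoPayload.status.code for a request IAP refused


def _entry(ts, user, app, code, agent="Mozilla/5.0 (Windows NT 10.0) Chrome/122"):
    """Build one constructed log line (JSON) in exported Cloud Audit Log shape."""
    return json.dumps({
        "timestamp": ts,
        "resource": {"type": "gce_backend_service",
                     "labels": {"backend_service_name": app}},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": user},
            "requestMetadata": {"callerSuppliedUserAgent": agent},
            "status": {"code": code},
        },
    })


# Constructed sample: alice works normally, bob is refused six times in five minutes,
# carol is refused twice an hour apart (a stale session pattern, not a burst).
SAMPLE_LOG_LINES = (
    [_entry("2026-02-22T08:00:00Z", "alice@example.com", "internal-app-backend", 0),
     _entry("2026-02-22T08:30:00Z", "alice@example.com", "internal-app-backend", 0)]
    + [_entry(f"2026-02-22T08:0{i}:00Z", "bob@example.com", "hr-portal", PERMISSION_DENIED)
       for i in range(6)]
    + [_entry("2026-02-22T08:00:00Z", "carol@example.com", "hr-portal", PERMISSION_DENIED),
       _entry("2026-02-22T09:00:00Z", "carol@example.com", "hr-portal", PERMISSION_DENIED)]
)


def parse_entries(lines):
    """Parse exported log JSON lines into flat records (timestamp as aware datetime)."""
    records = []
    for line in lines:
        entry = json.loads(line)
        payload = entry["protoPayload"]
        records.append({
            "time": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
            "user": payload["authenticationInfo"]["principalEmail"],
            "app": entry["resource"]["labels"]["backend_service_name"],
            "user_agent": payload["requestMetadata"].get("callerSuppliedUserAgent", ""),
            "code": payload.get("status", {}).get("code", 0),
        })
    return records


def summarize(records):
    """Equivalent of the page's BigQuery GROUP BY: (user, app, code) -> request count."""
    return Counter((r["user"], r["app"], r["code"]) for r in records)


def repeated_denials(records, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak denials inside any `window`} for users at or above `threshold`.

    A sliding window over each user's sorted denial timestamps, so two denials an
    hour apart do not add up the way six denials in five minutes do.
    """
    denied = defaultdict(list)
    for r in records:
        if r["code"] == PERMISSION_DENIED:
            denied[r["user"]].append(r["time"])
    flagged = {}
    for user, times in denied.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_entries(SAMPLE_LOG_LINES)
    for (user, app, code), n in summarize(recs).most_common():
        print(f"{user:20} {app:22} code={code} count={n}")
    print("flagged:", repeated_denials(recs))
```

The sliding window is the part worth keeping when this is moved into a real alert: a plain count over 24 hours (what the BigQuery query produces) would rank carol's two stale-session denials and a genuine burst by the same scale, whereas the window isolates the burst and leaves the threshold tunable per application.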