implementing-beyondcorp-zero-trust-access-model

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026


$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/implementing-beyondcorp-zero-trust-access-model

Summary

Implementing Google's BeyondCorp zero trust access model to eliminate implicit trust from the network perimeter, enforce identity-aware access controls using IAP, Access Context Manager, and Chrome Enterprise Premium for VPN-less secure application access.

skill.md

name: implementing-beyondcorp-zero-trust-access-model
description: "Implementing Google's BeyondCorp zero trust access model to eliminate implicit trust from the network perimeter, enforce identity-aware access controls using IAP, Access Context Manager, and Chrome Enterprise Premium for VPN-less secure application access."
domain: cybersecurity
subdomain: zero-trust-architecture
tags:
  - beyondcorp
  - zero-trust
  - google-cloud
  - iap
  - identity-aware-proxy
  - ztna
  - access-context-manager
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
  - PR.AA-01
  - PR.AA-05
  - PR.IR-01
  - GV.PO-01

Implementing BeyondCorp Zero Trust Access Model

When to Use

  • When replacing traditional VPN infrastructure with identity-based application access
  • When migrating to Google Cloud and requiring zero trust access for internal applications
  • When implementing device trust verification as a prerequisite for resource access
  • When needing context-aware access policies based on user identity, device posture, and location
  • When securing access for remote and hybrid workforce without network-level trust

Do not use when applications require raw network-level access (e.g., UDP-based protocols not supported by IAP), for consumer-facing public applications, or when the organization lacks an identity provider with MFA capabilities.

Prerequisites

  • Google Cloud organization with Cloud Identity or Google Workspace
  • Identity-Aware Proxy (IAP) API enabled on the GCP project
  • Chrome Enterprise Premium license for endpoint verification
  • Applications deployed behind a Google Cloud Load Balancer or on App Engine/Cloud Run
  • Endpoint Verification extension deployed on all corporate devices
  • Access Context Manager API enabled

Workflow

Step 1: Configure Access Context Manager with Access Levels

Define access levels that represent trust tiers based on device and user attributes.

# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
gcloud services enable beyondcorp.googleapis.com

# Create an access policy (organization level)
gcloud access-context-manager policies create \
  --organization=ORG_ID \
  --title="BeyondCorp Enterprise Policy"

# Create a basic access level for corporate managed devices
cat > corporate-device-level.yaml << 'EOF'
- devicePolicy:
    allowedEncryptionStatuses:
      - ENCRYPTED
    osConstraints:
      - osType: DESKTOP_CHROME_OS
        minimumVersion: "13816.0.0"
      - osType: DESKTOP_WINDOWS
        minimumVersion: "10.0.19045"
      - osType: DESKTOP_MAC
        minimumVersion: "13.0.0"
    requireScreenlock: true
    requireAdminApproval: true
  regions:
    - US
    - GB
    - DE
EOF

gcloud access-context-manager levels create corporate-managed \
  --policy=POLICY_ID \
  --title="Corporate Managed Device" \
  --basic-level-spec=corporate-device-level.yaml

# Create a custom access level from a CEL expression
# (high-trust-cel.yaml holds a single `expression:` key carrying the CEL rule)
gcloud access-context-manager levels create high-trust \
  --policy=POLICY_ID \
  --title="High Trust Level" \
  --custom-level-spec=high-trust-cel.yaml
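To make the semantics of corporate-device-level.yaml concrete, here is an added Python evaluator (example code, not part of the skill or of Google's tooling) that applies a basic access level spec to a device posture record the way Access Context Manager does: the conditions in the list are combined with the level's combine function (OR by default; `--combine-function` on `levels create`), the fields inside one condition are ANDed, and any single osConstraint satisfies the OS check. The posture key names (osType, osVersion, encryptionStatus, screenlock, adminApproved, region) are assumptions made for this example.

```python
"""Added example (not from the skill or Google's tooling): offline evaluator
for an Access Context Manager basic level. Spec = the Step 1 YAML as a literal
(stdlib only, no YAML parser); device posture key names are assumed here."""
from typing import Any

CORPORATE_DEVICE_LEVEL: list[dict[str, Any]] = [
    {
        "devicePolicy": {
            "allowedEncryptionStatuses": ["ENCRYPTED"],
            "osConstraints": [
                {"osType": "DESKTOP_CHROME_OS", "minimumVersion": "13816.0.0"},
                {"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.19045"},
                {"osType": "DESKTOP_MAC", "minimumVersion": "13.0.0"},
            ],
            "requireScreenlock": True,
            "requireAdminApproval": True,
        },
        "regions": ["US", "GB", "DE"],
    }
]

def _version(v: str) -> tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045); tuples compare component-wise."""
    return tuple(int(part) for part in v.split("."))

def _os_ok(constraints: list[dict[str, str]], device: dict[str, Any]) -> bool:
    """Any single osConstraint may satisfy the device (OR across constraints)."""
    for c in constraints:
        if c["osType"] != device["osType"]:
            continue
        minimum = c.get("minimumVersion")
        if minimum is None or _version(device["osVersion"]) >= _version(minimum):
            return True
    return False

def _device_policy_ok(policy: dict[str, Any], device: dict[str, Any]) -> bool:
    """Every key present in devicePolicy must hold (AND within one condition)."""
    allowed = policy.get("allowedEncryptionStatuses")
    if allowed and device["encryptionStatus"] not in allowed:
        return False
    if "osConstraints" in policy and not _os_ok(policy["osConstraints"], device):
        return False
    if policy.get("requireScreenlock") and not device.get("screenlock"):
        return False
    if policy.get("requireAdminApproval") and not device.get("adminApproved"):
        return False
    return True

def _condition_ok(cond: dict[str, Any], device: dict[str, Any]) -> bool:
    ok = True
    if "devicePolicy" in cond:
        ok = _device_policy_ok(cond["devicePolicy"], device)
    if ok and "regions" in cond:
        ok = device.get("region") in cond["regions"]
    return (not ok) if cond.get("negate") else ok  # ACM allows negated conditions

def meets_level(spec: list[dict[str, Any]], device: dict[str, Any],
                combine: str = "OR") -> bool:
    """Combine conditions with the level's combining function: OR grants if any
    condition holds (the gcloud default), AND requires all of them."""
    results = [_condition_ok(cond, device) for cond in spec]
    return all(results) if combine.upper() == "AND" else any(results)
```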

Step 2: Deploy Identity-Aware Proxy on Applications

Enable IAP on backend services to enforce identity verification before granting access.

# Create the OAuth consent screen (brand)
gcloud iap oauth-brands create \
  --application_title="Corporate Applications" \
  --support_email=SUPPORT_EMAIL

# Create OAuth client for IAP
gcloud iap oauth-clients create BRAND_NAME \
  --display_name="BeyondCorp IAP Client"

# Enable IAP on a backend service (GCE/GKE behind HTTPS LB)
gcloud compute backend-services update internal-app-backend \
  --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
  --global

# Enable IAP on App Engine
gcloud iap web enable \
  --resource-type=app-engine \
  --oauth2-client-id=CLIENT_ID \
  --oauth2-client-secret=CLIENT_SECRET

# Cloud Run: IAP is enabled on the load-balancer backend service in front of the
# service (as above); additionally grant the IAP service agent the invoker role
# (and no allUsers binding) so requests reach the service only through IAP
gcloud run services add-iam-policy-binding internal-api \
  --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com" \
  --role="roles/run.invoker" \
  --region=us-central1

Step 3: Configure IAM Bindings with Access Level Conditions

Bind IAP access to specific groups with access level requirements.

# Grant access to the engineering group, conditioned on the corporate-managed
# access level. The condition is a CEL expression that tests the caller's
# access levels; the bare access-level resource name is not a valid condition.
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services \
  --service=internal-app-backend \
  --member="group:engineering@company.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition="expression='accessPolicies/POLICY_ID/accessLevels/corporate-managed' in request.auth.access_levels,title=Require Corporate Device"

# Grant access to contractors, conditioned on the high-trust access level
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services \
  --service=internal-app-backend \
  --member="group:contractors@company.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition="expression='accessPolicies/POLICY_ID/accessLevels/high-trust' in request.auth.access_levels,title=Require High Trust"

# Configure re-authentication (session duration). `gcloud iap settings set`
# reads the settings from a YAML/JSON file rather than from individual flags.
cat > iap-settings.yaml << 'EOF'
accessSettings:
  reauthSettings:
    method: LOGIN
    maxAge: 3600s
    policyType: MINIMUM
EOF

gcloud iap settings set iap-settings.yaml \
  --project=PROJECT_ID \
  --resource-type=compute \
  --service=internal-app-backend

Step 4: Deploy Endpoint Verification on Corporate Devices

Roll out Chrome Enterprise Endpoint Verification for device posture collection.

# Deploy Endpoint Verification via Chrome policy (managed browsers)
# In Google Admin Console > Devices > Chrome > Apps & extensions
# Force-install: Endpoint Verification extension ID: callobklhcbilhphinckomhgkigmfocg

# Review the device inventory collected by Endpoint Verification.
# NOTE: the two listing commands below are illustrative only; gcloud has no
# endpoint-verification or devices command group. The inventory is available in
# Admin Console > Devices > Endpoints, or through the Cloud Identity Devices API
# (devices.list), which exposes the same attributes.
gcloud endpoint-verification list-endpoints \
  --filter="deviceType=CHROME_BROWSER" \
  --format="table(deviceId, osVersion, isCompliant, encryptionStatus)"

# Device trust connectors for third-party EDR signals (e.g. CrowdStrike) are set
# up in the Google Admin Console under the device third-party integrations, not
# with gcloud. The app connection below instead publishes an internal API through
# a BeyondCorp Enterprise connector; connections are regional, so the location
# must match the connector's region.
gcloud beyondcorp app connections create crowdstrike-connector \
  --project=PROJECT_ID \
  --location=us-central1 \
  --application-endpoint=host=crowdstrike-api.internal,port=443 \
  --type=tcp-proxy \
  --connectors=projects/PROJECT_ID/locations/us-central1/connectors/connector-1

# List enrolled devices and their compliance status (illustrative, see note above)
gcloud alpha devices list --format="table(name,deviceType,complianceState)"

Step 5: Implement BeyondCorp Enterprise Threat Protection

Enable URL filtering, malware scanning, and DLP for Chrome Enterprise users.

# Configure Chrome Enterprise Premium threat protection rules
# In Google Admin Console > Security > Chrome Enterprise Premium

# Create a BeyondCorp Enterprise connector for on-prem apps
gcloud beyondcorp app connectors create onprem-connector \
  --project=PROJECT_ID \
  --location=us-central1 \
  --display-name="On-Premises App Connector"

gcloud beyondcorp app connections create hr-portal \
  --project=PROJECT_ID \
  --location=us-central1 \
  --application-endpoint=host=hr.internal.company.com,port=443 \
  --type=tcp-proxy \
  --connectors=projects/PROJECT_ID/locations/us-central1/connectors/onprem-connector

# Pull recent IAP access denials from Cloud Audit Logs. IAP writes data-access
# audit entries under serviceName iap.googleapis.com; a denied request carries
# status.code 7 (PERMISSION_DENIED).
gcloud logging read '
  resource.type="gce_backend_service"
  protoPayload.serviceName="iap.googleapis.com"
  protoPayload.status.code=7
  timestamp >= "2026-02-22T00:00:00Z"
' --project=PROJECT_ID --format=json --limit=100

Step 6: Monitor and Audit BeyondCorp Access Decisions

Set up comprehensive logging and alerting for zero trust policy enforcement.

# Create a log sink exporting IAP access decisions to BigQuery. The destination
# is a positional argument; after creation, grant the sink's writer identity
# (printed by the command) roles/bigquery.dataEditor on the dataset.
gcloud logging sinks create iap-access-audit \
  bigquery.googleapis.com/projects/PROJECT_ID/datasets/beyondcorp_audit \
  --use-partitioned-tables \
  --log-filter='protoPayload.serviceName="iap.googleapis.com" AND (resource.type="iap_tunnel" OR resource.type="gce_backend_service")'

# Query BigQuery for access pattern analysis
# (callerSuppliedUserAgent is a plain STRING column; no JSON extraction needed)
bq query --use_legacy_sql=false '
SELECT
  protopayload_auditlog.authenticationInfo.principalEmail AS user,
  resource.labels.backend_service_name AS application,
  protopayload_auditlog.requestMetadata.callerSuppliedUserAgent AS device,
  protopayload_auditlog.status.code AS decision_code,
  COUNT(*) AS request_count
FROM `PROJECT_ID.beyondcorp_audit.cloudaudit_googleapis_com_data_access`
WHERE timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 24 HOUR)
GROUP BY user, application, device, decision_code
ORDER BY request_count DESC
LIMIT 50
'

# Alert on repeated access denials: first turn denied IAP requests into a
# log-based counter metric, then alert when more than 10 occur within 5 minutes
gcloud logging metrics create iap_access_denied \
  --description="IAP requests denied (PERMISSION_DENIED)" \
  --log-filter='resource.type="gce_backend_service" AND protoPayload.serviceName="iap.googleapis.com" AND protoPayload.status.code=7'

gcloud alpha monitoring policies create \
  --display-name="BeyondCorp Repeated Access Denials" \
  --condition-display-name="High denial rate" \
  --condition-filter='metric.type="logging.googleapis.com/user/iap_access_denied" AND resource.type="gce_backend_service"' \
  --aggregation='{"alignmentPeriod": "300s", "perSeriesAligner": "ALIGN_SUM"}' \
  --if='> 10' \
  --duration=300s \
  --notification-channels=projects/PROJECT_ID/notificationChannels/CHANNEL_ID
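The alert above fires on a count of denials over a window; the added Python below (example code, not from the skill) applies the same "repeated denials per principal and backend" logic offline to a handful of constructed audit-log records shaped like the IAP data_access entries the sink exports, so the detection can be reasoned about before the BigQuery pipeline exists. The sample lines, user names and the threshold of 3 are constructed for the example (the skill's policy uses 10 in 300 s).

```python
"""Added example (not from the skill): apply the Step 6 "repeated denials"
alert logic offline to constructed IAP audit-log records. Field layout mirrors
the data_access entries the sink exports; status.code 7 = PERMISSION_DENIED."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

PERMISSION_DENIED = 7

def _entry(ts: str, user: str, code: Optional[int],
           backend: str = "internal-app-backend") -> str:
    """Build one constructed (not real) audit-log line; code=None means allowed."""
    payload = {"serviceName": "iap.googleapis.com",
               "authenticationInfo": {"principalEmail": user}}
    if code is not None:
        payload["status"] = {"code": code, "message": "PERMISSION_DENIED"}
    return json.dumps({"timestamp": ts,
                       "resource": {"type": "gce_backend_service",
                                    "labels": {"backend_service_name": backend}},
                       "protoPayload": payload})

# Constructed sample log lines: alice is denied three times inside five minutes
# and once much later; bob has one allowed request and one denial.
SAMPLE_LOG_LINES = [
    _entry("2026-02-22T09:00:00Z", "alice@company.com", 7),
    _entry("2026-02-22T09:01:10Z", "alice@company.com", 7),
    _entry("2026-02-22T09:02:30Z", "bob@company.com", None),  # allowed request
    _entry("2026-02-22T09:03:45Z", "alice@company.com", 7),
    _entry("2026-02-22T09:05:00Z", "bob@company.com", 7),
    _entry("2026-02-22T09:20:00Z", "alice@company.com", 7),   # outside the window
]

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_repeated_denials(lines, threshold: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {(principal, backend): peak denials within any `window`} for the
    keys that reached `threshold`; this is the condition the alert fires on."""
    denials = defaultdict(list)
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "iap.googleapis.com":
            continue  # not an IAP decision
        if payload.get("status", {}).get("code") != PERMISSION_DENIED:
            continue  # allowed request
        key = (payload["authenticationInfo"]["principalEmail"],
               entry["resource"]["labels"]["backend_service_name"])
        denials[key].append(_ts(entry["timestamp"]))
    alerts = {}
    for key, stamps in denials.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts
```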

Key Concepts

  • BeyondCorp: Google's zero trust security framework that shifts access controls from the network perimeter to per-request identity and device verification
  • Identity-Aware Proxy (IAP): Google Cloud service that intercepts HTTP requests and verifies user identity and device context before forwarding them to backend applications
  • Access Context Manager: GCP service that defines fine-grained attribute-based access control policies using access levels and service perimeters
  • Endpoint Verification: Chrome Enterprise extension that collects device attributes (OS version, encryption, screen lock) for access level evaluation
  • Access Levels: Named conditions in Access Context Manager that define minimum requirements (device posture, IP range, geography) for resource access
  • Chrome Enterprise Premium: Google's commercial BeyondCorp offering providing threat protection, URL filtering, DLP, and continuous access evaluation

Tools & Systems

  • Google Cloud IAP: Identity-aware reverse proxy enforcing per-request authentication and authorization for GCP-hosted applications
  • Access Context Manager: Policy engine defining access levels based on device attributes, IP ranges, and geographic locations
  • Chrome Enterprise Premium: Extended BeyondCorp capabilities including real-time threat protection and data loss prevention
  • Endpoint Verification: Device posture collection agent deployed as Chrome extension to all corporate endpoints
  • BeyondCorp Enterprise Connectors: Secure tunnel connectors enabling IAP protection for on-premises applications
  • Cloud Audit Logs: Immutable log records of all IAP access decisions for compliance and forensic analysis

Common Scenarios

Scenario: Migrating 50+ Internal Applications from VPN to BeyondCorp

Context: A technology company with 3,000 employees uses Cisco AnyConnect VPN for accessing internal applications. The VPN introduces latency, creates a single point of failure, and grants excessive network access after authentication.

Approach:

  1. Inventory all 50+ applications and categorize by hosting (GCP, on-prem, SaaS) and protocol (HTTPS, TCP, SSH)
  2. Deploy Endpoint Verification to all corporate devices and establish baseline device posture data over 2 weeks
  3. Create access levels in Access Context Manager: corporate-managed, contractor-device, high-trust
  4. Enable IAP on GCP-hosted HTTPS applications first (App Engine, Cloud Run, GKE services)
  5. Deploy BeyondCorp Enterprise connectors for on-premises applications
  6. Migrate users in 3 phases: IT/Engineering (week 1-2), General staff (week 3-4), Executives/Finance (week 5-6)
  7. Configure re-authentication policies: 8 hours for general apps, 1 hour for financial systems
  8. Set up BigQuery audit pipeline for continuous monitoring and anomaly detection
  9. Decommission VPN after 30-day parallel operation period

Pitfalls: Some legacy applications may not support HTTPS proxying and require TCP tunnel mode. Device enrollment takes time; plan a 2-week onboarding period before enforcing device posture requirements. Break-glass accounts with bypassed access levels must be created and tested for identity provider outages.

Output Format

BeyondCorp Zero Trust Implementation Report
==================================================
Organization: TechCorp Inc.
Implementation Date: 2026-02-23
Migration Phase: Phase 2 of 3

ACCESS ARCHITECTURE:
  Identity Provider: Google Workspace
  Access Proxy: Google Cloud IAP
  Device Management: Chrome Enterprise + Endpoint Verification
  Threat Protection: Chrome Enterprise Premium
  On-Prem Connector: BeyondCorp Enterprise Connector (3 instances)

ACCESS LEVEL COVERAGE:
  Access Level: corporate-managed
    Devices enrolled:              2,847 / 3,000 (94.9%)
    Compliant devices:             2,712 / 2,847 (95.3%)
  Access Level: high-trust
    Devices enrolled:              312 / 350 (89.1%)
    Compliant devices:             298 / 312 (95.5%)

APPLICATION MIGRATION:
  GCP HTTPS apps (IAP-protected):  32 / 35 (91.4%)
  On-prem apps (via connector):    12 / 15 (80.0%)
  SaaS apps (via SAML/OIDC):       8 / 8 (100%)
  Total migrated:                  52 / 58 (89.7%)

SECURITY METRICS (last 30 days):
  Total access requests:           1,247,832
  Denied by IAP policy:            3,412 (0.27%)
  Denied by access level:          1,208 (0.10%)
  Re-authentication triggered:     45,219
  Anomalous access patterns:       12 (investigated)
  VPN-related incidents (before):  8/month
  BeyondCorp incidents (after):    1/month

VPN DECOMMISSION STATUS:
  Parallel operation remaining:    14 days
  Users still on VPN:              148 (5%)
  Planned decommission:            2026-03-15

How to use implementing-beyondcorp-zero-trust-access-model on Cursor

AI-first code editor with Composer

1. Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add implementing-beyondcorp-zero-trust-access-model
2. Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/implementing-beyondcorp-zero-trust-access-model

The skills CLI fetches implementing-beyondcorp-zero-trust-access-model from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3. Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ● Cursor (selected)
│ • Windsurf

4. Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/implementing-beyondcorp-zero-trust-access-model

Reload or restart Cursor to activate implementing-beyondcorp-zero-trust-access-model. Access the skill through slash commands (e.g., /implementing-beyondcorp-zero-trust-access-model) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.


Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. Install skill using provided installation command
  2. Test with simple use case relevant to your work
  3. Evaluate output quality and relevance
  4. Iterate on prompts to improve results
  5. Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • Start with clear, specific prompts
  • Provide relevant context and constraints
  • Review and refine all outputs before using
  • Iterate to improve output quality
  • Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. Familiarize yourself with skill capabilities and limitations
  2. Start with low-risk, non-critical tasks
  3. Progress to more complex and valuable use cases
  4. Build expertise through regular use and experimentation


Ratings

4.7 · 42 reviews
  • Aditi Mensah · Dec 28, 2024

    implementing-beyondcorp-zero-trust-access-model fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Yuki Ramirez · Dec 24, 2024

    I recommend implementing-beyondcorp-zero-trust-access-model for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Mia Diallo · Dec 24, 2024

    Keeps context tight: implementing-beyondcorp-zero-trust-access-model is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Chaitanya Patil · Dec 4, 2024

    We added implementing-beyondcorp-zero-trust-access-model from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Piyush G · Nov 23, 2024

    implementing-beyondcorp-zero-trust-access-model reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Yuki Bansal · Nov 15, 2024

    Useful defaults in implementing-beyondcorp-zero-trust-access-model — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Jin Gill · Nov 15, 2024

    implementing-beyondcorp-zero-trust-access-model is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Amina Thompson · Nov 15, 2024

    implementing-beyondcorp-zero-trust-access-model has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Shikha Mishra · Oct 14, 2024

    implementing-beyondcorp-zero-trust-access-model is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Evelyn Flores · Oct 6, 2024

    Registry listing for implementing-beyondcorp-zero-trust-access-model matched our evaluation — installs cleanly and behaves as described in the markdown.
