BeyondCorp and the long tail of Zero Trust | USENIX

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" version="XHTML+RDFa 1.0" dir="ltr" xmlns:og="http://ogp.me/ns#" xmlns:article="http://ogp.me/ns/article#" xmlns:book="http://ogp.me/ns/book#" xmlns:profile="http://ogp.me/ns/profile#" xmlns:video="http://ogp.me/ns/video#" xmlns:product="http://ogp.me/ns/product#"> <head profile="http://www.w3.org/1999/xhtml/vocab"> <script type="text/javascript" id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="694f6fb4-ca29-459f-a9b6-c1deccf2eaca" async="async"></script> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><script type="text/javascript">(window.NREUM||(NREUM={})).init={ajax:{deny_list:["bam.nr-data.net"]}};(window.NREUM||(NREUM={})).loader_config={licenseKey:"d823139095",applicationID:"509444"};;/*! For license information please see nr-loader-rum-1.282.0.min.js.LICENSE.txt */ (()=>{var e,t,r={8122:(e,t,r)=>{"use strict";r.d(t,{a:()=>i});var n=r(944);function i(e,t){try{if(!e||"object"!=typeof e)return(0,n.R)(3);if(!t||"object"!=typeof t)return(0,n.R)(4);const r=Object.create(Object.getPrototypeOf(t),Object.getOwnPropertyDescriptors(t)),o=0===Object.keys(r).length?e:r;for(let a in o)if(void 0!==e[a])try{if(null===e[a]){r[a]=null;continue}Array.isArray(e[a])&&Array.isArray(t[a])?r[a]=Array.from(new Set([...e[a],...t[a]])):"object"==typeof e[a]&&"object"==typeof t[a]?r[a]=i(e[a],t[a]):r[a]=e[a]}catch(e){(0,n.R)(1,e)}return r}catch(e){(0,n.R)(2,e)}}},2555:(e,t,r)=>{"use strict";r.d(t,{Vp:()=>c,fn:()=>s,x1:()=>u});var n=r(384),i=r(8122);const o={beacon:n.NT.beacon,errorBeacon:n.NT.errorBeacon,licenseKey:void 0,applicationID:void 0,sa:void 0,queueTime:void 0,applicationTime:void 0,ttGuid:void 0,user:void 0,account:void 0,product:void 0,extra:void 0,jsAttributes:{},userAttributes:void 0,atts:void 0,transactionName:void 0,tNamePlain:void 0},a={};function s(e){try{const 
t=c(e);return!!t.licenseKey&&!!t.errorBeacon&&!!t.applicationID}catch(e){return!1}}function c(e){if(!e)throw new Error("All info objects require an agent identifier!");if(!a[e])throw new Error("Info for ".concat(e," was never set"));return a[e]}function u(e,t){if(!e)throw new Error("All info objects require an agent identifier!");a[e]=(0,i.a)(t,o);const r=(0,n.nY)(e);r&&(r.info=a[e])}},5217:(e,t,r)=>{"use strict";r.d(t,{D0:()=>m,gD:()=>b,xN:()=>v});r(860).K7.genericEvents;const n="experimental.marks",i="experimental.measures",o="experimental.resources";var a=r(993);const s=e=>{if(!e||"string"!=typeof e)return!1;try{document.createDocumentFragment().querySelector(e)}catch{return!1}return!0};var c=r(2614),u=r(944),l=r(384),d=r(8122);const f="[data-nr-mask]",g=()=>{const e={feature_flags:[],experimental:{marks:!1,measures:!1,resources:!1},mask_selector:"*",block_selector:"[data-nr-block]",mask_input_options:{color:!1,date:!1,"datetime-local":!1,email:!1,month:!1,number:!1,range:!1,search:!1,tel:!1,text:!1,time:!1,url:!1,week:!1,textarea:!1,select:!1,password:!0}};return{ajax:{deny_list:void 0,block_internal:!0,enabled:!0,autoStart:!0},distributed_tracing:{enabled:void 0,exclude_newrelic_header:void 0,cors_use_newrelic_header:void 0,cors_use_tracecontext_headers:void 0,allowed_origins:void 0},get feature_flags(){return e.feature_flags},set feature_flags(t){e.feature_flags=t},generic_events:{enabled:!0,autoStart:!0},harvest:{interval:30},jserrors:{enabled:!0,autoStart:!0},logging:{enabled:!0,autoStart:!0,level:a.p_.INFO},metrics:{enabled:!0,autoStart:!0},obfuscate:void 0,page_action:{enabled:!0},page_view_event:{enabled:!0,autoStart:!0},page_view_timing:{enabled:!0,autoStart:!0},performance:{get capture_marks(){return e.feature_flags.includes(n)||e.experimental.marks},set capture_marks(t){e.experimental.marks=t},get capture_measures(){return e.feature_flags.includes(i)||e.experimental.measures},set 
capture_measures(t){e.experimental.measures=t},capture_detail:!0,resources:{get enabled(){return e.feature_flags.includes(o)||e.experimental.resources},set enabled(t){e.experimental.resources=t},asset_types:[],first_party_domains:[],ignore_newrelic:!0}},privacy:{cookies_enabled:!0},proxy:{assets:void 0,beacon:void 0},session:{expiresMs:c.wk,inactiveMs:c.BB},session_replay:{autoStart:!0,enabled:!1,preload:!1,sampling_rate:10,error_sampling_rate:100,collect_fonts:!1,inline_images:!1,fix_stylesheets:!0,mask_all_inputs:!0,get mask_text_selector(){return e.mask_selector},set mask_text_selector(t){s(t)?e.mask_selector="".concat(t,",").concat(f):""===t||null===t?e.mask_selector=f:(0,u.R)(5,t)},get block_class(){return"nr-block"},get ignore_class(){return"nr-ignore"},get mask_text_class(){return"nr-mask"},get block_selector(){return e.block_selector},set block_selector(t){s(t)?e.block_selector+=",".concat(t):""!==t&&(0,u.R)(6,t)},get mask_input_options(){return e.mask_input_options},set mask_input_options(t){t&&"object"==typeof t?e.mask_input_options={...t,password:!0}:(0,u.R)(7,t)}},session_trace:{enabled:!0,autoStart:!0},soft_navigations:{enabled:!0,autoStart:!0},spa:{enabled:!0,autoStart:!0},ssl:void 0,user_actions:{enabled:!0,elementAttributes:["id","className","tagName","type"]}}},p={},h="All configuration objects require an agent identifier!";function m(e){if(!e)throw new Error(h);if(!p[e])throw new Error("Configuration for ".concat(e," was never set"));return p[e]}function v(e,t){if(!e)throw new Error(h);p[e]=(0,d.a)(t,g());const r=(0,l.nY)(e);r&&(r.init=p[e])}function b(e,t){if(!e)throw new Error(h);var r=m(e);if(r){for(var n=t.split("."),i=0;i<n.length-1;i++)if("object"!=typeof(r=r[n[i]]))return;r=r[n[n.length-1]]}return r}},3371:(e,t,r)=>{"use strict";r.d(t,{V:()=>f,f:()=>d});var n=r(8122),i=r(384),o=r(6154),a=r(9324);let s=0;const c={buildEnv:a.F3,distMethod:a.Xs,version:a.xv,originTime:o.WN},u={customTransaction:void 
0,disabled:!1,isolatedBacklog:!1,loaderType:void 0,maxBytes:3e4,onerror:void 0,ptid:void 0,releaseIds:{},appMetadata:{},session:void 0,denyList:void 0,timeKeeper:void 0,obfuscator:void 0,harvester:void 0},l={};function d(e){if(!e)throw new Error("All runtime objects require an agent identifier!");if(!l[e])throw new Error("Runtime for ".concat(e," was never set"));return l[e]}function f(e,t){if(!e)throw new Error("All runtime objects require an agent identifier!");l[e]={...(0,n.a)(t,u),...c},Object.hasOwnProperty.call(l[e],"harvestCount")||Object.defineProperty(l[e],"harvestCount",{get:()=>++s});const r=(0,i.nY)(e);r&&(r.runtime=l[e])}},9324:(e,t,r)=>{"use strict";r.d(t,{F3:()=>i,Xs:()=>o,xv:()=>n});const n="1.282.0",i="PROD",o="CDN"},6154:(e,t,r)=>{"use strict";r.d(t,{OF:()=>c,RI:()=>i,WN:()=>l,bv:()=>o,gm:()=>a,mw:()=>s,sb:()=>u});var n=r(1863);const i="undefined"!=typeof window&&!!window.document,o="undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self.navigator instanceof WorkerNavigator||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis.navigator instanceof WorkerNavigator),a=i?window:"undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis),s=Boolean("hidden"===a?.document?.visibilityState),c=/iPad|iPhone|iPod/.test(a.navigator?.userAgent),u=c&&"undefined"==typeof SharedWorker,l=((()=>{const e=a.navigator?.userAgent?.match(/Firefox[/\s](\d+\.\d+)/);Array.isArray(e)&&e.length>=2&&e[1]})(),Date.now()-(0,n.t)())},1687:(e,t,r)=>{"use strict";r.d(t,{Ak:()=>c,Ze:()=>d,x3:()=>u});var n=r(7836),i=r(3606),o=r(860),a=r(2646);const s={};function c(e,t){const r={staged:!1,priority:o.P3[t]||0};l(e),s[e].get(t)||s[e].set(t,r)}function u(e,t){e&&s[e]&&(s[e].get(t)&&s[e].delete(t),g(e,t,!1),s[e].size&&f(e))}function l(e){if(!e)throw new Error("agentIdentifier 
required");s[e]||(s[e]=new Map)}function d(e="",t="feature",r=!1){if(l(e),!e||!s[e].get(t)||r)return g(e,t);s[e].get(t).staged=!0,f(e)}function f(e){const t=Array.from(s[e]);t.every((([e,t])=>t.staged))&&(t.sort(((e,t)=>e[1].priority-t[1].priority)),t.forEach((([t])=>{s[e].delete(t),g(e,t)})))}function g(e,t,r=!0){const o=e?n.ee.get(e):n.ee,s=i.i.handlers;if(!o.aborted&&o.backlog&&s){if(r){const e=o.backlog[t],r=s[t];if(r){for(let t=0;e&&t<e.length;++t)p(e[t],r);Object.entries(r).forEach((([e,t])=>{Object.values(t||{}).forEach((t=>{t[0]?.on&&t[0]?.context()instanceof a.y&&t[0].on(e,t[1])}))}))}}o.isolatedBacklog||delete s[t],o.backlog[t]=null,o.emit("drain-"+t,[])}}function p(e,t){var r=e[1];Object.values(t[r]||{}).forEach((t=>{var r=e[0];if(t[0]===r){var n=t[1],i=e[3],o=e[2];n.apply(i,o)}}))}},7836:(e,t,r)=>{"use strict";r.d(t,{P:()=>c,ee:()=>u});var n=r(384),i=r(8990),o=r(3371),a=r(2646),s=r(5607);const c="nr@context:".concat(s.W),u=function e(t,r){var n={},s={},l={},d=!1;try{d=16===r.length&&(0,o.f)(r).isolatedBacklog}catch(e){}var f={on:p,addEventListener:p,removeEventListener:function(e,t){var r=n[e];if(!r)return;for(var i=0;i<r.length;i++)r[i]===t&&r.splice(i,1)},emit:function(e,r,n,i,o){!1!==o&&(o=!0);if(u.aborted&&!i)return;t&&o&&t.emit(e,r,n);for(var a=g(n),c=h(e),l=c.length,d=0;d<l;d++)c[d].apply(a,r);var p=v()[s[e]];p&&p.push([f,e,r,a]);return a},get:m,listeners:h,context:g,buffer:function(e,t){const r=v();if(t=t||"feature",f.aborted)return;Object.entries(e||{}).forEach((([e,n])=>{s[n]=t,t in r||(r[t]=[])}))},abort:function(){f._aborted=!0,Object.keys(f.backlog).forEach((e=>{delete f.backlog[e]}))},isBuffering:function(e){return!!v()[s[e]]},debugId:r,backlog:d?{}:t&&"object"==typeof t.backlog?t.backlog:{},isolatedBacklog:d};return Object.defineProperty(f,"aborted",{get:()=>{let e=f._aborted||!1;return e||(t&&(e=t.aborted),e)}}),f;function g(e){return e&&e instanceof a.y?e:e?(0,i.I)(e,c,(()=>new a.y(c))):new a.y(c)}function 
p(e,t){n[e]=h(e).concat(t)}function h(e){return n[e]||[]}function m(t){return l[t]=l[t]||e(f,t)}function v(){return f.backlog}}(void 0,"globalEE"),l=(0,n.Zm)();l.ee||(l.ee=u)},2646:(e,t,r)=>{"use strict";r.d(t,{y:()=>n});class n{constructor(e){this.contextId=e}}},9908:(e,t,r)=>{"use strict";r.d(t,{d:()=>n,p:()=>i});var n=r(7836).ee.get("handle");function i(e,t,r,i,o){o?(o.buffer([e],i),o.emit(e,t,r)):(n.buffer([e],i),n.emit(e,t,r))}},3606:(e,t,r)=>{"use strict";r.d(t,{i:()=>o});var n=r(9908);o.on=a;var i=o.handlers={};function o(e,t,r,o){a(o||n.d,i,e,t,r)}function a(e,t,r,i,o){o||(o="feature"),e||(e=n.d);var a=t[o]=t[o]||{};(a[r]=a[r]||[]).push([e,i])}},3878:(e,t,r)=>{"use strict";function n(e,t){return{capture:e,passive:!1,signal:t}}function i(e,t,r=!1,i){window.addEventListener(e,t,n(r,i))}function o(e,t,r=!1,i){document.addEventListener(e,t,n(r,i))}r.d(t,{DD:()=>o,jT:()=>n,sp:()=>i})},5607:(e,t,r)=>{"use strict";r.d(t,{W:()=>n});const n=(0,r(9566).bz)()},9566:(e,t,r)=>{"use strict";r.d(t,{LA:()=>s,bz:()=>a});var n=r(6154);const i="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx";function o(e,t){return e?15&e[t]:16*Math.random()|0}function a(){const e=n.gm?.crypto||n.gm?.msCrypto;let t,r=0;return e&&e.getRandomValues&&(t=e.getRandomValues(new Uint8Array(30))),i.split("").map((e=>"x"===e?o(t,r++).toString(16):"y"===e?(3&o()|8).toString(16):e)).join("")}function s(e){const t=n.gm?.crypto||n.gm?.msCrypto;let r,i=0;t&&t.getRandomValues&&(r=t.getRandomValues(new Uint8Array(e)));const a=[];for(var s=0;s<e;s++)a.push(o(r,i++).toString(16));return a.join("")}},2614:(e,t,r)=>{"use strict";r.d(t,{BB:()=>a,H3:()=>n,g:()=>u,iL:()=>c,tS:()=>s,uh:()=>i,wk:()=>o});const n="NRBA",i="SESSION",o=144e5,a=18e5,s={STARTED:"session-started",PAUSE:"session-pause",RESET:"session-reset",RESUME:"session-resume",UPDATE:"session-update"},c={SAME_TAB:"same-tab",CROSS_TAB:"cross-tab"},u={OFF:0,FULL:1,ERROR:2}},1863:(e,t,r)=>{"use strict";function n(){return 
Math.floor(performance.now())}r.d(t,{t:()=>n})},944:(e,t,r)=>{"use strict";function n(e,t){"function"==typeof console.debug&&console.debug("New Relic Warning: https://github.com/newrelic/newrelic-browser-agent/blob/main/docs/warning-codes.md#".concat(e),t)}r.d(t,{R:()=>n})},5284:(e,t,r)=>{"use strict";r.d(t,{t:()=>c,B:()=>s});var n=r(7836),i=r(6154);const o="newrelic";const a=new Set,s={};function c(e,t){const r=n.ee.get(t);s[t]??={},e&&"object"==typeof e&&(a.has(t)||(r.emit("rumresp",[e]),s[t]=e,a.add(t),function(e={}){try{i.gm.dispatchEvent(new CustomEvent(o,{detail:e}))}catch(e){}}({loaded:!0})))}},8990:(e,t,r)=>{"use strict";r.d(t,{I:()=>i});var n=Object.prototype.hasOwnProperty;function i(e,t,r){if(n.call(e,t))return e[t];var i=r();if(Object.defineProperty&&Object.keys)try{return Object.defineProperty(e,t,{value:i,writable:!0,enumerable:!1}),i}catch(e){}return e[t]=i,i}},6389:(e,t,r)=>{"use strict";function n(e,t=500,r={}){const n=r?.leading||!1;let i;return(...r)=>{n&&void 0===i&&(e.apply(this,r),i=setTimeout((()=>{i=clearTimeout(i)}),t)),n||(clearTimeout(i),i=setTimeout((()=>{e.apply(this,r)}),t))}}function i(e){let t=!1;return(...r)=>{t||(t=!0,e.apply(this,r))}}r.d(t,{J:()=>i,s:()=>n})},5289:(e,t,r)=>{"use strict";r.d(t,{GG:()=>o,We:()=>i,sB:()=>a});var n=r(3878);function i(){return"undefined"==typeof document||"complete"===document.readyState}function o(e,t){if(i())return e();(0,n.sp)("load",e,t)}function a(e){if(i())return e();(0,n.DD)("DOMContentLoaded",e)}},384:(e,t,r)=>{"use strict";r.d(t,{NT:()=>o,US:()=>l,Zm:()=>a,bQ:()=>c,dV:()=>s,nY:()=>u,pV:()=>d});var n=r(6154),i=r(1863);const o={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net"};function a(){return n.gm.NREUM||(n.gm.NREUM={}),void 0===n.gm.newrelic&&(n.gm.newrelic=n.gm.NREUM),n.gm.NREUM}function s(){let e=a();return 
e.o||(e.o={ST:n.gm.setTimeout,SI:n.gm.setImmediate,CT:n.gm.clearTimeout,XHR:n.gm.XMLHttpRequest,REQ:n.gm.Request,EV:n.gm.Event,PR:n.gm.Promise,MO:n.gm.MutationObserver,FETCH:n.gm.fetch,WS:n.gm.WebSocket}),e}function c(e,t){let r=a();r.initializedAgents??={},t.initializedAt={ms:(0,i.t)(),date:new Date},r.initializedAgents[e]=t}function u(e){let t=a();return t.initializedAgents?.[e]}function l(e,t){a()[e]=t}function d(){return function(){let e=a();const t=e.info||{};e.info={beacon:o.beacon,errorBeacon:o.errorBeacon,...t}}(),function(){let e=a();const t=e.init||{};e.init={...t}}(),s(),function(){let e=a();const t=e.loader_config||{};e.loader_config={...t}}(),a()}},2843:(e,t,r)=>{"use strict";r.d(t,{u:()=>i});var n=r(3878);function i(e,t=!1,r,i){(0,n.DD)("visibilitychange",(function(){if(t)return void("hidden"===document.visibilityState&&e());e(document.visibilityState)}),r,i)}},3434:(e,t,r)=>{"use strict";r.d(t,{Jt:()=>o,YM:()=>c});var n=r(7836),i=r(5607);const o="nr@original:".concat(i.W);var a=Object.prototype.hasOwnProperty,s=!1;function c(e,t){return e||(e=n.ee),r.inPlace=function(e,t,n,i,o){n||(n="");const a="-"===n.charAt(0);for(let s=0;s<t.length;s++){const c=t[s],u=e[c];l(u)||(e[c]=r(u,a?c+n:n,i,c,o))}},r.flag=o,r;function r(t,r,n,s,c){return l(t)?t:(r||(r=""),nrWrapper[o]=t,function(e,t,r){if(Object.defineProperty&&Object.keys)try{return Object.keys(e).forEach((function(r){Object.defineProperty(t,r,{get:function(){return e[r]},set:function(t){return e[r]=t,t}})})),t}catch(e){u([e],r)}for(var n in e)a.call(e,n)&&(t[n]=e[n])}(t,nrWrapper,e),nrWrapper);function nrWrapper(){var o,a,l,d;try{a=this,o=[...arguments],l="function"==typeof n?n(o,a):n||{}}catch(t){u([t,"",[o,a,s],l],e)}i(r+"start",[o,a,s],l,c);try{return d=t.apply(a,o)}catch(e){throw i(r+"err",[o,a,e],l,c),e}finally{i(r+"end",[o,a,d],l,c)}}}function i(r,n,i,o){if(!s||t){var a=s;s=!0;try{e.emit(r,n,i,t,o)}catch(t){u([t,r,n,i],e)}s=a}}}function 
u(e,t){t||(t=n.ee);try{t.emit("internal-error",e)}catch(e){}}function l(e){return!(e&&"function"==typeof e&&e.apply&&!e[o])}},9559:(e,t,r)=>{"use strict";r.d(t,{A5:()=>d,NF:()=>c,tV:()=>u});var n=r(6154),i=r(1863),o=r(5289),a=r(9566),s=r(384);const c="websocket-",u="addEventListener",l={};function d(e){if(l[e.debugId]++)return e;if(!(0,s.dV)().o.WS)return e;class t extends WebSocket{static name="WebSocket";constructor(...t){super(...t);const r=(0,a.LA)(6);this.report=function(t){const r=(0,i.t)();return function(n,...a){const s=a[0]?.timeStamp||(0,i.t)(),u=(0,o.We)();e.emit(c+n,[s,s-r,u,t,...a])}}(r),this.report("new");["message","error","open","close"].forEach((e=>{this.addEventListener(e,(function(t){this.report(u,{eventType:e,event:t})}))}))}send(...e){this.report("send",...e);try{return super.send(...e)}catch(t){throw this.report("send-err",...e),t}}}return n.gm.WebSocket=t,e}},993:(e,t,r)=>{"use strict";r.d(t,{ET:()=>o,p_:()=>i});var n=r(860);const i={ERROR:"ERROR",WARN:"WARN",INFO:"INFO",DEBUG:"DEBUG",TRACE:"TRACE"},o="log";n.K7.logging},3969:(e,t,r)=>{"use strict";r.d(t,{Pj:()=>u,TZ:()=>i,XG:()=>c,rs:()=>o,xV:()=>s,z_:()=>a});var n=r(9559);const i=r(860).K7.metrics,o="sm",a="cm",s="storeSupportabilityMetrics",c="storeEventMetrics",u=["new","send","close",n.tV]},6630:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewEvent},782:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewTiming},6344:(e,t,r)=>{"use strict";r.d(t,{G4:()=>i});var n=r(2614);r(860).K7.sessionReplay;const i={RECORD:"recordReplay",PAUSE:"pauseReplay",REPLAY_RUNNING:"replayRunning",ERROR_DURING_REPLAY:"errorDuringReplay"};n.g.ERROR,n.g.FULL,n.g.OFF},4234:(e,t,r)=>{"use strict";r.d(t,{W:()=>o});var n=r(7836),i=r(1687);class o{constructor(e,t){this.agentIdentifier=e,this.ee=n.ee.get(e),this.featureName=t,this.blocked=!1}deregisterDrain(){(0,i.x3)(this.agentIdentifier,this.featureName)}}},7603:(e,t,r)=>{"use strict";r.d(t,{j:()=>K});var 
n=r(860),i=r(2555),o=r(3371),a=r(9908),s=r(7836),c=r(1687),u=r(5289),l=r(6154),d=r(944),f=r(3969),g=r(384),p=r(6344);const h=["setErrorHandler","finished","addToTrace","addRelease","recordCustomEvent","addPageAction","setCurrentRouteName","setPageViewName","setCustomAttribute","interaction","noticeError","setUserId","setApplicationVersion","start",p.G4.RECORD,p.G4.PAUSE,"log","wrapLogger"],m=["setErrorHandler","finished","addToTrace","addRelease"];var v=r(1863),b=r(2614),y=r(993);var w=r(2646),A=r(3434);const E=new Map;function R(e,t,r,n){if("object"!=typeof t||!t||"string"!=typeof r||!r||"function"!=typeof t[r])return(0,d.R)(29);const i=function(e){return(e||s.ee).get("logger")}(e),o=(0,A.YM)(i),a=new w.y(s.P);a.level=n.level,a.customAttributes=n.customAttributes;const c=t[r]?.[A.Jt]||t[r];return E.set(c,a),o.inPlace(t,[r],"wrap-logger-",(()=>E.get(c))),i}function _(){const e=(0,g.pV)();h.forEach((t=>{e[t]=(...r)=>function(t,...r){let n=[];return Object.values(e.initializedAgents).forEach((e=>{e&&e.api?e.exposed&&e.api[t]&&n.push(e.api[t](...r)):(0,d.R)(38,t)})),n.length>1?n:n[0]}(t,...r)}))}const x={};function N(e,t,g=!1){t||(0,c.Ak)(e,"api");const h={};var w=s.ee.get(e),A=w.get("tracer");x[e]=b.g.OFF,w.on(p.G4.REPLAY_RUNNING,(t=>{x[e]=t}));var E="api-",_=E+"ixn-";function N(t,r,n,o){const a=(0,i.Vp)(e);return null===r?delete a.jsAttributes[t]:(0,i.x1)(e,{...a,jsAttributes:{...a.jsAttributes,[t]:r}}),T(E,n,!0,o||null===r?"session":void 0)(t,r)}function k(){}h.log=function(e,{customAttributes:t={},level:r=y.p_.INFO}={}){(0,a.p)(f.xV,["API/log/called"],void 0,n.K7.metrics,w),function(e,t,r={},i=y.p_.INFO){(0,a.p)(f.xV,["API/logging/".concat(i.toLowerCase(),"/called")],void 0,n.K7.metrics,e),(0,a.p)(y.ET,[(0,v.t)(),t,r,i],void 0,n.K7.logging,e)}(w,e,t,r)},h.wrapLogger=(e,t,{customAttributes:r={},level:i=y.p_.INFO}={})=>{(0,a.p)(f.xV,["API/wrapLogger/called"],void 
0,n.K7.metrics,w),R(w,e,t,{customAttributes:r,level:i})},m.forEach((e=>{h[e]=T(E,e,!0,"api")})),h.addPageAction=T(E,"addPageAction",!0,n.K7.genericEvents),h.recordCustomEvent=T(E,"recordCustomEvent",!0,n.K7.genericEvents),h.setPageViewName=function(t,r){if("string"==typeof t)return"/"!==t.charAt(0)&&(t="/"+t),(0,o.f)(e).customTransaction=(r||"http://custom.transaction")+t,T(E,"setPageViewName",!0)()},h.setCustomAttribute=function(e,t,r=!1){if("string"==typeof e){if(["string","number","boolean"].includes(typeof t)||null===t)return N(e,t,"setCustomAttribute",r);(0,d.R)(40,typeof t)}else(0,d.R)(39,typeof e)},h.setUserId=function(e){if("string"==typeof e||null===e)return N("enduser.id",e,"setUserId",!0);(0,d.R)(41,typeof e)},h.setApplicationVersion=function(e){if("string"==typeof e||null===e)return N("application.version",e,"setApplicationVersion",!1);(0,d.R)(42,typeof e)},h.start=()=>{try{(0,a.p)(f.xV,["API/start/called"],void 0,n.K7.metrics,w),w.emit("manual-start-all")}catch(e){(0,d.R)(23,e)}},h[p.G4.RECORD]=function(){(0,a.p)(f.xV,["API/recordReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.RECORD,[],void 0,n.K7.sessionReplay,w)},h[p.G4.PAUSE]=function(){(0,a.p)(f.xV,["API/pauseReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.PAUSE,[],void 0,n.K7.sessionReplay,w)},h.interaction=function(e){return(new k).get("object"==typeof e?e:{})};const S=k.prototype={createTracer:function(e,t){var r={},i=this,o="function"==typeof t;return(0,a.p)(f.xV,["API/createTracer/called"],void 0,n.K7.metrics,w),g||(0,a.p)(_+"tracer",[(0,v.t)(),e,r],i,n.K7.spa,w),function(){if(A.emit((o?"":"no-")+"fn-start",[(0,v.t)(),i,o],r),o)try{return t.apply(this,arguments)}catch(e){const t="string"==typeof e?new Error(e):e;throw A.emit("fn-err",[arguments,this,t],r),t}finally{A.emit("fn-end",[(0,v.t)()],r)}}}};function T(e,t,r,i){return function(){return(0,a.p)(f.xV,["API/"+t+"/called"],void 0,n.K7.metrics,w),i&&(0,a.p)(e+t,[r?(0,v.t)():performance.now(),...arguments],r?null:this,i,w),r?void 
0:this}}function j(){r.e(296).then(r.bind(r,8778)).then((({setAPI:t})=>{t(e),(0,c.Ze)(e,"api")})).catch((e=>{(0,d.R)(27,e),w.abort()}))}return["actionText","setName","setAttribute","save","ignore","onEnd","getContext","end","get"].forEach((e=>{S[e]=T(_,e,void 0,g?n.K7.softNav:n.K7.spa)})),h.setCurrentRouteName=g?T(_,"routeName",void 0,n.K7.softNav):T(E,"routeName",!0,n.K7.spa),h.noticeError=function(t,r){"string"==typeof t&&(t=new Error(t)),(0,a.p)(f.xV,["API/noticeError/called"],void 0,n.K7.metrics,w),(0,a.p)("err",[t,(0,v.t)(),!1,r,!!x[e]],void 0,n.K7.jserrors,w)},l.RI?(0,u.GG)((()=>j()),!0):j(),h}var k=r(5217),S=r(8122);const T={accountID:void 0,trustKey:void 0,agentID:void 0,licenseKey:void 0,applicationID:void 0,xpid:void 0},j={};var I=r(5284);const O=e=>{const t=e.startsWith("http");e+="/",r.p=t?e:"https://"+e};let P=!1;function K(e,t={},r,n){let{init:a,info:c,loader_config:u,runtime:d={},exposed:f=!0}=t;d.loaderType=r;const p=(0,g.pV)();c||(a=p.init,c=p.info,u=p.loader_config),(0,k.xN)(e.agentIdentifier,a||{}),function(e,t){if(!e)throw new Error("All loader-config objects require an agent identifier!");j[e]=(0,S.a)(t,T);const r=(0,g.nY)(e);r&&(r.loader_config=j[e])}(e.agentIdentifier,u||{}),c.jsAttributes??={},l.bv&&(c.jsAttributes.isWorker=!0),(0,i.x1)(e.agentIdentifier,c);const h=(0,k.D0)(e.agentIdentifier),m=[c.beacon,c.errorBeacon];P||(h.proxy.assets&&(O(h.proxy.assets),m.push(h.proxy.assets)),h.proxy.beacon&&m.push(h.proxy.beacon),_(),(0,g.US)("activatedFeatures",I.B),e.runSoftNavOverSpa&&=!0===h.soft_navigations.enabled&&h.feature_flags.includes("soft_nav")),d.denyList=[...h.ajax.deny_list||[],...h.ajax.block_internal?m:[]],d.ptid=e.agentIdentifier,(0,o.V)(e.agentIdentifier,d),e.ee=s.ee.get(e.agentIdentifier),void 0===e.api&&(e.api=N(e.agentIdentifier,n,e.runSoftNavOverSpa)),void 0===e.exposed&&(e.exposed=f),P=!0}},8374:(e,t,r)=>{r.nc=(()=>{try{return document?.currentScript?.nonce}catch(e){}return""})()},860:(e,t,r)=>{"use 
strict";r.d(t,{$J:()=>u,K7:()=>s,P3:()=>c,XX:()=>i,qY:()=>n,v4:()=>a});const n="events",i="jserrors",o="browser/blobs",a="rum",s={ajax:"ajax",genericEvents:"generic_events",jserrors:i,logging:"logging",metrics:"metrics",pageAction:"page_action",pageViewEvent:"page_view_event",pageViewTiming:"page_view_timing",sessionReplay:"session_replay",sessionTrace:"session_trace",softNav:"soft_navigations",spa:"spa"},c={[s.pageViewEvent]:1,[s.pageViewTiming]:2,[s.metrics]:3,[s.jserrors]:4,[s.spa]:5,[s.ajax]:6,[s.sessionTrace]:7,[s.softNav]:8,[s.sessionReplay]:9,[s.logging]:10,[s.genericEvents]:11},u={[s.pageViewEvent]:a,[s.pageViewTiming]:n,[s.ajax]:n,[s.spa]:n,[s.softNav]:n,[s.metrics]:i,[s.jserrors]:i,[s.sessionTrace]:o,[s.sessionReplay]:o,[s.logging]:"browser/logs",[s.genericEvents]:"ins"}}},n={};function i(e){var t=n[e];if(void 0!==t)return t.exports;var o=n[e]={exports:{}};return r[e](o,o.exports,i),o.exports}i.m=r,i.d=(e,t)=>{for(var r in t)i.o(t,r)&&!i.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},i.f={},i.e=e=>Promise.all(Object.keys(i.f).reduce(((t,r)=>(i.f[r](e,t),t)),[])),i.u=e=>"nr-rum-1.282.0.min.js",i.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),e={},t="NRBA-1.282.0.PROD:",i.l=(r,n,o,a)=>{if(e[r])e[r].push(n);else{var s,c;if(void 0!==o)for(var u=document.getElementsByTagName("script"),l=0;l<u.length;l++){var d=u[l];if(d.getAttribute("src")==r||d.getAttribute("data-webpack")==t+o){s=d;break}}if(!s){c=!0;var f={296:"sha512-l47U0Uoe1hZBr59ploFpMvlKF+8qyXRcrIz3FyX0RjKPtbVX/XVLlM33rGSBPUp0xtj5pGZfY8WGANUrr9Zq4A=="};(s=document.createElement("script")).charset="utf-8",s.timeout=120,i.nc&&s.setAttribute("nonce",i.nc),s.setAttribute("data-webpack",t+o),s.src=r,0!==s.src.indexOf(window.location.origin+"/")&&(s.crossOrigin="anonymous"),f[a]&&(s.integrity=f[a])}e[r]=[n];var g=(t,n)=>{s.onerror=s.onload=null,clearTimeout(p);var i=e[r];if(delete e[r],s.parentNode&&s.parentNode.removeChild(s),i&&i.forEach((e=>e(n))),t)return 
t(n)},p=setTimeout(g.bind(null,void 0,{type:"timeout",target:s}),12e4);s.onerror=g.bind(null,s.onerror),s.onload=g.bind(null,s.onload),c&&document.head.appendChild(s)}},i.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},i.p="https://js-agent.newrelic.com/",(()=>{var e={374:0,840:0};i.f.j=(t,r)=>{var n=i.o(e,t)?e[t]:void 0;if(0!==n)if(n)r.push(n[2]);else{var o=new Promise(((r,i)=>n=e[t]=[r,i]));r.push(n[2]=o);var a=i.p+i.u(t),s=new Error;i.l(a,(r=>{if(i.o(e,t)&&(0!==(n=e[t])&&(e[t]=void 0),n)){var o=r&&("load"===r.type?"missing":r.type),a=r&&r.target&&r.target.src;s.message="Loading chunk "+t+" failed.\n("+o+": "+a+")",s.name="ChunkLoadError",s.type=o,s.request=a,n[1](s)}}),"chunk-"+t,t)}};var t=(t,r)=>{var n,o,[a,s,c]=r,u=0;if(a.some((t=>0!==e[t]))){for(n in s)i.o(s,n)&&(i.m[n]=s[n]);if(c)c(i)}for(t&&t(r);u<a.length;u++)o=a[u],i.o(e,o)&&e[o]&&e[o][0](),e[o]=0},r=self["webpackChunk:NRBA-1.282.0.PROD"]=self["webpackChunk:NRBA-1.282.0.PROD"]||[];r.forEach(t.bind(null,0)),r.push=t.bind(null,r.push.bind(r))})(),(()=>{"use strict";i(8374);var e=i(944),t=i(6344),r=i(9566);class n{agentIdentifier;constructor(){this.agentIdentifier=(0,r.LA)(16)}#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}addPageAction(e,t){return this.#e("addPageAction",e,t)}recordCustomEvent(e,t){return this.#e("recordCustomEvent",e,t)}setPageViewName(e,t){return this.#e("setPageViewName",e,t)}setCustomAttribute(e,t,r){return this.#e("setCustomAttribute",e,t,r)}noticeError(e,t){return this.#e("noticeError",e,t)}setUserId(e){return this.#e("setUserId",e)}setApplicationVersion(e){return this.#e("setApplicationVersion",e)}setErrorHandler(e){return this.#e("setErrorHandler",e)}addRelease(e,t){return this.#e("addRelease",e,t)}log(e,t){return this.#e("log",e,t)}}class o extends n{#e(t,...r){if("function"==typeof this.api?.[t])return 
this.api[t](...r);(0,e.R)(35,t)}start(){return this.#e("start")}finished(e){return this.#e("finished",e)}recordReplay(){return this.#e(t.G4.RECORD)}pauseReplay(){return this.#e(t.G4.PAUSE)}addToTrace(e){return this.#e("addToTrace",e)}setCurrentRouteName(e){return this.#e("setCurrentRouteName",e)}interaction(){return this.#e("interaction")}wrapLogger(e,t,r){return this.#e("wrapLogger",e,t,r)}}var a=i(860),s=i(5217);const c=Object.values(a.K7);function u(e){const t={};return c.forEach((r=>{t[r]=function(e,t){return!0===(0,s.gD)(t,"".concat(e,".enabled"))}(r,e)})),t}var l=i(7603);var d=i(1687),f=i(4234),g=i(5289),p=i(6154),h=i(384);const m=e=>p.RI&&!0===(0,s.gD)(e,"privacy.cookies_enabled");function v(e){return!!(0,h.dV)().o.MO&&m(e)&&!0===(0,s.gD)(e,"session_trace.enabled")}var b=i(6389);class y extends f.W{constructor(e,t,r=!0){super(e.agentIdentifier,t),this.auto=r,this.abortHandler=void 0,this.featAggregate=void 0,this.onAggregateImported=void 0,!1===e.init[this.featureName].autoStart&&(this.auto=!1),this.auto?(0,d.Ak)(e.agentIdentifier,t):this.ee.on("manual-start-all",(0,b.J)((()=>{(0,d.Ak)(e.agentIdentifier,this.featureName),this.auto=!0,this.importAggregator(e)})))}importAggregator(t,r={}){if(this.featAggregate||!this.auto)return;let n;this.onAggregateImported=new Promise((e=>{n=e}));const o=async()=>{let o;try{if(m(this.agentIdentifier)){const{setupAgentSession:e}=await i.e(296).then(i.bind(i,3861));o=e(t)}}catch(t){(0,e.R)(20,t),this.ee.emit("internal-error",[t]),this.featureName===a.K7.sessionReplay&&this.abortHandler?.()}try{if(!this.#t(this.featureName,o))return(0,d.Ze)(this.agentIdentifier,this.featureName),void n(!1);const{lazyFeatureLoader:e}=await i.e(296).then(i.bind(i,6103)),{Aggregate:a}=await e(this.featureName,"aggregate");this.featAggregate=new 
a(t,r),t.runtime.harvester.initializedAggregates.push(this.featAggregate),n(!0)}catch(t){(0,e.R)(34,t),this.abortHandler?.(),(0,d.Ze)(this.agentIdentifier,this.featureName,!0),n(!1),this.ee&&this.ee.abort()}};p.RI?(0,g.GG)((()=>o()),!0):o()}#t(e,t){switch(e){case a.K7.sessionReplay:return v(this.agentIdentifier)&&!!t;case a.K7.sessionTrace:return!!t;default:return!0}}}var w=i(6630);class A extends y{static featureName=w.T;constructor(e,t=!0){super(e,w.T,t),this.importAggregator(e)}}var E=i(9908),R=i(2843),_=i(3878),x=i(782),N=i(1863);class k extends y{static featureName=x.T;constructor(e,t=!0){super(e,x.T,t),p.RI&&((0,R.u)((()=>(0,E.p)("docHidden",[(0,N.t)()],void 0,x.T,this.ee)),!0),(0,_.sp)("pagehide",(()=>(0,E.p)("winPagehide",[(0,N.t)()],void 0,x.T,this.ee))),this.importAggregator(e))}}var S=i(9559),T=i(3969);class j extends y{static featureName=T.TZ;constructor(e,t=!0){super(e,T.TZ,t),(0,S.A5)(this.ee),T.Pj.forEach((e=>{this.ee.on(S.NF+e,((...t)=>{(0,E.p)("buffered-"+S.NF+e,[...t],void 0,this.featureName,this.ee)}))})),this.importAggregator(e)}}new class extends o{constructor(t){super(),p.gm?(this.features={},(0,h.bQ)(this.agentIdentifier,this),this.desiredFeatures=new Set(t.features||[]),this.desiredFeatures.add(A),this.runSoftNavOverSpa=[...this.desiredFeatures].some((e=>e.featureName===a.K7.softNav)),(0,l.j)(this,t,t.loaderType||"agent"),this.run()):(0,e.R)(21)}get config(){return{info:this.info,init:this.init,loader_config:this.loader_config,runtime:this.runtime}}run(){try{const t=u(this.agentIdentifier),r=[...this.desiredFeatures];r.sort(((e,t)=>a.P3[e.featureName]-a.P3[t.featureName])),r.forEach((r=>{if(!t[r.featureName]&&r.featureName!==a.K7.pageViewEvent)return;if(this.runSoftNavOverSpa&&r.featureName===a.K7.spa)return;if(!this.runSoftNavOverSpa&&r.featureName===a.K7.softNav)return;const n=function(e){switch(e){case a.K7.ajax:return[a.K7.jserrors];case a.K7.sessionTrace:return[a.K7.ajax,a.K7.pageViewEvent];case 
a.K7.sessionReplay:return[a.K7.sessionTrace];case a.K7.pageViewTiming:return[a.K7.pageViewEvent];default:return[]}}(r.featureName).filter((e=>!(e in this.features)));n.length>0&&(0,e.R)(36,{targetFeature:r.featureName,missingDependencies:n}),this.features[r.featureName]=new r(this)}))}catch(t){(0,e.R)(22,t);for(const e in this.features)this.features[e].abortHandler?.();const r=(0,h.Zm)();delete r.initializedAgents[this.agentIdentifier]?.api,delete r.initializedAgents[this.agentIdentifier]?.features,delete this.sharedAggregator;return r.ee.get(this.agentIdentifier).abort(),!1}}}({features:[A,k,j],loaderType:"lite"})})()})();</script> <link rel="shortcut icon" href="https://www.usenix.org/sites/default/files/waves_favicon.ico" type="image/vnd.microsoft.icon" /> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /> <meta name="rating" content="general" /> <meta name="generator" content="Drupal 7 (http://drupal.org)" /> <link rel="canonical" href="https://www.usenix.org/publications/loginonline/beyondcorp-and-long-tail-zero-trust" /> <link rel="shortlink" href="https://www.usenix.org/node/284811" /> <meta property="og:type" content="website" /> <meta property="og:site_name" content="USENIX" /> <meta property="og:title" content="BeyondCorp and the long tail of Zero Trust" /> <meta property="og:url" content="https://www.usenix.org/publications/loginonline/beyondcorp-and-long-tail-zero-trust" /> <meta property="og:updated_time" content="2023-06-07T07:27:41-07:00" /> <meta property="og:image" content="https://www.usenix.org/sites/default/files/usenix_og_1200x630_2.png" /> <meta property="og:image:url" content="https://www.usenix.org/sites/default/files/usenix_og_1200x630_2.png" /> <meta property="og:image:type" content="image/png" /> <meta name="twitter:image:width" content="1200" /> <meta name="twitter:image:height" content="630" /> <meta property="article:published_time" content="2022-10-07T07:59:31-07:00" /> <meta 
property="article:modified_time" content="2023-06-07T07:27:41-07:00" /> <title>BeyondCorp and the long tail of Zero Trust | USENIX</title> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_xE-rWrJf-fncB6ztZfd2huxqgxu4WO-qwma6Xer30m4.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_6Lm0rnfxqNW_dZrK-jiErWln-cm6IgixIkNMwxv7Ar4.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_nUFTrBzuSS1e6iNFoYIyAptja28IikBBh8IfX_l3-Jw.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_NhfuCP0ROKqhpwldXoTM4JcPh5nWD9lhOAJb1G88pjY.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_mRbT5IPFSFuKfzZdgdvZZ85p2out8lpep9KzGqViarQ.css" media="all" /> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_fyV0VVkC6Q3xduxGurKMTFIU2dMmArUrbAdZORL-9WQ.js"></script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_s7yA-hwRxnKty__ED6DuqmTMKG39xvpRyrtyCrbWH4M.js"></script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_DjF-Bb20xeeKeAY25OYUCrKu9mAURkrZnvUmdejl3_I.js"></script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_gHk2gWJ_Qw_jU2qRiUmSl7d8oly1Cx7lQFrqcp3RXcI.js"></script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_RTrWEAPrEyH6RHoUPa_GRU_NbHR0-rQewtCeJl7Faa4.js"></script> <script type="text/javascript"> <!--//--><![CDATA[//><!-- var _paq = _paq || [];(function(){var u=(("https:" == document.location.protocol) ? 
"https://usenix.matomo.cloud/" : "http://usenix.matomo.cloud/");_paq.push(["setSiteId", "2"]);_paq.push(["setTrackerUrl", u+"matomo.php"]);_paq.push(["setDocumentTitle", "BeyondCorp%20and%20the%20long%20tail%20of%20Zero%20Trust"]);_paq.push(["setDownloadExtensions", "pdf|epub|mobi|zip|7z|tar|tgz|gz|gzip"]);_paq.push(["setDoNotTrack", 1]);_paq.push(["trackPageView"]);_paq.push(["setIgnoreClasses", ["no-tracking","colorbox"]]);_paq.push(["enableLinkTracking"]);var d=document,g=d.createElement("script"),s=d.getElementsByTagName("script")[0];g.type="text/javascript";g.defer=true;g.async=true;g.src=u+"matomo.js";s.parentNode.insertBefore(g,s);})(); //--><!]]> </script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_4uimch3jbwkBM_rQkLGsREMhoXGquBbBD04tk1HbzYc.js"></script> <script type="text/javascript" src="https://js.stripe.com/v3"></script> <script type="text/javascript"> <!--//--><![CDATA[//><!-- window.a2a_config=window.a2a_config||{};window.da2a={done:false,html_done:false,script_ready:false,script_load:function(){var a=document.createElement('script'),s=document.getElementsByTagName('script')[0];a.type='text/javascript';a.async=true;a.src='https://static.addtoany.com/menu/page.js';s.parentNode.insertBefore(a,s);da2a.script_load=function(){};},script_onready:function(){da2a.script_ready=true;if(da2a.html_done)da2a.init();},init:function(){for(var i=0,el,target,targets=da2a.targets,length=targets.length;i<length;i++){el=document.getElementById('da2a_'+(i+1));target=targets[i];a2a_config.linkname=target.title;a2a_config.linkurl=target.url;if(el){a2a.init('page',{target:el});el.id='';}da2a.done=true;}da2a.targets=[];}};(function ($){Drupal.behaviors.addToAny = {attach: function (context, settings) {if (context !== document && window.da2a) 
{if(da2a.script_ready)a2a.init_all();da2a.script_load();}}}})(jQuery);a2a_config.callbacks=a2a_config.callbacks||[];a2a_config.callbacks.push({ready:da2a.script_onready});a2a_config.overlays=a2a_config.overlays||[];a2a_config.templates=a2a_config.templates||{}; //--><!]]> </script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_ZO6lBzNCyArV9XKBSrkUh7Vi0Hl4xwt03mPiMaTMGPA.js"></script> <script type="text/javascript"> <!--//--><![CDATA[//><!-- jQuery.extend(Drupal.settings, {"basePath":"\/","pathPrefix":"","setHasJsCookie":0,"ajaxPageState":{"theme":"cotija","theme_token":"QPQxvqxDcdNWMv0WRriZAOnz4rYQePgGN8Ir0ZXBe1Q","js":{"0":1,"https:\/\/www.usenix.org\/sites\/default\/files\/google_tag\/usenix\/google_tag.script.js":1,"sites\/all\/modules\/jquery_update\/replace\/jquery\/1.8\/jquery.min.js":1,"misc\/jquery-extend-3.4.0.js":1,"misc\/jquery-html-prefilter-3.5.0-backport.js":1,"misc\/jquery.once.js":1,"misc\/drupal.js":1,"sites\/all\/modules\/beautytips\/js\/jquery.bt.min.js":1,"sites\/all\/modules\/beautytips\/js\/beautytips.min.js":1,"sites\/all\/modules\/jquery_update\/replace\/ui\/external\/jquery.cookie.js":1,"sites\/all\/libraries\/mmenu\/dist\/mmenu.js":1,"sites\/all\/modules\/entityreference\/js\/entityreference.js":1,"sites\/all\/modules\/behavior_weights\/behavior_weights.js":1,"sites\/all\/modules\/cookiebot\/js\/cookiebot.js":1,"sites\/all\/modules\/matomo\/matomo.js":1,"1":1,"sites\/all\/modules\/usenix\/usenix_blocks\/js\/mobile-menu.js":1,"sites\/all\/modules\/field_group\/field_group.js":1,"https:\/\/js.stripe.com\/v3":1,"2":1,"sites\/all\/themes\/custom\/cotija\/cotija.js":1},"css":{"modules\/system\/system.base.css":1,"modules\/system\/system.menus.css":1,"modules\/system\/system.messages.css":1,"modules\/system\/system.theme.css":1,"sites\/all\/libraries\/mmenu\/dist\/mmenu.css":1,"modules\/comment\/comment.css":1,"modules\/field\/theme\/field.css":1,"modules\/node\/node.css":1,"modules\/poll\/poll.css":1,"modul
es\/search\/search.css":1,"sites\/all\/modules\/usenix\/usenix_conference\/css\/timezone-picker.css":1,"modules\/user\/user.css":1,"sites\/all\/modules\/workflow\/workflow_admin_ui\/workflow_admin_ui.css":1,"sites\/all\/modules\/views\/css\/views.css":1,"sites\/all\/modules\/cookiebot\/css\/cookiebot.css":1,"sites\/all\/modules\/media\/modules\/media_wysiwyg\/css\/media_wysiwyg.base.css":1,"sites\/all\/modules\/ctools\/css\/ctools.css":1,"sites\/all\/modules\/geshifilter\/geshifilter.css":1,"sites\/all\/modules\/biblio\/biblio.css":1,"sites\/all\/modules\/usenix\/usenix_blocks\/css\/mobile-menu.css":1,"sites\/all\/modules\/date\/date_api\/date.css":1,"sites\/all\/modules\/field_collection\/field_collection.theme.css":1,"sites\/all\/modules\/addtoany\/addtoany.css":1,"sites\/all\/themes\/custom\/cotija\/css\/normalize.css":1,"sites\/all\/themes\/custom\/cotija\/css\/style.css":1,"sites\/all\/themes\/custom\/cotija\/fonts\/fontawesome\/css\/all.min.css":1}},"beautytipStyles":{"default":{"fill":"#F4F4F4","strokeStyle":"#666666","spikeLength":20,"spikeGirth":10,"width":350,"overlap":0,"centerPointY":1,"cornerRadius":0,"cssStyles":{"fontFamily":"\u0026quot;Lucida Grande\u0026quot;,Helvetica,Arial,Verdana,sans-serif","fontSize":"12px","padding":"10px 14px"},"shadow":1,"shadowColor":"rgba(0,0,0,.5)","shadowBlur":8,"shadowOffsetX":4,"shadowOffsetY":4},"plain":[],"netflix":{"positions":["right","left"],"fill":"#FFF","padding":5,"shadow":true,"shadowBlur":12,"strokeStyle":"#B9090B","spikeLength":50,"spikeGirth":60,"cornerRadius":10,"centerPointY":0.1,"overlap":-8,"cssStyles":{"fontSize":"12px","fontFamily":"arial,helvetica,sans-serif"}},"facebook":{"fill":"#F7F7F7","padding":8,"strokeStyle":"#B7B7B7","cornerRadius":0,"cssStyles":{"fontFamily":"\u0022lucida grande\u0022,tahoma,verdana,arial,sans-serif","fontSize":"11px"}},"transparent":{"fill":"rgba(0, 0, 0, 
.8)","padding":20,"strokeStyle":"#CC0","strokeWidth":3,"spikeLength":40,"spikeGirth":40,"cornerRadius":40,"cssStyles":{"color":"#FFF","fontWeight":"bold"}},"big-green":{"fill":"#00FF4E","padding":20,"strokeWidth":0,"spikeLength":40,"spikeGirth":40,"cornerRadius":15,"cssStyles":{"fontFamily":"\u0022lucida grande\u0022,tahoma,verdana,arial,sans-serif","fontSize":"14px"}},"google-maps":{"positions":["top","bottom"],"fill":"#FFF","padding":15,"strokeStyle":"#ABABAB","strokeWidth":1,"spikeLength":65,"spikeGirth":40,"cornerRadius":25,"centerPointX":0.9,"cssStyles":[]},"hulu":{"fill":"#F4F4F4","strokeStyle":"#666666","spikeLength":20,"spikeGirth":10,"width":350,"overlap":0,"centerPointY":1,"cornerRadius":0,"cssStyles":{"fontFamily":"\u0022Lucida Grande\u0022,Helvetica,Arial,Verdana,sans-serif","fontSize":"12px","padding":"10px 14px"},"shadow":true,"shadowColor":"rgba(0,0,0,.5)","shadowBlur":8,"shadowOffsetX":4,"shadowOffsetY":4}},"beautytips":{".beautytips":{"cssSelect":".beautytips","style":"default"}},"jcarousel":{"ajaxPath":"\/jcarousel\/ajax\/views"},"cookiebot":{"message_placeholder_cookieconsent_optout_marketing_show":false,"message_placeholder_cookieconsent_optout_marketing":"\u003Cdiv class=\u0022cookiebot cookieconsent-optout-marketing\u0022\u003E\r\n\t\u003Cdiv class=\u0022cookieconsent-optout-marketing__inner\u0022\u003E\r\n\t\tPlease \u003Ca href=\u0022!cookiebot_renew\u0022 class=\u0022cookieconsent-optout-marketing__cookiebot-renew\u0022\u003Eaccept marketing-cookies\u003C\/a\u003E to view this embedded content from \u003Ca href=\u0022!cookiebot_from_src_url\u0022 target=\u0022_blank\u0022 class=\u0022cookieconsent-optout-marketing__from-src-url\u0022\u003E!cookiebot_from_src_url\u003C\/a\u003E\t\u003C\/div\u003E\r\n\u003C\/div\u003E\r\n"},"matomo":{"trackMailto":0},"field_group":{"fieldset":"full","div":"full"}}); //--><!]]> </script> </head> <body class="html not-front not-logged-in no-sidebars page-node page-node- page-node-284811 node-type-login-online 
user-is-non-member" > <div id="page-wrapper"><div id="page"> <div id="postheader">
</div> <!-- /#postheader --> <div id="main-wrapper"><div id="main" class="clearfix"> <div id="content-header" class="column"><div class="section"> <div class="tabs"></div> <h1 class="title" id="page-title">BeyondCorp and the long tail of Zero Trust</h1> </div></div> <!-- /.section, /#content-header --> <div id="content" class="column"><div class="section"> <div class="region region-content"> <div id="block-system-main" class="block block-system main"> <div class="content"> <div id="node-284811" class="node node-login-online view-mode-full view-mode-full--node view-mode-full--node--login_online clearfix"> <div class="content"> <div class="group-article-body-wrapper field-group-div"><div class="field field-name-field-lv2-subtitle field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Handling the most challenging use cases at Google</div></div></div><div class="field field-name-field-lv2-publication-date field-type-datetime field-label-hidden"><div class="field-items"><div class="field-item odd"><span class="date-display-single">June 5, 2023</span></div></div></div><div class="field field-name-field-lv2-article-type field-type-taxonomy-term-reference field-label-hidden"><div class="field-items"><div class="field-item odd">Deployed System</div></div></div><div class="field field-label-inline clearfix field-type-text-long field-pseudo-field field-pseudo-field--author-list"><div class="field-label">Authors:&nbsp;</div><div class="field-items"><a href="#Guilherme Gonçalves" title="Guilherme Gonçalves">Guilherme Gonçalves</a>, <a href="#Kyle O&#039;Malley" title="Kyle O&#039;Malley">Kyle
O&#039;Malley</a>, <a href="#Betsy Beyer" title="Betsy Beyer">Betsy Beyer</a>, <a href="#Max Saltonstall" title="Max Saltonstall">Max Saltonstall</a></div> </div><div class="field field-name-field-lv2-shepherds field-type-user-reference field-label-inline clearfix"><div class="field-label">Article shepherded by:&nbsp;</div><div class="field-items"><div class="field-item odd"><span class="usenix-user-reference-names">Rik Farrow</span></div></div></div> <div class="paragraphs-items paragraphs-items-field-lv2-body paragraphs-items-field-lv2-body-full paragraphs-items-full"> <div class="field field-name-field-lv2-body field-type-paragraphs field-label-hidden"><div class="field-items"><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text paragraphs-first-text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>As with most large-scale migration efforts, the later stages of Alphabet's BeyondCorp migration required disproportionate effort. After successfully transitioning most of Google's workflows to BeyondCorp, we were left with a long tail of specific or challenging situations to resolve. 
This article examines how we created processes, tools, and solutions to handle use cases that were not easily adapted to our core HTTPS-based workflow.</span></p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Introduction</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>This article continues Alphabet's BeyondCorp story by addressing the long tail of difficult use cases, where gaps in tooling, available data, management buy-in, or specialized technical knowledge historically prevented users from migrating to a zero-trust model.</span></p><p>We discuss how we managed security exceptions left over from the previous migration processes, the evolution of the solutions applied, and how—through a combination of change management, security, and program management practices—we were able to move Alphabet employees away from a privileged internal network. 
Throughout the article, we provide lessons learned to help others address the long tail of a migration to a BeyondCorp-style architecture.</p><div></div></div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Difficult Cases for BeyondCorp</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>A </span><span>previous article</span><span> in the BeyondCorp series covered how we migrated Alphabet from using a privileged, legacy network (internally known as Managed Privileged Client, or MPC) to the MNP (Managed Non-Privileged) network as the default. </span><em><a href="https://research.google/pubs/pub46134/" target="_blank" rel="nofollow">Migrating to BeyondCorp: Maintaining Productivity While Improving Security</a></em><span> covered the processes, tooling, and solutions used for the majority of use cases, and especially those that rely solely on HTTPS traffic.</span></p><p>As the migration to an MNP-by-default model progressed at Google, it became clear that certain classes of applications were incompatible with the existing available solutions. In particular, these applications were incompatible with the <a href="https://research.google/pubs/pub45728/" target="_blank" rel="nofollow">BeyondCorp access proxy</a> described earlier in this series. 
This problem included third-party applications that had one of the following characteristics:</p><ul><li><p><span>While HTTPS-based, could not be easily configured to present a machine certificate to a proxy.</span></p></li><li><p><span>Required IP-layer connectivity to a variety of backends using non-HTTPS protocols.</span></p></li><li><p><span>Explicitly required IP-based client allowlists to function.</span></p></li></ul><p><span>In some cases, although they had a considerable number of users, these applications were officially unsupported internally and only "accidentally worked" seamlessly due to the overly-broad access granted by MPC.</span></p><p><span>Even for well-behaved applications and protocols, the BeyondCorp model implemented via access proxies posed challenges to teams with strict bandwidth or latency requirements. Traversing a proxy can degrade performance compared to direct access to a local server, especially if that proxy is not physically close to the user. For relatively small and niche use cases, it may not be practical to deploy proxies as widely as the main HTTPS BeyondCorp proxy.</span></p><p>Many of these problematic workflows were identified through the MNP simulation <a href="https://research.google/pubs/pub46134/" target="_blank" rel="nofollow">described previously</a>, and the relevant users were granted exceptions to stay on the MPC network temporarily until we identified a solution. 
These workflows often underpinned critical parts of Alphabet's business, such as financial operations or physical security, and became known as the 'long tail' of BeyondCorp.</p><p><strong>Lessons learned:</strong></p><ul><li><p><span>When ambient privilege exists, expect systems and users to become dependent on it.</span></p></li><li><p><span>The long tail of BeyondCorp adoption can easily span many distributed organizations, such that no single management chain or executive can drive it to completion alone.</span></p></li></ul></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Exception Management</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Manual approval of individuals' exceptions is infeasible for Alphabet's very large employee population. Therefore, we created an exception system to allow full-time employees to self-grant an MPC exception from a defined set of known incompatible workflows, and temporary workers or vendors to request that exception via their manager.</span></p><p><span>We also continued to allow support teams to request the creation of new exception groups for their users as certain new workflows were introduced, again adding to the complexity of the long tail.</span></p><p><span>Separately from that system, a small but highly important set of workflows were also granted network-level exceptions. That is, certain privileged flows were allowed even on the non-privileged network, regardless of the user initiating the flow. 
This class of exceptions, known as “MNP holes”, was necessary for:</span></p><ul><li><p><span><strong>Printers</strong>: </span><span>Direct access from corporate devices to printers.</span></p></li><li><p><span><strong>SSH</strong>: </span><span>Direct SSH access across corporate networks, motivated by cases that depended on high bandwidth.</span></p></li><li><p><span><strong>Emergency IRC access</strong>: </span><span>Direct access from corporate devices to IRC servers used for emergency communications by SRE.</span></p></li></ul><p><span>Although they allowed business continuity, these exceptions also lasted much longer than initially anticipated. Because of their widespread usage, they were also often difficult to associate to a single executive-level sponsoring owner.</span></p><p><span>After the success of the initial MNP rollout, management support for migrating workflows and users to BeyondCorp waned, and development of long tail solutions went underfunded. The data analysis pipeline we used to discover workflows was turned down.</span></p><p>As a result, the long tail persisted as a growing population of users, segregated into coarse groups with sizes ranging from dozens to thousands of users, whose needs became increasingly opaque to the BeyondCorp team.</p><p><strong>Lessons learned:</strong></p><ul><li><p><span>An exception system ensures business continuity while migrating difficult cases to a new system.</span></p></li><li><p><span>Exceptions should, at a minimum, expire and require renewal. If the necessary network logs are available, exceptions can also automatically expire if unused.</span></p></li><li><p><span>A support team for each exception must exist. 
To mitigate the risk of users acquiring unnecessary exceptions, the user's eligibility for an exception should be controlled by another process owned by the support team.</span></p></li><li><p><span>Controlling and ultimately removing overly broad security exceptions requires investment in Security Engineering, support, change management, SRE, and program management. The "wait it out" strategy (hoping teams update or change their infrastructure) won't create full-scale change.</span></p></li></ul></div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Solutions, Interim Solutions, and Mitigations</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>As teams migrated away from the privileged network, they generally moved their workflows or infrastructure to depend on one of the main internal BeyondCorp solutions.</span></p><p><span>The </span><a href="https://research.google/pubs/pub45728/" target="_blank" rel="nofollow"><span>BeyondCorp proxy</span></a><span> remains the primary internal solution for HTTPS traffic originating from a browser. Non-browser HTTPS clients are configured to use a forward proxy that injects user and machine credentials into requests for compatibility with the BeyondCorp proxy. This forward proxy is internally developed and runs on the client side, listening on localhost.</span></p><p><span>We also developed a microsegmented VPN solution to serve as a catch-all option for tools requiring arbitrary IP connectivity across networks. 
It works similarly to a traditional VPN, with added support for endpoints that cannot run arbitrary applications (typically embedded systems). It's also integrated with existing BeyondCorp access decision mechanisms for authorization. Importantly, it contrasts with a traditional VPN by providing fine-grained network access to only a set of pre-configured backends per user.</span></p><p><span>As shown in Figure 1, the microsegmented VPN supports two methods for transporting application data</span>: </p><ul><li><p><span>Interactive Connectivity Establishment (</span><a href="https://datatracker.ietf.org/doc/html/rfc8445" target="_blank" rel="nofollow"><span>ICE</span></a><span>) sessions established through the corporate firewall for high throughput.</span></p></li><li><p><span>WebSocket through the BeyondCorp proxy for improved connection stability.</span></p></li></ul></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-article-image view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--article_image"> <div class="content"> <div class="field field-name-field-article-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/article_embedded/public/icepick_architecture_for_bclt_paper_2.png?itok=fuZzfYIv" width="1097" height="678" alt="Architecture diagram for microsegmented VPNs" /></div></div></div><div class="field field-name-field-article-image-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Figure 1: Architecture diagram for Microsegmented VPNs</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text
field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>In addition to the "pure" BeyondCorp solutions above, we also employed an important "compromise" solution: the existing internal VPN service.</span></p><p><span>During the period of office closures due to the COVID-19 pandemic, we didn't quite know how to support the non-BeyondCorp workflows, as the privileged network by definition only exists in the office. In certain cases employees were still able to remotely access a workstation in the office to get their work done, but in other cases, there were simply no suitable short-term hardware options.</span></p><p><span>In this context, VPN stood out to many teams as a relatively familiar, mature, and globally available service that allowed users to work from home while retaining IP-based privilege, even though we could not rely upon it as a long-term solution. Throughout 2020 and 2021, many support teams worked with Security to ensure company VPN policies were suitable for their workflows. By shifting these MPC use cases to VPN, we were able to revoke users' MPC access provided they continued to use VPN while in the office.</span></p><p><span>As shown in Figure 2, VPN is not an optimal BeyondCorp-compatible solution as it does not remove network-based trust. 
Although it is employed for certain specialized use cases, those remaining use cases will be migrated to different options.</span></p><p><span>However, VPN provides three critical advantages over a privileged network:</span></p><ul><li><p><span>Coarse-grained control over the policies for allowed traffic, with known owners for each necessary flow.</span></p></li><li><p><span>A clear migration path to a microsegmented solution.</span></p></li><li><p>Removal of ambient network privilege even for workflows with unclear permanent solutions, which prevents new dependencies on that privilege from appearing over time.</p></li></ul></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-article-image view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--article_image"> <div class="content"> <div class="field field-name-field-article-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/article_embedded/public/beyondcorp_trustwortiness_scale_1.png?itok=4lSKW1Vw" width="636" height="399" alt="" /></div></div></div><div class="field field-name-field-article-image-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Figure 2: Ranked BeyondCorp solutions</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>Finally, we closed the pre-existing MNP holes described in the previous section using the following solutions:</p><ul><li><p><span><strong>Printers</strong>: 
</span><span>Migrating printing workflows to a third-party, Cloud-hosted solution that works over HTTPS.</span></p></li><li><p><span><strong>SSH</strong>: </span><span>Migrating users to an internally developed BeyondCorp SSH proxy.</span></p></li><li><p><span><strong>Emergency IRC access</strong>: </span><span>Migrating IRC servers to Google's production infrastructure, accessible through the BeyondCorp proxy from trusted machines only, but taking care to maintain compatibility with known disaster recovery scenarios and strategies.</span></p></li></ul><p><strong>Lessons learned:</strong></p><ul><li><p><span>No single solution is applicable in every case, and simpler, special-purpose solutions for common cases can mitigate the operational load of BeyondCorp and provide a better user experience. Choose the most appropriate solution for major workflows, rather than a single catch-all option.</span></p></li><li><p><span>Be pragmatic and prepared to migrate to intermediate solutions with a clear path forward, or make trade-offs among different policies to ensure business continuity.</span></p></li></ul></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Migration Strategy</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>We started the migration process for each use case once we identified one of the above solutions as appropriate. 
Our overarching goal was to revoke the MPC exceptions of a population of users and to direct them to the candidate solution, which potentially required a change to their workflow.</span></p><p><span>The candidate solution we proposed depended on:</span></p><ul><li><p><span>The scale and coherence of the target user population.</span></p></li><li><p><span>The degree of collaboration with support groups and subject matter experts thus far.</span></p></li><li><p><span>The depth of user testing performed to validate the solution.</span></p></li></ul><p><span>During any migration, it is important to account for the possibility that the candidate solution will be unsuitable for some fraction of users (for example, due to location-dependent latency). Additionally, you might uncover new incompatible workflows needed by the same users during migration, which can surprise the teams supporting those applications or tools.</span></p><p><span>To mitigate those risks, we created and automated a standard migration process that incorporates change management best practices, including:</span></p><ul><li><p><span>Communications to individual users in advance, with a clear migration date.</span></p></li><li><p><span>User documentation with a clear description of the solution, a FAQ, and links to documentation for previous migrations.</span></p></li><li><p><span>Gradual rollout over multiple days.</span></p></li><li><p><span>A self-service, temporary opt-out mechanism with a clearly communicated expiration date that requires additional information on the workflow and (if possible) a contact for a support team or subject matter expert.</span></p></li></ul><p><span>By using opt-outs as an opportunity to gather information, we were able to identify internal support groups we could work with to address the 'long tail of the long tail'.</span></p><p><strong>Lessons learned:</strong></p><ul><li><p><span>Formalize acceptance testing with help from support teams and subject matter 
experts.</span></p></li><li><p><span>Follow change management best practices, such as gradual rollout, broad communications with clear timelines and an FAQ, and temporary self-service remediation.</span></p></li><li><p><span>Leverage opt-outs to identify support points of contact and new incompatible workflows.</span></p></li></ul></div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Program Lessons</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Overall, the task of removing the long tail of BeyondCorp can be broken down into the following steps:</span></p><ol><li><p><span>Identify the support team or subject matter experts that formally support populations of users with exception requests.</span></p></li><li><p><span>Work with the support team to understand the workflows of those users. Propose and validate a solution.</span></p></li><li><p><span>Migrate the users to the solution using the standard process.</span></p></li><li><p><span>Triage opt-outs to uncover new workflows and subject matter experts to engage with.</span></p></li></ol><p><span>You can execute the above steps independently for any one combination of support team and user population, in what we called an </span><span>engagement</span><span> (see Figure 3). 
To execute engagements, we assembled a team of Security Engineers, first-level support and change management specialists, SREs for the relevant solutions, and program managers.</span></p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-article-image view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--article_image"> <div class="content"> <div class="field field-name-field-article-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/article_embedded/public/beyondcorp_long_tail_fig_3_flow_chart.png?itok=j4sbyGzW" width="990" height="527" alt="" /></div></div></div><div class="field field-name-field-article-image-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Figure 3: High-level execution tracks of the &quot;BeyondCorp Long Tail&quot; program</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Staffing and time constraints meant that not every user population was eligible for engagement with the BeyondCorp team. For small populations, we made best-effort attempts to locate experts on the workflows and communicate deadlines months in advance. Those individuals and teams could book office hours slots for quick consultations.</span></p><p><span>To further raise awareness for the program, we leveraged an existing network of Director and VP-level Security Champions spread across Alphabet leadership. 
We also provided monthly status reports, including notifications of upcoming migrations, to an open internal mailing list, which we initially populated with our engagement points of contact.</span></p><p><span>Importantly, we consistently provided clear deadlines for support teams to migrate their users' workflows off the privileged network months in advance. We also provided a standardized escalation process to allow those teams and their management chains to surface competing priorities.</span></p><p><span>Support teams successfully used the escalation process to extend their timeline as necessary. Sizable groups of users whose workflows were not formally supported used the escalation process to find a team that would claim ownership of the necessary migration and support work.</span></p><p><strong><span>Lessons learned:</span></strong></p><ul><li><span>Work with existing support teams and experts, and empower them to experiment with and test the zero-trust model before rolling it out to their users.</span></li><li><span>Communicate clear deadlines and provide a standardized escalation process that rolls up to the project sponsor.</span></li><li><span>When no formal support exists for a population of users, have mechanisms to draw executive attention and resources to either support the work or end the workflow.</span></li><li><span>Standardize and operationalize the common parts of the problem (project management and migration), and offer those as a service to support teams who may not have that expertise.</span></li></ul><div></div></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item 
odd">Conclusion</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Alphabet's internal BeyondCorp story will continue as we work on transitioning the remaining VPN use cases to more suitable access solutions. The evolution of the </span><a href="https://cloud.google.com/beyondcorp-enterprise" target="_blank" rel="nofollow">BeyondCorp Enterprise</a><span> platform also opens important convergence opportunities that will allow us to phase out internal solutions and move towards more standardization.</span></p><p><span>As organizations adopt BeyondCorp principles, they inevitably come across seemingly incompatible workloads that require careful trade-offs between security, reliability, user experience, and other factors. We hope that the pragmatic and multidisciplinary approach described here, along with the outlined solutions, will help readers structure their migration to BeyondCorp and inform their own trade-offs.</span></p><p>Finally, we recognize the value of application-layer (preferably HTTP-based) applications from a security standpoint, as they facilitate proxying and traffic inspection. 
Overlay networks providing VPN-like connectivity often lack the transparency and granular access controls of HTTP proxies, which diminishes the benefits of adopting BeyondCorp and may ultimately result in placing trust in the overlay network itself.</p></div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Acknowledgements</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span><span>We thank the following colleagues in the BeyondCorp team for their work on achieving this latest milestone, in alphabetical order: </span><a href="mailto:jeffbaird@google.com" rel="nofollow"><span>Jeff Baird</span></a><span>, </span><a href="mailto:bjensen@google.com" rel="nofollow"><span>Blake Jensen</span></a><span>, </span><a href="mailto:bksobiech@google.com" rel="nofollow"><span>Brett Ksobiech</span></a><span>, </span><a href="mailto:gfm@google.com" rel="nofollow"><span>Giovanni Mazzeo</span></a><span>, </span><a href="mailto:bmelody@google.com" rel="nofollow"><span>Bradley Melody</span></a><span>, </span><a href="mailto:pnehls@google.com" rel="nofollow"><span>Patrick Nehls</span></a><span>, </span><a href="mailto:barclay@google.com" rel="nofollow"><span>Barclay Osborn</span></a><span> and </span><a href="mailto:pawsa@google.com" rel="nofollow"><span>Paweł Sałek</span></a><span>.</span></span></p></div></div></div> </div> </div> </div></div></div></div> </div><div class="field field-name-field-lv2-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Article Categories:&nbsp;</div><div
class="field-items"><div class="field-item odd">SRE</div><div class="field-item even">Security</div><div class="field-item odd">Distributed systems</div><div class="field-item even">Network</div><div class="field-item odd">Cloud</div></div></div><div class="psuedo-last-updated">Last updated June 7, 2023</div> <div class="field-collection-container clearfix"><div class="field field-name-field-authors field-type-field-collection field-label-above"><div class="field-label">Authors:&nbsp;</div><div class="field-items"><div class="field-item odd"><div class="field-collection-view clearfix view-mode-full"><div class="entity entity-field-collection-item field-collection-item-field-authors view-mode-full view-mode-full--field_collection_item view-mode-full--field_collection_item--field_authors clearfix"> <div class="content"> <a class="anchor" name="Guilherme Gonçalves"></a><div class="field field-name-field-collection-author-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/author_bio/public/ggoncalves.jpg?itok=ud5FVDn_" width="138" height="138" alt="" /></div></div></div><div class="field field-name-field-collection-author-bio field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>Guilherme Gonçalves is a Technical Program Manager in Google Ireland. Since joining Google in 2015, he has worked on the Site Reliability Engineering aspects of the company&#039;s BeyondCorp adoption, both in individual internal services and broad programs. 
He holds an undergraduate Computer Engineering degree from State University of Campinas (UNICAMP).</p> </div></div></div><div class="field field-name-field-collection-author-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item odd"><a href="mailto:ggoncalves@google.com">ggoncalves@google.com</a></div></div></div> </div> </div> </div></div><div class="field-item even"><div class="field-collection-view clearfix view-mode-full"><div class="entity entity-field-collection-item field-collection-item-field-authors view-mode-full view-mode-full--field_collection_item view-mode-full--field_collection_item--field_authors clearfix"> <div class="content"> <a class="anchor" name="Kyle O&#039;Malley"></a><div class="field field-name-field-collection-author-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/author_bio/public/kyleomalley.jpeg?itok=9Qp7VtIE" width="138" height="138" alt="" /></div></div></div><div class="field field-name-field-collection-author-bio field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>Kyle O&#039;Malley has been a Security Engineer with Google since 2016. His previous work experience includes Network Engineering, SRE and Security Engineering roles at other large tech companies. 
He currently works from the San Diego, CA office and holds a BAS degree from Arizona State University.</p> </div></div></div><div class="field field-name-field-collection-author-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item odd"><a href="mailto:kyleomalley@google.com">kyleomalley@google.com</a></div></div></div> </div> </div> </div></div><div class="field-item odd"><div class="field-collection-view clearfix view-mode-full"><div class="entity entity-field-collection-item field-collection-item-field-authors view-mode-full view-mode-full--field_collection_item view-mode-full--field_collection_item--field_authors clearfix"> <div class="content"> <a class="anchor" name="Betsy Beyer"></a><div class="field field-name-field-collection-author-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/author_bio/public/image1.jpg?itok=E0FBuxLp" width="138" height="138" alt="" /></div></div></div><div class="field field-name-field-collection-author-bio field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>Betsy Beyer is a Technical Writer for Google in NYC specializing in Site Reliability Engineering (SRE). She coauthored Site Reliability Engineering: How Google Runs Production Systems (2016), The Site Reliability Workbook: Practical Ways to Implement SRE (2018), and Building Secure and Reliable Systems (2020). 
En route to her current career, Betsy studied international relations and English literature, and she holds degrees from Stanford and Tulane.</p> </div></div></div><div class="field field-name-field-collection-author-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item odd"><a href="mailto:bbeyer@google.com">bbeyer@google.com</a></div></div></div> </div> </div> </div></div><div class="field-item even"><div class="field-collection-view clearfix view-mode-full field-collection-view-final"><div class="entity entity-field-collection-item field-collection-item-field-authors view-mode-full view-mode-full--field_collection_item view-mode-full--field_collection_item--field_authors clearfix"> <div class="content"> <a class="anchor" name="Max Saltonstall"></a><div class="field field-name-field-collection-author-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/author_bio/public/max_saltonstall_headshot_2.jpg?itok=aHjZ2xtp" width="138" height="138" alt="" /></div></div></div><div class="field field-name-field-collection-author-bio field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>Max Saltonstall is a Developer Relations Engineer within Google Cloud. He loves teaching, especially when it comes to collaboration and cybersecurity. He&#039;s also been known to instruct at board games and juggling. Max has strong opinions about storytelling, chocolate and ice cream - just ask. 
He lives in New York, with his kids, his cats and his dice.</p> </div></div></div><div class="field field-name-field-collection-author-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item odd"><a href="mailto:maxsaltonstall@google.com">maxsaltonstall@google.com</a></div></div></div> </div> </div> </div></div></div></div></div> </div> </div> </div> </div> </div> </div></div> <!-- /.section, /#content --> </div></div> <!-- /#main, /#main-wrapper --> </div></div> <!-- /#page, /#page-wrapper --> </body> </html>
