Implementing Google's BeyondCorp zero trust access model to eliminate implicit trust from the network perimeter, enforce identity-aware access controls using IAP, Access Context Manager, and Chrome Enterprise Premium for VPN-less secure application access.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-beyondcorp-zero-trust-access-modelExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-beyondcorp-zero-trust-access-model from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-beyondcorp-zero-trust-access-model. Access via /implementing-beyondcorp-zero-trust-access-model in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-beyondcorp-zero-trust-access-model |
| description | 'Implementing Google''s BeyondCorp zero trust access model to eliminate implicit trust from the network perimeter, enforce identity-aware access controls using IAP, Access Context Manager, and Chrome Enterprise Premium for VPN-less secure application access. ' |
| domain | cybersecurity |
| subdomain | zero-trust-architecture |
| tags | - beyondcorp - zero-trust - google-cloud - iap - identity-aware-proxy - ztna - access-context-manager |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.AA-01 - PR.AA-05 - PR.IR-01 - GV.PO-01 |
Do not use when applications require raw network-level access (e.g., UDP-based protocols not supported by IAP), for consumer-facing public applications, or when the organization lacks an identity provider with MFA capabilities.
Define access levels that represent trust tiers based on device and user attributes.
# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
gcloud services enable beyondcorp.googleapis.com
# Create an access policy (organization level)
gcloud access-context-manager policies create \
--organization=ORG_ID \
--title="BeyondCorp Enterprise Policy"
# Create a basic access level for corporate managed devices
cat > corporate-device-level.yaml << 'EOF'
- devicePolicy:
allowedEncryptionStatuses:
- ENCRYPTED
osConstraints:
- osType: DESKTOP_CHROME_OS
minimumVersion: "13816.0.0"
- osType: DESKTOP_WINDOWS
minimumVersion: "10.0.19045"
- osType: DESKTOP_MAC
minimumVersion: "13.0.0"
requireScreenlock: true
requireAdminApproval: true
regions:
- US
- GB
- DE
EOF
gcloud access-context-manager levels create corporate-managed \
--policy=POLICY_ID \
--title="Corporate Managed Device" \
--basic-level-spec=corporate-device-level.yaml
# Create a custom access level using CEL expressions
gcloud access-context-manager levels create high-trust \
--policy=POLICY_ID \
--title="High Trust Level" \
--custom-level-spec=high-trust-cel.yaml
Enable IAP on backend services to enforce identity verification before granting access.
# Create OAuth consent screen
gcloud iap oauth-brands create \
--application_title="Corporate Applications" \
[email protected]
# Create OAuth client for IAP
gcloud iap oauth-clients create BRAND_NAME \
--display_name="BeyondCorp IAP Client"
# Enable IAP on a backend service (GCE/GKE behind HTTPS LB)
gcloud compute backend-services update internal-app-backend \
--iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
--global
# Enable IAP on App Engine
gcloud iap web enable \
--resource-type=app-engine \
--oauth2-client-id=CLIENT_ID \
--oauth2-client-secret=CLIENT_SECRET
# Enable IAP on Cloud Run service
gcloud run services add-iam-policy-binding internal-api \
--member="serviceAccount:[email protected]" \
--role="roles/run.invoker" \
--region=us-central1
Bind IAP access to specific groups with access level requirements.
# Grant access to engineering group with corporate device requirement
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=internal-app-backend \
--member="group:[email protected]" \
--role="roles/iap.httpsResourceAccessor" \
--condition="expression=accessPolicies/POLICY_ID/accessLevels/corporate-managed,title=Require Corporate Device"
# Grant access to contractors with high-trust requirement
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=internal-app-backend \
--member="group:[email protected]" \
--role="roles/iap.httpsResourceAccessor" \
--condition="expression=accessPolicies/POLICY_ID/accessLevels/high-trust,title=Require High Trust"
# Configure re-authentication settings (session duration)
gcloud iap settings set --project=PROJECT_ID \
--resource-type=compute \
--service=internal-app-backend \
--reauth-method=LOGIN \
--max-session-duration=3600s
Roll out Chrome Enterprise Endpoint Verification for device posture collection.
# Deploy Endpoint Verification via Chrome policy (managed browsers)
# In Google Admin Console > Devices > Chrome > Apps & extensions
# Force-install: Endpoint Verification extension ID: callobklhcbilhphinckomhgkigmfocg
# Verify device inventory in Admin SDK
gcloud endpoint-verification list-endpoints \
--filter="deviceType=CHROME_BROWSER" \
--format="table(deviceId, osVersion, isCompliant, encryptionStatus)"
# Create device trust connector for third-party EDR signals
gcloud beyondcorp app connections create crowdstrike-connector \
--project=PROJECT_ID \
--location=global \
--application-endpoint=host=crowdstrike-api.internal:443,port=443 \
--type=TCP_PROXY_TUNNEL \
--connectors=projects/PROJECT_ID/locations/us-central1/connectors/connector-1
# List enrolled devices and their compliance status
gcloud alpha devices list --format="table(name,deviceType,complianceState)"
Enable URL filtering, malware scanning, and DLP for Chrome Enterprise users.
# Configure Chrome Enterprise Premium threat protection rules
# In Google Admin Console > Security > Chrome Enterprise Premium
# Create a BeyondCorp Enterprise connector for on-prem apps
gcloud beyondcorp app connectors create onprem-connector \
--project=PROJECT_ID \
--location=us-central1 \
--display-name="On-Premises App Connector"
gcloud beyondcorp app connections create hr-portal \
--project=PROJECT_ID \
--location=us-central1 \
--application-endpoint=host=hr.internal.company.com,port=443 \
--type=TCP_PROXY_TUNNEL \
--connectors=projects/PROJECT_ID/locations/us-central1/connectors/onprem-connector
# Enable security investigation tool for access anomaly detection
gcloud logging read '
resource.type="iap_tunnel"
jsonPayload.decision="DENY"
timestamp >= "2026-02-22T00:00:00Z"
' --project=PROJECT_ID --format=json --limit=100
Set up comprehensive logging and alerting for zero trust policy enforcement.
# Create a log sink for IAP access decisions
gcloud logging sinks create iap-access-audit \
--destination=bigquery.googleapis.com/projects/PROJECT_ID/datasets/beyondcorp_audit \
--log-filter='resource.type="iap_tunnel" OR resource.type="gce_backend_service"'
# Query BigQuery for access pattern analysis
bq query --use_legacy_sql=false '
SELECT
protopayload_auditlog.authenticationInfo.principalEmail AS user,
resource.labels.backend_service_name AS application,
JSON_EXTRACT_SCALAR(protopayload_auditlog.requestMetadata.callerSuppliedUserAgent, "$") AS device,
protopayload_auditlog.status.code AS decision_code,
COUNT(*) AS request_count
FROM `PROJECT_ID.beyondcorp_audit.cloudaudit_googleapis_com_data_access`
WHERE timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 24 HOUR)
GROUP BY user, application, device, decision_code
ORDER BY request_count DESC
LIMIT 50
'
# Create an alert policy for repeated access denials
gcloud alpha monitoring policies create \
--display-name="BeyondCorp Repeated Access Denials" \
--condition-display-name="High denial rate" \
--condition-filter='resource.type="iap_tunnel" AND jsonPayload.decision="DENY"' \
--condition-threshold-value=10 \
--condition-threshold-duration=300s \
--notification-channels=projects/PROJECT_ID/notificationChannels/CHANNEL_ID
| Term | Definition |
|---|---|
| BeyondCorp | Google's zero trust security framework that shifts access controls from network perimeter to per-request identity and device verification |
| Identity-Aware Proxy (IAP) | Google Cloud service that intercepts HTTP requests and verifies user identity and device context before forwarding to backend applications |
| Access Context Manager | GCP service that defines fine-grained attribute-based access control policies using access levels and service perimeters |
| Endpoint Verification | Chrome Enterprise extension that collects device attributes (OS version, encryption, screen lock) for access level evaluation |
| Access Levels | Named conditions in Access Context Manager that define minimum requirements (device posture, IP range, geography) for resource access |
| Chrome Enterprise Premium | Google's commercial BeyondCorp offering providing threat protection, URL filtering, DLP, and continuous access evaluation |
Context: A technology company with 3,000 employees uses Cisco AnyConnect VPN for accessing internal applications. The VPN introduces latency, creates a single point of failure, and grants excessive network access after authentication.
Approach:
Pitfalls: Some legacy applications may not support HTTPS proxying and require TCP tunnel mode. Device enrollment takes time; plan a 2-week onboarding period before enforcing device posture requirements. Break-glass accounts with bypassed access levels must be created and tested for identity provider outages.
BeyondCorp Zero Trust Implementation Report
==================================================
Organization: TechCorp Inc.
Implementation Date: 2026-02-23
Migration Phase: Phase 2 of 3
ACCESS ARCHITECTURE:
Identity Provider: Google Workspace
Access Proxy: Google Cloud IAP
Device Management: Chrome Enterprise + Endpoint Verification
Threat Protection: Chrome Enterprise Premium
On-Prem Connector: BeyondCorp Enterprise Connector (3 instances)
ACCESS LEVEL COVERAGE:
Access Level: corporate-managed
Devices enrolled: 2,847 / 3,000 (94.9%)
Compliant devices: 2,712 / 2,847 (95.3%)
Access Level: high-trust
Devices enrolled: 312 / 350 (89.1%)
Compliant devices: 298 / 312 (95.5%)
APPLICATION MIGRATION:
GCP HTTPS apps (IAP-protected): 32 / 35 (91.4%)
On-prem apps (via connector): 12 / 15 (80.0%)
SaaS apps (via SAML/OIDC): 8 / 8 (100%)
Total migrated: 52 / 58 (89.7%)
SECURITY METRICS (last 30 days):
Total access requests: 1,247,832
Denied by IAP policy: 3,412 (0.27%)
Denied by access level: 1,208 (0.10%)
Re-authentication triggered: 45,219
Anomalous access patterns: 12 (investigated)
VPN-related incidents (before): 8/month
BeyondCorp incidents (after): 1/month
VPN DECOMMISSION STATUS:
Parallel operation remaining: 14 days
Users still on VPN: 148 (5%)
Planned decommission: 2026-03-15
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
implementing-beyondcorp-zero-trust-access-model fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
I recommend implementing-beyondcorp-zero-trust-access-model for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: implementing-beyondcorp-zero-trust-access-model is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added implementing-beyondcorp-zero-trust-access-model from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
implementing-beyondcorp-zero-trust-access-model reduced setup friction for our internal harness; good balance of opinion and flexibility.
Useful defaults in implementing-beyondcorp-zero-trust-access-model — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
implementing-beyondcorp-zero-trust-access-model is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
implementing-beyondcorp-zero-trust-access-model has been reliable in day-to-day use. Documentation quality is above average for community skills.
implementing-beyondcorp-zero-trust-access-model is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for implementing-beyondcorp-zero-trust-access-model matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 42