Google implemented a Zero Trust architecture on a large scale, relying on user and device credentials regardless of location.
This is in contrast to traditional security models, which rely on firewalls and other perimeter defenses to protect sensitive data.
The corporate network grants no inherent trust, and all internal apps are accessed via the BeyondCorp system, regardless of whether the user is in a Google office or working remotely.
The Trust Inferrer checks things like the security of the device, whether it has the right software installed, and if it belongs to an authorized user.[10]
Unlike traditional VPNs, BeyondCorp's access policies are based on information about a device, its state, and its associated user.
The certificate is used to uniquely identify a device; however, additional information is required to grant access privileges to a resource.
Its job is to make sure that only authorized devices and users are allowed to access specific resources (like files or applications) on the network.
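The decision flow described above, sketched as an added example (not Google's code or BeyondCorp's API). The inventory, policy table, numeric trust levels and all names are hypothetical and constructed for illustration; the point is that the certificate only identifies the device, while device state and the associated user decide access, and network location is never consulted.

```python
from dataclasses import dataclass

# Constructed device inventory keyed by certificate fingerprint (hypothetical values).
INVENTORY = {
    "fp-laptop-01": {"owner": "alice", "disk_encrypted": True, "os_patched": True,
                     "installed_software": {"edr-agent"}},
    "fp-laptop-02": {"owner": "bob", "disk_encrypted": True, "os_patched": False,
                     "installed_software": set()},
}
USER_GROUPS = {"alice": {"eng"}, "bob": {"eng"}}
# Per-resource policy: minimum device trust level and allowed groups (constructed).
POLICY = {"bug-tracker": {"min_trust": 1, "groups": {"eng"}},
          "source-code": {"min_trust": 2, "groups": {"eng"}}}
REQUIRED_SOFTWARE = {"edr-agent"}


@dataclass(frozen=True)
class Request:
    cert_fingerprint: str  # identifies the device, nothing more
    user: str
    resource: str
    source_ip: str         # carried for logging; no check below reads it


def infer_trust(device, user):
    """Checks named in the text: device security, required software, ownership."""
    if device["owner"] != user:
        return 0
    level = 1 if device["disk_encrypted"] else 0
    if level and device["os_patched"] and REQUIRED_SOFTWARE <= device["installed_software"]:
        level = 2
    return level


def decide(req):
    """Return (allowed, reason). Default deny; location is not an input."""
    device = INVENTORY.get(req.cert_fingerprint)
    if device is None:
        return False, "unknown device certificate"
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource"
    if not (USER_GROUPS.get(req.user, set()) & rule["groups"]):
        return False, "user not in an authorized group"
    trust = infer_trust(device, req.user)
    if trust < rule["min_trust"]:
        return False, f"device trust {trust} below required {rule['min_trust']}"
    return True, "allowed"
```
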