by tyler_larson 3069 days ago
The answer to both the byod and permissions questions is the "tiered" device trust part from the article. You, the policy-maker decide how certain you are that a device hasn't been pwned given its provenance and user access story, and you assign a "trust tier" accordingly, which determines what resources it can access.

I don't think beyondcorp necessarily changes your incident response story, assuming you already have one.

A lot of this discussion glosses over the fact that U2F really makes this a viable system. U2F solves the MITM problem and ensures that anyone who logs in does so with a company-issued hardware authenticator in physical communication (usually USB, but maybe also NFC or Bluetooth) with the client device. This means that even in a byod story, there's a piece of corp-issued hardware always attached. This in turn means that impersonation requires physical device theft in addition to credential theft.


BYOD is possible to at least some degree, with devices like Chromebooks. A few years ago, I was able to use my personal Chromebook to access internal sites. I tried just a few. The sole requirements I remember were a stock install of the OS, a work profile and a Yubikey.
> A lot of this discussion glosses over the fact that U2F really makes this a viable system.

This. Really, BeyondCorp is only amazing insofar as it takes full advantage of U2F. U2F is the real (and lasting) innovation we're looking at here.

> A lot of this discussion glosses over the fact that U2F really makes this a viable system. U2F solves the MITM problem and ensures that the anyone who logs in (…)

Makes viable: certainly; solves: not so sure. Session hijack doesn't magically cease to be a problem.

It becomes much less of an issue if the connection is re-negotiated periodically, and a new key may require a physical action (touch) from the key generator.
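As an added illustration (not code from any commenter or from Google's BeyondCorp), here is how the "trust tier" policy from the first comment and the periodic re-authentication idea from the last one can be combined in one access-proxy decision; the tier names, resource mapping and the 8-hour re-auth interval are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class Tier(IntEnum):
    UNTRUSTED = 0   # unknown or failed posture: nothing internal
    BASIC = 1       # BYOD with stock OS, work profile and a hardware-key login
    MANAGED = 2     # corp-issued, inventoried device
    HIGH = 3        # corp-issued and fully compliant (encrypted, patched)


@dataclass
class Device:
    corp_issued: bool
    stock_os: bool        # stock install, no unknown modifications
    disk_encrypted: bool
    patched: bool


@dataclass
class Session:
    u2f_verified: bool    # login completed with a hardware authenticator
    age_s: int            # seconds since the last authenticator touch


# Hypothetical resource -> minimum tier mapping (constructed sample).
RESOURCES = {"wiki": Tier.BASIC, "source": Tier.MANAGED, "prod-admin": Tier.HIGH}
REAUTH_INTERVAL_S = 8 * 3600   # assumed policy: fresh touch required every 8 hours


def device_tier(d: Device, s: Session) -> Tier:
    """Tier the policy-maker is willing to grant given provenance and posture."""
    if not s.u2f_verified or not d.stock_os:
        return Tier.UNTRUSTED    # no hardware-backed login or tampered OS
    if not d.corp_issued:
        return Tier.BASIC        # BYOD ceiling, whatever else checks out
    if d.disk_encrypted and d.patched:
        return Tier.HIGH
    return Tier.MANAGED


def access_decision(resource: str, d: Device, s: Session) -> Tuple[bool, str]:
    """Allow only if the tier meets the resource floor and the session is fresh."""
    required = RESOURCES[resource]
    tier = device_tier(d, s)
    if tier < required:
        return False, f"tier {tier.name} below required {required.name}"
    if s.age_s > REAUTH_INTERVAL_S:
        return False, "session stale: re-authenticate with an authenticator touch"
    return True, f"allowed at tier {tier.name}"
```

A stolen session cookie alone therefore buys the attacker at most one re-auth interval on a device whose posture still has to pass, which is the sense in which periodic re-negotiation narrows, rather than removes, the hijack window.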