Google, taking a new approach to enterprise security, is moving its corporate applications to the Internet. In doing so, the Internet giant is flipping common corporate security practice on its head, shifting away from the idea of a trusted internal corporate network secured by perimeter devices such as firewalls, in favor of a model where corporate data can be accessed from anywhere with the right device and user credentials.

The new model -- called the BeyondCorp initiative -- assumes that the internal network is as dangerous as the Internet. Access depends on the employee’s device and user credentials. Using authentication, authorization and encryption, the model grants employees fine-grained access to different enterprise resources, wrote Google’s Rory Ward and Betsy Beyer in a paper published in December.

Kim Kyung-Hoon/Reuters

The more employees use clouds and mobile applications, the more this type of model is needed, say analysts. “A lot of companies can learn from Google’s aggressiveness,” said Jon Oltsik, senior principal analyst at Enterprise Strategy Group, an IT research firm. “There’s not a company anywhere that won’t have to develop something like this,” he said.

Google is currently migrating to the new approach and intends for the entire company to eventually use this model. So far, about 90% of corporate applications have been migrated, according to a Google spokesman. With the new model access depends solely on the device and user credentials, regardless of the employee’s network location. That means employee access is treated the same whether the user is at a corporate office, at home or in a coffee shop. This setup does away with the conventional virtual private network connection into the corporate network. It also encrypts employee connections to corporate applications, even when an employee is connecting from a Google building.

With this approach, trust is moved from the network level to the device level. Employees can only access corporate applications with a device that is procured and actively managed by the company. In this setup, Google requires a device inventory database that keeps track of computers and mobile devices issued to employees as well as changes made to those devices.

After the device is authenticated, the next step involves securely identifying the user. Google tracks and manages all employees in a user database and a group database that is tied into the company’s human resources processes. These databases are updated as employees join the company, change responsibilities or leave the company. There’s also a single sign-on system, a user authentication portal that validates employee use against the user database and group database, generating short-lived authorization for access to specific resources.

The level of access given to a user or a particular device can change over time. For example, an employee with a device whose operating system has not been updated with a recent patch may be given reduced trust, according to the paper. Specific models of phones can also be assigned different levels of trust based on the security inherent in those devices. If an employee suddenly decides to access corporate applications in a new physical location – much like when someone suddenly uses a credit card in a foreign country – he or she may be denied access to some resources.

Some companies including Coca-Cola Co., Verizon Communications Inc. and Mazda Motor Corp. are taking a similar approach, experimenting with a network model that first authenticates the user device, then confirms the employee identity and gives fine-grained access to corporate applications. “If you look at what the challenges are in corporations today; it’s agility, speed to market. We’re moving more and more things into the cloud, every corporation is,” said Alan Boehme, chief enterprise architect at Coca-Cola, speaking at a security conference in March.

Google’s new enterprise security architecture is a sharp departure from the way many companies currently configure security. For example, many companies depend heavily on firewalls which are used to prevent unauthorized Internet users from accessing private networks such as intranets. The global enterprise firewall market is expected to grow to $8.14 billion in 2019 from $6.14 billion in 2014, according to a September 2014 report from Markets and Markets. “It throws out a lot of historical networking and security notions,” said Mr. Oltsik.

UPDATE: This blog post has been updated with information from a Google spokesman about the percentage of corporate applications that have been migrated to the new security model.

Write to rachael.king@wsj.com

Sign up for our weekday email newsletter, The Morning Download.