Google Cloud gets new security smarts across data encryption
Google has announced a number of notable new tools and services as the internet giant doubles down on enterprise security across its cloud products.
The announcements were made at the U.K. incarnation of its annual Google Cloud Next conference in London.
The first of these new tools, which will be launching in beta shortly, is External Key Manager, which works in tandem with Google’s Cloud KMS, a key management service that lets customers manage their cryptographic keys for services hosted on Google’s cloud. With External Key Manager now on offer, companies will be able to encrypt data from Compute Engine and BigQuery, with keys stored in a third-party key management system. Google said it’s working with vendors such as Equinix, Fortanix, Ionic, Thales, and Unbound for this initiative.
“External Key Manager provides an audit trail of key access, use, and location, so you can document crypto operations for auditors to support your governance and compliance processes,” noted Sunil Potti, VP of engineering at Google Cloud Security, in a blog post.
Related to this, Google is also unveiling a new feature called Key Access Justifications that works in conjunction with External Key Manager to give enterprises more control over when and why their data is decrypted. In effect, this is about making the company itself the “ultimate arbiter of access to your data,” as Potti notes. This allows customers to deny Google the ability to decrypt data based on predefined rules.
“It provides a detailed justification each time one of your keys is requested to decrypt data, along with a mechanism for you to explicitly approve or deny providing the key using an automated policy that you set,” Potti said.
Key Access Justifications will be made available in alpha for Compute Engine/ Persistent Disk and BigQuery “soon.”
Google last year unveiled a web security framework called Armor, which provides protection against distributed denial of service (DDoS) and other forms of online attacks.
Today, the company revealed that it’s adding more web application firewall (WAF) smarts to the mix, which transforms Armor into a more serious security solution, including the ability to configure policies with geo-based access controls, and protection rules to counter risks, including cross-site scripting (XSS), injection, broken authentication, and other prominent risks, according to the Open Web Application Security Project (OWASP).
Google also announced the beta launch of Packet Mirroring, a network traffic inspection service that allows companies to analyze network traffic across Compute Engine and Google Kubernetes Engine (GKE). This will work in conjunction with third-party tools from the likes of Cisco, Palo Alto Networks, and Netscout to not only identify threats and malicious intent, but respond to intrusions.
Other notable announcements to emerge from Google’s cloud conference in London this morning include updates to its Advanced Protection Program, which is an enhanced security initiative aimed at those most at risk of cyber attacks this includes politicians, business leaders, journalists, human rights lawyers, and other high-profile individuals. This service launched originally back in 2017 for personal Google Accounts, and it rolled out in beta for G Suite and Cloud Identity customers a few months back. So, in effect Google is allowing enterprises to opt into a specific set of security policies for individuals, such as IT admins and C-level executives, within their company, and the program will be rolling out in general availability for all eligible businesses from today.
Finally, Google revealed that it’s introducing a new app access control feature that helps companies limit access to G Suite APIs to specific third-party apps that they trust. This is important because not all apps adhere to a company’s specific security policies, and app access control gives admins better insights into the third-party apps employees have allowed to access their G Suite data.
Sold on security
Google recently revealed that its cloud business is approaching $8 billion in annual revenue, double the figure reported the previous year. While the growth is notable, it still pales in comparison to rival Amazon Web Services (AWS), which generates marginally more than that figure on a quarterly basis.
This is why Google is investing heavily in its cloud ambitions. For example, Google’s parent Alphabet launched an enterprise-focused security company called Chronicle in early 2018, with the promise of using machine learning and big data to spot cyber threats more quickly. A few months ago, Chronicle was swallowed outright by Google’s cloud unit. And at Google Cloud Next in San Francisco back in April, the company made 30 security-focused announcements.
Combined with today’s announcements, it’s clearer than ever that security is playing an increasingly pivotal role in Google’s cloud push.