Google kicked off the second day of its Cloud Next conference in San Francisco the same way as yesterday: with a slew of products. The Mountain View company took the wraps off a number of account management and security features heading to Google Cloud and G Suite in the near future, plus a new ultra-secure FIDO key called the Titan Security Key, secure boot and shielded virtual machine features, new transparency tools, and more.
Here’s everything that was announced this morning.
Context-aware access and Titan Security Key
First up was a new feature Google’s calling context-aware access, which allows Google Cloud administrators to restrict certain users or groups of users from accessing APIs, G Suite tools, and third-party software-as-a-service apps based on location, identity, and other factors.
“This increases your security posture while decreasing complexity for your users, giving them the ability to seamlessly log on to apps from anywhere and any device,” Google wrote in a blog post.
Context-aware access capabilities are available to organizations using the Virtual Private Cloud (VPC) Service in Google Cloud, and will roll out to Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity customers “soon.”
The second security-focused announcement was Titan Security Key, a FIDO Bluetooth/USB security key that runs firmware developed by Google. (The FIDO Alliance is a nonprofit industry consortium that seeks to develop interoperable authentication devices, software, and protocols.)
During a press pre-briefing ahead of today’s keynote address, trust and security marketing lead Rob Sadowski, citing a report from Symantec, said that 71 percent of all targeted attacks start with a phishing attack, and that 76 percent of companies said they were the victim of phishing.
“Users inadvertently subvert the security infrastructure put in place,” he said. “The Titan Security Key provides a ton of security with very little effort and interaction required on the part of the user.”
To that end, mandating the key’s usage is as simple as checking a box in the Google Cloud admin console.
The Titan Security Key is available to Google Cloud subscribers starting today, and it’ll be made broadly available for purchase later this year in the Google Store.
Shielded VMs and Cloud Armor
Continuing the theme of security, Google today unveiled shielded virtual machines (VMs), a Google Cloud feature that lets customers monitor changes made to VMs in real time. It’s available in beta.
Also announced was binary authorization (coming soon in beta), which enforces signature validation to ensure that only authorized workloads are deployed on Kubernetes Engine, Google’s open source environment for containerized applications. It works in tandem with container registry vulnerability scanning — a service that scans Ubuntu, Debian, and Alpine images for known vulnerabilities — to prevent the deployment of compromised packages.
As a bonus, those features come with integrity monitoring. “Many compliance standards require you to do integrity monitoring from time to time and provide access logs,” Sadowski said. “We automate the process every time you boot.”
On the networking side of things was Cloud Armor, which Google describes as an “application defense” service. It leverages the robust global load balancing service behind Google Search, Gmail, and YouTube to funnel harmful traffic (a distributed denial-of-service attack, for example) away from a website, application, or content distribution network. Google Cloud customers who enroll in the beta can control clients’ access based on location or block traffic based on IP addresses.
Other handy features include prebuilt rules for SQL injection and cross-site scripting attacks, and control over Layer 3 to Layer 7 parameters.
“Cloud Armor works in conjunction with our global load balancing service and provides a policy framework with a rich, open rules language for specifying defense rules,” Google wrote. “In effect, you can deploy application-level DDoS defense at scale based on your unique requirements.”
Data protection was another core theme of today’s announcements. Enter Google’s Cloud HSM, a managed cloud-hosted hardware security module.
“[HSMs] are custom-built pieces of hardware with security features built into [them] — nobody can export the key material,” Sadowski said. “But they’re extremely onerous to manage on-premises … This gives you all the benefits of the HSM without the management overhead.”
Google’s solution allows Google Cloud users to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs — one of the highest levels of security issued by the U.S. National Institute of Standards and Technology. It’s integrated with Cloud Key Management Service (KMS) and allows customers to create and use hardware-generated keys with BigQuery, Google Compute Engine, Google Cloud Storage, Dataproc, and other services that support customer-managed encryption keys (CMEK).
Last but not least, Google announced enhanced transparency and privacy controls in G Suite.
Starting today, new functionality in G Suite’s security center will allow administrators to quickly identify, investigate, and resolve security problems. It’ll also make it easier to conduct searches across multiple data sources, and to export audit data to Google BigQuery, Google’s enterprise data warehouse, for reporting.
That’s in addition to data regions, a feature Google announced on Tuesday. Starting this week, G Suite Business and Enterprise customers can choose the region — global, U.S., or Europe — where the data for certain applications is stored, so as to ease the burden of complying with regulations like the General Data Protection Regulation (GDPR).
“We believe that trust is created through transparency, and want to empower you with the visibility, insight, and control you need to meet your organization’s security objectives as you move to the cloud or increase your cloud adoption,” Google wrote.