Throughout Google Cloud Next 2019 this week, Google execs kept repeating one number: 30 security-related announcements. We’re not sure how exactly the company is counting, but the message is clear: Google Cloud Platform (GCP) is getting more secure. The highlight was undoubtedly Android phone security keys.
But that was just the beginning. The announcements range from brand new offerings to existing features hitting general availability. They span increasing visibility, detecting threats, speeding up response and remediation, mitigating data exfiltration risks, ensuring a secure software supply chain, and strengthening policy compliance. Google even tried splitting all these into three categories: security of the cloud, security in the cloud, and security services. But that’s all nonsense like the 30 figure. We’re not sure if we got all 30 announcements, but here’s a rundown of what we did get.
Chrome Browser Cloud Management
Announced at Google Cloud Next 2018 as a beta, Chrome Browser Cloud Management is now generally available for enterprise customers. Chrome Browser Cloud Management lets administrators manage Chrome in the cloud:
- Google Admin console: Manage browsers in your Windows, Mac, and Linux environments from a single location. You can also set and apply policies across browsers, and if you’re already managing Chromebooks or G Suite, access all of them from the same console.
- Extensions: Get a full organizational view of extension usage and drill down to the individual machine level. You can block or allow individual extensions across the entire organization, or for specific organizational groups.
- Browser details: Access important information about browser versions, device type, applied policies, and so on. You can also export data to other systems or tools.
If you’re a G Suite, Chrome Browser Enterprise Support, Chrome Enterprise license, or Cloud Identity customer, you already have access to Chrome Browser Cloud Management in the console. Everyone else can try Chrome Browser Cloud Management simply by creating a test account.
Google already has Access Transparency for GCP, a service that creates logs in near-real-time when GCP administrators interact with your data for support. It also has Access Approval for GCP, which allows you to explicitly approve access to your data or configurations on GCP before it happens.
Now, Google is announcing that Access Transparency for G Suite is generally available in G Suite Enterprise. This feature provides visibility into access to G Suite data by Google Cloud employees. The G Suite Admin Console documents each access, the reason for it, and any relevant support tickets. Additionally, Access Approval is now available in beta for Google Compute Engine, Google App Engine, Google Cloud Storage, and many other services. Google is also launching a completely new product called Access Approvals. This lets you explicitly approve access beforehand. Instead of a Google engineer self-approving, requests will go to the customer, who has to approve or deny access.
“We believe this is unique,” Google Cloud’s Mike Aiello declared. “And we’re very proud of this, because it’s really giving the maximum level of control to customers around what even insiders at Google do with their data.”
DLP user interface and VPC Service Controls
Next, Google is launching the Data Loss Prevention (DLP) user interface in beta, letting enterprises discover and monitor sensitive data at cloud scale. The interface, available from the GCP console, lets you run DLP scans in a few clicks, without any code, hardware, or VMs to manage.
Your virtual private cloud (VPC) is about to get better. VPC Service Controls, now generally available, let you define a security perimeter around specific GCP resources to help mitigate data exfiltration risks.
Cloud Security Command Center
Google’s Cloud Security Command Center (Cloud SCC), a comprehensive security management and data risk platform for GCP, is now generally available. Cloud SCC is a single place for preventing, detecting, and responding to threats across GCP, with new services incoming:
- Event Threat Detection (beta) leverages Google-proprietary intelligence models to quickly detect damaging threats such as malware, crypto mining, and outgoing DDoS attacks. It scans Stackdriver logs for suspicious activity in your GCP environment, distills findings, and flags them for remediation.
- Security Health Analytics (alpha) automatically scans your GCP infrastructure to help surface configuration issues with public storage buckets, open firewall ports, stale encryption keys, deactivated security logging, and much more.
- Cloud Security Scanner (general availability for App Engine, beta for Google Kubernetes Engine and Compute Engine) detects vulnerabilities such as cross-site scripting (XSS), use of clear text passwords, and outdated libraries in your GCP applications.
- Security partner integrations (GCP Marketplace) with Capsule8, Cavirin, Chef, McAfee, Redlock, Stackrox, Tenable.io, and Twistlock consolidate findings and speed up response.
Cloud SCC also helps you respond to threats and remediate findings by exporting incidents. The new Stackdriver Incident Response and Management tool (coming soon in beta) can track incidents.
Apigee security reporting
Apigee, Google Cloud’s API management platform, is getting new security reporting (coming soon in beta) to show the health and security status of your API programs. This tool is meant to thwart attackers who target APIs exposed to developers inside and outside of organizations.
Apigee security reporting can identify APIs that do not adhere to security protocols and user groups that are publishing the most sensitive APIs. Findings will be accessible in the Apigee console and via API.
Securing the software supply chain
Google is also announcing GKE services to help build trust in your containerized software supply chain:
- Container Registry (in general availability soon), Google’s private Docker registry, includes vulnerability scanning, a native integration for GKE that identifies package vulnerabilities for Ubuntu, Debian, and Alpine Linux. In short, it finds vulnerabilities before your containers are deployed.
- Binary Authorization (in general availability soon) is a deploy-time security control that integrates with your CI/CD system, making sure container images meet your organization’s deployment requirements. Binary Authorization can be integrated with Container Registry vulnerability scanning, Cloud Key Management Service, and Cloud Security Command Center.
- GKE Sandbox (beta coming soon), based on the open-source gVisor project, provides additional isolation for multi-tenant workloads. This helps prevent container escapes, increasing workload security.
- Managed SSL certificates (beta) give you full lifecycle management (provisioning, deployment, renewal, and deletion) of your GKE ingress certificates. Managed SSL certificates aim to ease deployment, management, and operation of secure GKE-based applications at scale.
- Shielded VMs (generally available) provide verifiable integrity of your Compute Engine VM instances. More than 21,000 Shielded VM instances are already deployed on GCP.
Securing G Suite data
Google is also announcing new ways to help protect, control, and remediate threats to G Suite data:
- Data regions enhancements (general availability): G Suite Business and Enterprise customers can now designate the region in which covered data at rest is stored. That can be globally, in the U.S., or in Europe. Data regions are also getting coverage for backups.
- Email protection: Advanced phishing and malware protection (beta) can help administrators protect against anomalous attachments and inbound emails spoofing your domain. The security sandbox (beta) helps protect enterprise customers against ransomware, sophisticated malware, and zero-day threats.
- Security center (beta) and alert center (beta) offer best practice recommendations, unified notifications, and integrated remediation. Administrators can save and share their investigations in the security investigation tool, set alert status and severity, and assign alerts. Admins can also create rules within the security center that perform automated actions or send notifications to the alert center, where teams of admins and analysts can work together to take ownership and update status as they work through security investigations.
Securing web users
Google also introduced two new Google Cloud user protection services:
- Phishing protection (beta): Report unsafe URLs to Google Safe Browsing and view their status in Cloud Security Command Center. This is Google’s way of helping companies fight back against phishing websites that use your name and logo.
- reCAPTCHA Enterprise (beta): Building on reCAPTCHA, this service defends your website against fraudulent activity like scraping, credential stuffing, and automated account creation.
Google is making context-aware access capabilities generally available in Cloud Identity-Aware Proxy (IAP) and VPC Service Controls, and launching them in beta for Cloud Identity and G Suite. It’s also renaming Cloud Identity for Customers and Partners (CICP) to Identity Platform, and launching Managed Service for Microsoft Active Directory (AD).
- Context-aware access (generally available): Gives admins the ability to impose conditional policies around GCP APIs, resources, G Suite (including Gmail, Drive, Docs, Sheets, Slides, Forms, Calendar, and Keep), and third-party apps, enabling them to allow or deny access based on users’ identity, location, device security status, and context.
- Identity Platform (generally available): It’s built on Google’s in-house identity tech and its Firebase app development platform and offers a customizable framework that manages app flows for user sign-up and sign-in. Identity Platform supports basic email and password authentication, phone numbers, and social media accounts, in addition to more sophisticated schemes like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). And it’s compatible with a range of client-side software development kits (SDKs) on the web and mobile platforms (on iOS and Android), as well as server-side SDKs, including Node.js, Java, and Python. Integrated automated threat detection leverages Google’s cloud intelligence to detect signs that an account might be compromised. Meanwhile, on the scalability side, Cloud Identity includes “enterprise-grade availability” and technical support at launch.
- Managed Service for Microsoft Active Directory (AD): A Google Cloud service running Microsoft AD designed to help manage cloud-based AD-dependent workloads and automate AD server maintenance and configuration. Google claims that virtually any app with support for LDAP over SSL, including those that lean on legacy identity infrastructure, such as Microsoft Active Directory, is compatible with secure LDAP.
Of the Managed Service for Microsoft Active Directory (AD), product manager Rob Kochman said that most organizations use Active Directory as their directory source of truth — it’s where they store information about their users and accounts. Google wants to enable them to do that in the cloud.
“As these customers migrate Windows-centric workloads up into the cloud, they need to be able to run Microsoft Active Directory,” he said. “The challenge for them is that it can be complex, especially if you have a very complex environment. So what we’re giving them is a highly available, hardened, managed Google Cloud Service to run Active Directory. This is actual Microsoft Active Directory, not a compatible service, that allows them to simplify management, simplify security, and make it very easy to leverage Active Directory as that identity provider on Google Cloud Platform.”
Google also revealed that it’s working with human resource management system (HRMS) providers such as ADP, BambooHR, Namely, and Ultimate Software to integrate their platforms with Cloud Identity. Those integrations, along with Dashboard and SSO support for apps with password vaulting, will be generally available in the coming months.