During Google’s Cloud Next 2019 conference in Tokyo this week, the Mountain View tech giant announced a slew of Google Cloud Platform (GCP) updates intended to bolster data, app, and user security. Among the highlights are the Advanced Protection Program’s broad launch and the expanded retail availability of Titan Security Keys, as well as improved anomaly detection in G Suite enterprise deployments and enhanced support for legacy apps in GCP.
“At Google Cloud, we’re always looking to make advanced security easier for enterprises so they can stay focused on their core business,” wrote director of product management Karthik Lakshminarayanan and group product manager Vidya Nagarajan. “Already this year, we’ve worked to strengthen user protection, make threat defense more effective, and streamline security administration through a constant stream of new product releases and enhancements.”
Advanced Protection Program
Google’s Advanced Protection Program — which is designed to prevent cyberattacks against business leaders, politicians, and other high-profile targets — will be available in beta in the coming days for G Suite, GCP, and Cloud Identity customers. Enterprise administrators will gain the option to enroll users most at risk of targeted attacks, such as IT administrators, business executives, and employees in security-sensitive segments like finance and government.
As a refresher, the Advanced Protection Program enforces the use of Google’s aforementioned Titan Security Key (or compatible third-party hardware) and blocks access to third-party accounts not explicitly approved by an admin. Additionally, it enables enhanced scanning of incoming email for phishing attempts, viruses, and malicious attachments.
Titan Security Keys
On the subject of Titan Security Keys, the sets of physical FIDO (Fast Identity Online) keys used to authenticate logins over Bluetooth or USB, they’ve hit the Google Store in Canada, France, Japan, and the U.K. roughly a year after launching in the U.S. Bundles ship with a USB key, a Bluetooth Low Energy key, and an adapter for devices with USB Type-C ports.
For the uninitiated, FIDO is a standard certified by the nonprofit FIDO Alliance that supports public key cryptography and multifactor authentication. When you register a FIDO device with an online service, it creates a key pair of an on-device, offline private key and an online public key. During authentication, the device “proves possession” of the private key by prompting you to enter a PIN code or password, supply a fingerprint, or speak into a microphone.
Since 2014, Yubico, Google, NXP, and others have collaborated to develop the Alliance’s standards and protocols, including the new World Wide Web Consortium’s Web Authentication API. (WebAuthn shipped in Chrome 67 and Firefox 60 earlier this year.) Among the services that support them are Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter.
Machine Learning in G Suite
At the kickoff of Google Cloud Next this April in San Francisco, Google announced no fewer than 30 security-related upgrades headed to GCP in the coming months. Those were only the start, evidently — beginning today in beta for G Suite Enterprise and G Suite Enterprise for Education customers, admins can opt into automatic anomalous activity notifications in the G Suite alert center. They’re informed by AI models that analyze signals within apps like Google Drive to detect security risks, including data exfiltration and policy violations related to unusual external file sharing and download behavior.
The launch builds on Google’s ongoing efforts to block spam, phishing, and malware with sophisticated machine learning techniques. Google in February said that it’s blocking around 100 million additional spam messages every day for Gmail users thanks to its open source AI framework TensorFlow, all while ensuring the share of legitimate mail that inadvertently ends up in spam folders stays below 0.05%.
One-click access to apps
Lastly, Google today said that it’ll start rolling out support for password vaulted apps — i.e., legacy apps that require a username and password to authenticate — to Cloud Identity customers this week, complementing G Suite and Cloud Identity’s ecosystem of single sign-on (SSO) apps that tap identity standards like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
“The combination of standards based- and password-vaulted app support will deliver one of the largest app catalogs in the industry, providing seamless one-click access for users and a single point of management, visibility, and control for admins,” wrote Lakshminarayanan and Nagarajan. “These new features will help strengthen protection and securely enable cloud workloads and business processes.”