Google has announced a number of notable new tools and services as the internet giant doubles down on enterprise security across its cloud products.

The announcements were made in London at the U.K. incarnation of its annual Google Cloud Next conference.

Decrypt

The first of these new tools, which will be launching in beta shortly, is called External Key Manager. It works in tandem with Google’s Cloud KMS, a key management service that lets customers manage their cryptographic keys for services hosted on Google’s cloud. Using External Key Manager, companies will be able to encrypt data from Compute Engine and BigQuery, with keys stored in a third-party key management system. Google said it’s working with vendors such as Equinix, Fortanix, Ionic, Thales, and Unbound for this initiative.

“External Key Manager provides an audit trail of key access, use, and location, so you can document crypto operations for auditors to support your governance and compliance processes,” noted Sunil Potti, VP of engineering at Google Cloud Security, in a blog post.

Related to this, Google is also unveiling a new feature called Key Access Justifications that works in conjunction with External Key Manager to give enterprises more control over when and why their data is decrypted. In effect, this is about making the company itself the “ultimate arbiter of access to your data,” as Potti notes. This allows customers to deny Google the ability to decrypt data based on predefined rules.

“It provides a detailed justification each time one of your keys is requested to decrypt data, along with a mechanism for you to explicitly approve or deny providing the key using an automated policy that you set,” Potti said.

Key Access Justifications will be made available in alpha for Compute Engine, Persistent Disk, and BigQuery “soon.”

WAF

Google last year unveiled a web security framework called Google Cloud Armor, which provides protection against distributed denial of service (DDoS) and other forms of online attacks.

Today, the company revealed it’s adding more web application firewall (WAF) smarts to the mix, transforming Cloud Armor into a more serious security solution. Updates include the ability to configure policies with geo-based access controls and protection rules to counter risks, including cross-site scripting (XSS), injection, broken authentication, and other prominent risks, according to the Open Web Application Security Project (OWASP).

Above: Armor & WAF

Inspection

Google also announced the beta launch of Packet Mirroring, a network traffic inspection service that allows companies to analyze network traffic across Compute Engine and Google Kubernetes Engine (GKE). This will work in conjunction with third-party tools from the likes of Cisco, Palo Alto Networks, and Netscout to not only identify threats and malicious intent, but respond to intrusions.

Other notable announcements to emerge from Google’s cloud conference this morning include updates to its Advanced Protection Program. This is an enhanced security initiative aimed at those most at risk of cyberattacks, such as politicians, business leaders, journalists, human rights lawyers, and other high-profile individuals. The service first launched back in 2017 for personal Google Accounts, and it rolled out in beta for G Suite and Cloud Identity customers a few months back. In effect, Google is allowing enterprises to opt into a specific set of security policies for individuals, such as IT admins and C-level executives, within their company. The program will be rolling out in general availability for all eligible businesses from today.

Finally, Google revealed that it’s introducing a new app access control feature that helps companies limit access to G Suite APIs to specific third-party apps that they trust. This is important because not all apps adhere to a company’s specific security policies, and app access control gives admins better insights into the third-party apps employees have allowed to access their G Suite data.

Sold on security

Google recently revealed that its cloud business is approaching $8 billion in annual revenue, double the figure reported the previous year. While the growth is notable, it still pales in comparison to rival Amazon Web Services (AWS), which generates marginally more than that figure on a quarterly basis.

This is why Google is investing heavily in its cloud ambitions. For example, Google parent Alphabet launched an enterprise-focused security company called Chronicle in early 2018, with the promise of using machine learning and big data to spot cyber threats more quickly. A few months ago, Chronicle was swallowed outright by Google’s cloud unit. And back in April Google made 30 security-focused announcements at Google Cloud Next in San Francisco.

Combined with today’s announcements, it’s clear that security is playing an increasingly pivotal role in Google’s cloud push.